The process of installing a rollup for Exchange 2010 can take a lot of time when you have a bad/no internet connection. One of the causes for this is the validation process of the digital signature of the .NET Framework components. When having a bad/no internet connection this can slow down the process, this because of the default time-out of 15000 miliseconds for a single CRL check up to 20000 miliseconds for checking all CRL’s.

A while ago the Microsoft Exchange team posted a blog what you can do to increase this time. This can be done by making changes in the registry which will, for example, increase the default time-out.

Starting from Exchange 2010 SP1 rollup 2 a new feature is introduced. The setup will check if CRL checking is enabled and if so it will prompt you with a warning:

To solve this issue you might decide to turn off CRL checking temporarily, this can be done by performing the following steps:

  • start Internet Explorer
  • go to Tools
  • select Internet Options
  • select the tab_ Advanced_
  • search for the Security item
  • disable the following option: Check for publisher’s certificate revocation

Restart the setup and you won’t get the warning again. Disabling this option is not a best practice of  course because the digital signature isn’t checked. So disable this option only if you have no or a very bad internet connection.

Don’t forget to enable the option once finished installing the rollup.


Johan Veldhuis