The revocation function was unable to check revocation for the certificate

≯℡__Kan透↙ submitted on 2019-12-13 13:47:28

Question


I am attempting to validate that a certificate has not been revoked using an X509Chain in C#.

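using System.Security.Cryptography.X509Certificates;

X509Chain chain = new X509Chain();
// Fetch revocation data over the network and check only the end (leaf) certificate.
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
chain.Build(certificate);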

This returns a status of:

The revocation function was unable to check revocation for the certificate

I do want to check for revoked certificates, not just switch off the error.

How do I resolve this problem or at least get a better idea of the cause (for example, how do I find out where it is checking for a CRL?)


Answer 1:


A revocation check includes checking the certificate status in a CRL and the use of OCSP for online checking of status. The documentation suggests that .NET checks only the CRL, but "Online" probably means that the CRL should be downloaded. In this case your error can mean that the CRL location could not be found (not present in the certificate) or it could not be reached.

The first step to take is to inspect whether the certificate contains a CRL location. You can see this in the certificate properties - there's a CRL Distribution Point extension there.

If a CRL location is present and it points to an HTTP/HTTPS URL, you can check that URL to see if it's accessible.

Unfortunately, while these steps can be automated, they don't cover any source of the problem - the CRL can be malformed, or the server could return something that is not a CRL (an error response, for example), or the signature on the CRL could be invalid. So the above steps will give you only basic information about the problem.

I don't know if .NET is able to produce a more meaningful description of the failure. In our components (SecureBlackbox) we provide more details about failures, and still this question is one we often receive in technical support despite the presence of an extensive FAQ article on this topic.
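
The inspection steps described in the answer can be scripted. The following is an added example, not code from the original question or answer: it builds the chain with the question's policy, prints the status reported for each chain element, and prints the CRL Distribution Points and Authority Information Access extensions so the published revocation URLs can be tested by hand. The class name, the command-line argument and the 15-second timeout are assumptions, and the text produced by `Format` differs between platforms.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class RevocationDiagnostics   // hypothetical name, for illustration
{
    // Extensions that say where revocation data is published.
    const string CrlDistributionPoints = "2.5.29.31";
    const string AuthorityInfoAccess = "1.3.6.1.5.5.7.1.1"; // carries the OCSP URL

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: RevocationDiagnostics <certificate-file>");
            return;
        }
        // Assumption: args[0] is the path of the certificate being validated.
        using var certificate = new X509Certificate2(args[0]);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // assumed value

        Console.WriteLine($"Chain valid: {chain.Build(certificate)}");

        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine($"\n{element.Certificate.Subject}");

            // Per-element status shows which certificate the failure belongs to,
            // e.g. RevocationStatusUnknown or OfflineRevocation.
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");

            // The locations the platform can use to fetch revocation data.
            bool hasPointer = false;
            foreach (X509Extension ext in element.Certificate.Extensions)
            {
                var oid = ext.Oid?.Value;
                if (oid != CrlDistributionPoints && oid != AuthorityInfoAccess)
                    continue;
                hasPointer = true;
                Console.WriteLine($"  [{oid}] {ext.Format(true).Trim()}");
            }
            if (!hasPointer)
                Console.WriteLine("  No CRL Distribution Points or Authority Information Access extension.");
        }
    }
}
```

If the end certificate shows no revocation pointer at all, the failure is in the certificate itself; if a URL is listed, fetch it from the same host and account that runs the validation, since proxy and firewall rules often differ between an interactive user and a service.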



Source: https://stackoverflow.com/questions/13882418/the-revocation-function-was-unable-to-check-revocation-for-the-certificate
