1

We have a custom middleware in a ASP.NET core 2.1 application that verifies the validity of a client certificate. The cert is not self signed and is a signed by a trusted CA. The application is hosted in Azure app service. We get this the following response from the chainstatus. What could be the issue?

"The revocation function was unable to check revocation for the certificate,The revocation function was unable to check revocation because the revocation server was offline".

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
var verified = ch.Build(x509Certificate2);

when we change RevocationMode to online it works for the most part but in some cases we get the same chainstatus "The revocation function was unable to check revocation for the certificate,The revocation function was unable to check revocation because the revocation server was offline".

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
var verified = ch.Build(x509Certificate2);
Improve this question

1 Answer 1

Reset to default
2

When you use X509RevocationMode.Offline, then validation will most likely fail, because CryptoAPI will look only for locally cached revocation information, which is unlikely exist on server.

When you use X509RevocationMode.Online, then CryptoAPI will try to reach revocation servers (as specified in CDP and AIA extensions) to retrieve revocation information for every certificate in the chain. If revocation information is not accessible for any certificate, or it is stale, then you will get RevocationOffline error. In such cases, you may need to debug every URL in CDP and AIA extension for every certificate and figure out what is wrong there.

In addition, RevocationOffline error is raised when URL is accessible, but the timeout for URL is expired.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.