The only way I can validate a certificate is by setting the VerificationFlags property of the X509ChainPolicy object to the IgnoreEndRevocationUnknown flag.
The certificate I'm validating is a valid SSL certificate, created by me from a CA certificate which I also created. The Certification Path tab of the certificate (viewed in Windows Explorer) shows no problems, with the message "This certificate is OK".
If I do not use the IgnoreEndRevocationUnknown flag, I get a StatusInformation of "The revocation function was unable to check revocation for the certificate."
So, I'm not sure why I'm getting that and need to use the flag at all. Here is some code:
using System;
using System.Security.Cryptography.X509Certificates;

// Load the server certificate from the current user's Personal store.
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Find(
    X509FindType.FindBySubjectName,
    "DaveSvrCert", false
)[0];

// Build the chain with online revocation checking for every certificate in it.
var chain = new X509Chain();
var policy = new X509ChainPolicy
{
    RevocationFlag = X509RevocationFlag.EntireChain,
    RevocationMode = X509RevocationMode.Online,
    VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown
};
chain.ChainPolicy = policy;

// Print the status of every chain element when the chain does not validate.
if (!chain.Build(cert))
{
    foreach (var chainElement in chain.ChainElements)
    {
        foreach (var chainElementStatus in chainElement.ChainElementStatus)
        {
            Console.WriteLine(chainElementStatus.Status + ": ");
            Console.WriteLine(chainElementStatus.StatusInformation);
        }
    }
}
Cheers!
The IgnoreEndRevocationUnknown flag ignores RevocationOffline errors. These errors are caused when the CA is improperly configured and does not provide certificate revocation information:
- CRL Distribution Points certificate extension
- CRL Distribution Points is presented, but none of the URLs are accessible by the client.
Some applications use this flag by default; however, I would strongly recommend fixing this issue by including a CDP extension with globally available and accessible URLs for CRL download.
And do not use this flag, as it opens a security breach when a client successfully validates and accepts a revoked certificate.
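An added C# helper (my own, not code from the question or the answer) that checks what the answer points at: it reads the CRL Distribution Points extension from the leaf certificate with System.Formats.Asn1 (assumed available, .NET 5 or later) and builds the chain without any Ignore* flags, marking the RevocationStatusUnknown / OfflineRevocation statuses that IgnoreEndRevocationUnknown would otherwise hide.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;
static class RevocationDiagnostics
{
    // OID of the CRL Distribution Points extension (RFC 5280, section 4.2.1.13).
    const string CdpOid = "2.5.29.31";
    // Returns the CRL URLs a certificate advertises; empty when it has no CDP extension.
    public static List<string> GetCrlUrls(X509Certificate2 cert)
    {
        var urls = new List<string>();
        var ext = cert.Extensions[CdpOid];
        if (ext == null) return urls;
        var ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0);
        var ctx6 = new Asn1Tag(TagClass.ContextSpecific, 6);
        var points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        while (points.HasData)
        {
            var dp = points.ReadSequence();
            // distributionPoint [0] is OPTIONAL; only fullName [0] GeneralNames carries URIs
            if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(ctx0)) continue;
            var dpName = dp.ReadSequence(ctx0);
            if (!dpName.PeekTag().HasSameClassAndValue(ctx0)) continue;
            var names = dpName.ReadSequence(ctx0);
            while (names.HasData)
            {
                if (names.PeekTag().HasSameClassAndValue(ctx6)) // uniformResourceIdentifier [6]
                    urls.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, ctx6));
                else
                    names.ReadEncodedValue(); // skip other GeneralName forms
            }
        }
        return urls;
    }
    // Builds the chain with online checking and no Ignore* flags, then marks the statuses
    // that IgnoreEndRevocationUnknown would have suppressed (unreachable CRL source).
    public static void Report(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        Console.WriteLine($"Build: {chain.Build(cert)}; CRL URLs: {string.Join(", ", GetCrlUrls(cert))}");
        foreach (var s in chain.ChainStatus)
        {
            bool offline = (s.Status & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) != 0;
            Console.WriteLine($"{s.Status}: {s.StatusInformation}{(offline ? "  <- CDP/CRL unreachable" : "")}");
        }
    }
}
```

Run `RevocationDiagnostics.Report(cert)` on the certificate loaded in the question; an empty URL list or a marked status tells you the CA's CDP configuration, not the chain-building code, is what needs fixing.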