I create a certificate request like this:
certreq -new req.inf req-Revoked.req
certreq -submit -attrib "SAN:email=ttesting@Test.Domain&upn=1234567890@Test.Domain" -config Win2K8-64\Test-Win2K8-64-CA req-Revoked.req testerCert-Revoked.cer
certreq -accept testerCert-Revoked.cer
CertUtil -f -p testerCert -exportPFX -user My Testing.Tester.T.1234567890 testerCert-Revoked.pfx
CertUtil -delstore -user My Testing.Tester.T.1234567890
Then I revoke it, via:
CertUtil -revoke <SerialNumber_from_above_Cert>
I then execute this code:
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

X509Certificate2 certificate = GetCertificate("testerCert-Revoked.pfx", "password"); // helper method loads the pfx from a file
StringBuilder errorBuffer = new StringBuilder(); // collects chain status messages for the exception
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // check revocation of every cert except the trusted root
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; // fetch CRL/OCSP over the network, not only from the local cache
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // no problems are ignored
if (!chain.Build(certificate))
{
errorBuffer.Append("Could not build X.509 certificate chain:\r\n");
foreach (X509ChainStatus status in chain.ChainStatus)
{
errorBuffer.AppendFormat(" - {0}\r\n", status.StatusInformation);
}
throw new CryptographicException(errorBuffer.ToString());
}
chain.Build() always returns true. But since the certificate is revoked, it should be false! I've double-checked that the certificate is revoked, and that the serial number is listed in the Server Manager under revoked certificates. I've double-checked that the CRL distribution point URLs match on the server and the certificate requests (they're LDAP URLs). CertUtil sees the intermediate .cer file as revoked. But the C# code above doesn't.
This all worked before the original CA expired, and IT rebuilt my test machine with a new cert. I've regenerated the certs with the new CA, and every single unit test works again, except the ones that deal with revocation. Expired certs work as expected, but not revoked certs.
I'm at a loss for what to do next to get this code working again, and would love some help. Thanks!
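A fuller version of the revocation check, added here as an example and not part of the original post: it walks every element of the built chain, reports that element's status, and treats "revocation status unknown" or "offline revocation" as a failure rather than a pass. That distinction is what you want to see when a CRL/OCSP fetch is being blocked or intercepted on the host, because a chain can build without the revocation check ever having completed. The PFX path and password are the ones from the post; the 15-second retrieval timeout and everything else are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not the original poster's code.
public static class RevocationCheck
{
    // Returns true only if the chain builds cleanly AND every revocation check
    // actually completed. "Unknown" or "offline" revocation status is treated
    // as a failure (fail closed): the CRL/OCSP lookup may have been blocked or
    // answered by something other than the CA, rather than genuinely passed.
    public static bool IsValidAndNotRevoked(X509Certificate2 certificate, out string report)
    {
        var sb = new StringBuilder();
        bool revoked = false;
        bool revocationUnknown = false;
        bool built;

        using (var chain = new X509Chain())
        {
            // ExcludeRoot: the root is trusted by being in the store, not via a CRL;
            // checking it would usually produce RevocationStatusUnknown.
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // assumed value

            built = chain.Build(certificate);

            // ChainElements is populated even when Build returns false.
            // Index 0 is the leaf, the last element is the root.
            for (int i = 0; i < chain.ChainElements.Count; i++)
            {
                X509ChainElement element = chain.ChainElements[i];
                sb.AppendFormat("[{0}] {1}\r\n", i, element.Certificate.Subject);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                {
                    sb.AppendFormat("    {0}: {1}\r\n", status.Status, status.StatusInformation.Trim());
                    if (status.Status == X509ChainStatusFlags.Revoked)
                        revoked = true;
                    if ((status.Status & (X509ChainStatusFlags.RevocationStatusUnknown
                                        | X509ChainStatusFlags.OfflineRevocation)) != 0)
                        revocationUnknown = true;
                }
            }
        }

        sb.AppendFormat("Build returned {0}; revoked={1}; revocationUnknown={2}\r\n",
                        built, revoked, revocationUnknown);
        report = sb.ToString();
        return built && !revoked && !revocationUnknown;
    }

    public static void Main(string[] args)
    {
        // Inputs from the post: the exported PFX and its password.
        var certificate = new X509Certificate2("testerCert-Revoked.pfx", "password");
        string report;
        bool ok = IsValidAndNotRevoked(certificate, out report);
        Console.WriteLine(report);
        if (!ok)
            throw new CryptographicException("Certificate failed validation:\r\n" + report);
    }
}
```

For a revoked leaf the element report should show Revoked on index 0 and the method returns false; if instead it shows RevocationStatusUnknown or OfflineRevocation, the fetch itself is not reaching the CA, which is where to look next. Comparing this output against certutil -verify -urlfetch on the same .cer file tells you whether the discrepancy is in the application or in what the host is doing to the CRL retrieval.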
Turns out the problem was an application called Tumbleweed. It was installed on the server, and was intercepting all revocation requests. Disabling the Tumbleweed service fixed my problem entirely.
Charles.