To authenticate an application internally with client certification I have created a Root Certificate and the client certificate using the makecert application.
Everything works well but when I use the X509Certificate2 Verify method I get the following error:
The revocation function was unable to check revocation for the certificate
X509Certificate2 cert = actionContext.Request.GetClientCertificate();
cert.Verify();
I can get around this by creating an X509Chain and then setting X509ChainPolicy to RevocationMode = X509RevocationMode.NoCheck.
// Requires System.Net.Http, System.Diagnostics and System.Security.Cryptography.X509Certificates.
X509Certificate2 cert = actionContext.Request.GetClientCertificate();
if (cert == null)
{
    actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized)
    {
        ReasonPhrase = "Client Certificate Required"
    };
}
else
{
    X509Chain chain = new X509Chain();
    // Needed because the error "The revocation function was unable to check revocation for the certificate" will happen otherwise
    chain.ChainPolicy = new X509ChainPolicy()
    {
        RevocationMode = X509RevocationMode.NoCheck,
    };
    try
    {
        var chainBuilt = chain.Build(cert);
        Debug.WriteLine(string.Format("Chain building status: {0}", chainBuilt));
        if (chainBuilt == false)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized)
            {
                ReasonPhrase = "Client Certificate not valid"
            };
            // Log each chain status so the actual failure reason (expiry, untrusted root, ...) is visible
            foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            {
                Debug.WriteLine(string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
            }
        }
    }
    catch (Exception e)
    {
        Debug.WriteLine(e.ToString());
    }
}
However this got me interested. Is there some way that I can create a Certificate Revocation List (CRL) with makecert and then bundle it into a .pfx with pvk2pfx that will be accepted by X509Certificate2 Verify?
Found a solution on MSDN: https://msdn.microsoft.com/en-us/library/ff648732.aspx
After you have created your Root Certificate run the following command:
makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
Install the CRL file on both the server and client machines. Use MMC to install RootCATest.crl on the client and server machines in the Trusted Root Certification Authorities store.
MMC -> File -> Add or Remove Snap-ins -> Certificates -> My user account
Trusted Root Certification Authorities -> Certificates -> Right click -> All tasks -> Import -> RootCATest.crl
I did not manage to bundle it with pvk2pfx, but after doing this I could run Verify.
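As an added example (not code from the question or the answer), this is the chain check from the question tightened so that revocation is actually consulted against the installed RootCATest.crl instead of being skipped with NoCheck; the file name client.pfx, its password, and the class name are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example. Assumes "client.pfx" (password "secret", both placeholders) was issued by
// RootCATest, and that RootCATest.cer and RootCATest.crl are installed as the answer describes.
static class ClientCertCheck
{
    // Returns true only when the chain builds and the certificate is not listed on a CRL.
    public static bool IsAcceptable(X509Certificate2 cert, bool allowUnknownRevocation)
    {
        var chain = new X509Chain();

        // Offline: use only CRLs already present in the local stores (e.g. RootCATest.crl).
        // Online would also follow CDP/OCSP URLs, which a makecert test certificate does not carry.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

        if (allowUnknownRevocation)
        {
            // Narrower than RevocationMode.NoCheck: a certificate that IS on the CRL still fails;
            // only "could not determine" (no CRL available for an issuer) is tolerated.
            chain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.IgnoreEndRevocationUnknown |
                X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
        }

        bool built = chain.Build(cert);

        // Log every status so "revocation unknown" can be told apart from "revoked" or "expired".
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("Chain status: {0} {1}", s.Status, s.StatusInformation);

        // Build() already fails on statuses not covered by VerificationFlags; re-check Revoked
        // explicitly so a revoked leaf can never be accepted whatever the flags are.
        bool revoked = chain.ChainStatus.Any(s => (s.Status & X509ChainStatusFlags.Revoked) != 0);
        return built && !revoked;
    }

    static void Main()
    {
        var cert = new X509Certificate2("client.pfx", "secret");
        Console.WriteLine("Accepted: " + IsAcceptable(cert, allowUnknownRevocation: false));
    }
}
```

With the CRL installed, the status list should no longer contain RevocationStatusUnknown or OfflineRevocation; if it still does, the CRL was imported into the wrong store or for the wrong account.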