X509Chain CRL online check in Azure Functions

Dietmar 111 Reputation points
2021-04-19T12:07:14.137+00:00

I'm trying to perform online CRL checking in Azure Functions. The chain builds well, but CRL online checks always fail:

Chain verification status.....: RevocationStatusUnknown
Chain verification result.....: The revocation function was unable to check revocation for the certificate.
Chain verification status.....: OfflineRevocation
Chain verification result.....: The revocation function was unable to check revocation because the revocation server was offline.

The CRL server of the certificate in question is, however, reachable, and the CRL can be downloaded manually from the public Internet.

Flags to build the chain:

X509Chain chain = new X509Chain();
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;

Any idea what's wrong?

Thanks,
Dietmar


Accepted answer
  1. Dietmar 111 Reputation points
    2021-04-20T05:26:10.153+00:00

    @MayankBargali-MSFT Many thanks for looking into this!
    I think I finally figured out some minutes ago what the root cause was.

    I tried to verify a full chain of certificates, all issued by an Enterprise CA. Root and Intermediate certificates have been added to the ExtraStore, as access to the trusted root store is not possible from the Azure Function:

    chain.ChainPolicy.ExtraStore.Add(rootCert);          // X509Certificate2 of the Enterprise root (placeholder name)
    chain.ChainPolicy.ExtraStore.Add(intermediateCert);  // X509Certificate2 of the issuing CA (placeholder name)

    After that I ran chain.Build() and got the errors I mentioned in my first post.

    What I obviously forgot: The CRL itself is also signed by the Enterprise CA. CryptoAPI has no chance to verify the signature of it, as the root cert is not in the trusted root store.

    Solution: Move the entire solution to .NET 5 and use the new features
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(rootCert);    // X509Certificate2 of the Enterprise root (placeholder name)

    This gives a real (virtual) trusted root store and things are working perfectly.

    Thanks again for your help!
    Dietmar
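The fix described in the accepted answer, as an added example that is not code from the original thread: the Enterprise root goes into CustomTrustStore (so CryptoAPI can also verify the CA's signature on the CRL), intermediates stay in ExtraStore as path-building hints only, and the chain status is returned so revocation failures can be treated as hard errors. The file names `leaf.cer`, `enterprise-root.cer` and `enterprise-intermediate.cer` are assumptions; the code requires .NET 5 or later.

```csharp
// Added example, not from the original thread. Requires .NET 5+ (X509ChainTrustMode.CustomRootTrust).
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Builds the chain for `leaf` trusting only `root`, with online CRL checking
    // of the end certificate. Returns Build()'s result and exposes the status list.
    public static bool BuildWithCustomRoot(
        X509Certificate2 leaf,
        X509Certificate2 root,
        X509Certificate2Collection intermediates,
        out X509ChainStatus[] status)
    {
        using var chain = new X509Chain();
        var policy = chain.ChainPolicy;

        // Trust anchor comes from us, not from the machine's root store. Because the
        // CRL is signed by this same CA, the anchor is also what makes the CRL
        // signature verifiable; a root that lives only in ExtraStore does not do that.
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        policy.CustomTrustStore.Add(root);

        // Intermediates are path-building hints only; they confer no trust.
        policy.ExtraStore.AddRange(intermediates);

        policy.RevocationMode = X509RevocationMode.Online;
        policy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;

        // Deliberately no AllowUnknownCertificateAuthority: that flag would hide the
        // UntrustedRoot status that tells you the anchor is missing.
        policy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(leaf);
        status = chain.ChainStatus;
        return ok;
    }

    static void Main()
    {
        // Assumed file names; load DER or PEM encoded certificates.
        var leaf = new X509Certificate2(File.ReadAllBytes("leaf.cer"));
        var root = new X509Certificate2(File.ReadAllBytes("enterprise-root.cer"));
        var intermediates = new X509Certificate2Collection();
        intermediates.Import("enterprise-intermediate.cer");

        bool ok = BuildWithCustomRoot(leaf, root, intermediates, out var status);
        Console.WriteLine($"Chain valid: {ok}");
        foreach (var s in status)
            Console.WriteLine($"{s.Status,-30} {s.StatusInformation.Trim()}");

        // RevocationStatusUnknown and OfflineRevocation mean "not checked", not
        // "not revoked"; a relying party should fail closed on them.
    }
}
```

With the root only in ExtraStore (the original setup), the same call reports UntrustedRoot together with the RevocationStatusUnknown / OfflineRevocation pair quoted in the question; with the root in CustomTrustStore, a reachable CDP yields an empty status array.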


1 additional answer

  1. MayankBargali-MSFT 68,656 Reputation points
    2021-04-20T03:21:51.99+00:00

    @Dietmar When you use X509RevocationMode.Online, CryptoAPI will try to reach revocation servers (as specified in CDP and AIA extensions) to retrieve revocation information for every certificate in the chain. If revocation information is not accessible for any certificate, or it is stale, then you will get a RevocationOffline error. In such cases, you may need to debug every URL in CDP for every certificate and figure out what is wrong there.

    If you are running the code from a restricted network, please verify whether a firewall or network rule is blocking access to the URLs below:
    crl.microsoft.com TCP 80
    mscrl.microsoft.com TCP 80
    crl3.digicert.com TCP 80
    www.microsoft.com TCP 80

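The debugging step this answer recommends (checking every CDP URL of every certificate in the chain), as an added example that is not code from the thread or from Microsoft: the CRLDistributionPoints extension is decoded with System.Formats.Asn1 to pull out the URI-form GeneralNames, and each URL is then fetched from the same environment that runs the chain build, so a blocked CDP can be told apart from the missing-trust-anchor problem found in the accepted answer. The file name `leaf.cer` is an assumption; the code requires .NET 5 or later.

```csharp
// Added example, not from the original thread. Requires .NET 5+ (System.Formats.Asn1 is in-box).
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class CdpProbe
{
    const string CdpOid = "2.5.29.31"; // id-ce-cRLDistributionPoints, RFC 5280 4.2.1.13

    // Parses the CRLDistributionPoints extension and returns its URI-form GeneralNames.
    public static List<string> GetCdpUrls(X509Certificate2 cert)
    {
        var urls = new List<string>();
        var dpNameTag   = new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true);
        var fullNameTag = new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true);
        var uriTag      = new Asn1Tag(TagClass.ContextSpecific, 6);

        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value != CdpOid) continue;

            // CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
            var points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
            while (points.HasData)
            {
                // DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
                var dp = points.ReadSequence();
                if (!dp.HasData || dp.PeekTag() != dpNameTag) continue;

                // DistributionPointName is a CHOICE, so [0] is an explicit wrapper;
                // the alternative we want is fullName [0] IMPLICIT GeneralNames.
                var dpName = dp.ReadSequence(dpNameTag);
                if (!dpName.HasData || dpName.PeekTag() != fullNameTag) continue;

                // GeneralNames ::= SEQUENCE OF GeneralName; uniformResourceIdentifier is [6] IA5String
                var names = dpName.ReadSequence(fullNameTag);
                while (names.HasData)
                {
                    if (names.PeekTag() == uriTag)
                        urls.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                    else
                        names.ReadEncodedValue(); // skip directoryName, dNSName and other forms
                }
            }
        }
        return urls;
    }

    static async Task Main()
    {
        // Assumed file name: the leaf whose revocation check is failing.
        var leaf = new X509Certificate2(File.ReadAllBytes("leaf.cer"));

        // Build the path without revocation checking; only the chain elements are wanted here.
        // Add private intermediates to ExtraStore if they are not available on the machine.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.Build(leaf);

        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine(element.Certificate.Subject);
            foreach (string url in GetCdpUrls(element.Certificate))
            {
                try
                {
                    using var resp = await http.GetAsync(url);
                    // A healthy CDP answers 200 with Content-Type application/pkix-crl.
                    Console.WriteLine($"  {url} -> {(int)resp.StatusCode} {resp.Content.Headers.ContentType}");
                }
                catch (Exception ex)
                {
                    // Timeouts and DNS failures here point at egress filtering;
                    // ldap:// CDPs also land here because HttpClient does not speak LDAP.
                    Console.WriteLine($"  {url} -> unreachable: {ex.Message}");
                }
            }
        }
    }
}
```

Run this from the same hosting plan and VNet configuration as the Function: if every CDP downloads fine (as it did for the question's certificate from the public Internet) but Build() still reports OfflineRevocation, the cause is on the trust side rather than the network side.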