@MayankBargali-MSFT Many thanks for looking into this!
I think I finally figured out some minutes ago what the root cause was.
I tried to verify a full chain of certificates, all issued by an Enterprise CA. Root and Intermediate certificates have been added to the ExtraStore, as access to the trusted root store is not possible out of the Azure Function:
chain.ChainPolicy.ExtraStore.Add();
After that I ran chain.Build() and got the errors I mentioned in my first post.
What I obviously forgot: The CRL itself is also signed by the Enterprise CA. CryptoAPI has no chance to verify the signature of it, as the root cert is not in the trusted root store.
Solution: Move the entire solution to .NET 5 and use the new features:
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
chain.ChainPolicy.CustomTrustStore.Add();
This gives a real (virtual) trusted root store and things are working perfectly.
Thanks again for your help!
Dietmar
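
The difference between the two configurations described in the post above, as an added example that is not part of the original post: the same leaf is validated once with the root only in ExtraStore and once with CustomRootTrust. The certificate names and the Validate helper are hypothetical, the root and leaf are constructed in memory, and the example is narrowed to a root plus leaf with no intermediates or CRLs.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed test PKI (hypothetical names): a self-signed root and a leaf it issues.
var now = DateTimeOffset.UtcNow;
using var rootKey = RSA.Create(2048);
var rootReq = new CertificateRequest("CN=Example Enterprise Root", rootKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
    X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
using var rootWithKey = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
using var root = new X509Certificate2(rootWithKey.RawData); // public part only

using var leafKey = RSA.Create(2048);
var leafReq = new CertificateRequest("CN=client.example", leafKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var leaf = leafReq.Create(rootWithKey, now.AddHours(-1), now.AddDays(10),
    new byte[] { 1, 2, 3, 4 });

Console.WriteLine("ExtraStore only:  " + Validate(leaf, root, customRoot: false));
Console.WriteLine("CustomRootTrust:  " + Validate(leaf, root, customRoot: true));

// Hypothetical helper: builds the chain and returns the result plus any status flags.
static string Validate(X509Certificate2 cert, X509Certificate2 rootCert, bool customRoot)
{
    using var chain = new X509Chain();
    // The constructed certs have no CRL distribution point, so revocation is skipped here;
    // against a real CA, keep revocation checking enabled.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    if (customRoot)
    {
        // .NET 5+: the root becomes the trust anchor for this chain only.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(rootCert);
    }
    else
    {
        // The root is only a chain-building candidate, not a trust anchor.
        chain.ChainPolicy.ExtraStore.Add(rootCert);
    }
    bool ok = chain.Build(cert);
    var flags = chain.ChainStatus.Select(s => s.Status.ToString());
    return $"valid={ok} status=[{string.Join(", ", flags)}]";
}
```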