Question

Dietmar-5258 asked:

X509Chain CRL online check in Azure Functions

I'm trying to perform online CRL checking in Azure Functions. The chain builds well, but CRL online checks always fail:

Chain verification status.....: RevocationStatusUnknown
Chain verification result.....: The revocation function was unable to check revocation for the certificate.
Chain verification status.....: OfflineRevocation
Chain verification result.....: The revocation function was unable to check revocation because the revocation server was offline.

The CRL server of the certificate in question is, however, reachable, and the CRL can be downloaded manually from the public Internet.


Flags to build the chain:

X509Chain chain = new X509Chain();
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;


Any idea what's wrong?


Thanks,
Dietmar

azure-functions

Dietmar-5258 answered:

@MayankBargali-MSFT Many thanks for looking into this!
I think I finally figured out some minutes ago what the root cause was.

I tried to verify a full chain of certificates, all issued by an Enterprise CA. Root and Intermediate certificates have been added to the ExtraStore, as access to the trusted root store is not possible from within the Azure Function:

chain.ChainPolicy.ExtraStore.Add();

After that I ran chain.Build() and got the errors I mentioned in my first post.

What I obviously forgot: The CRL itself is also signed by the Enterprise CA. CryptoAPI has no chance to verify the signature of it, as the root cert is not in the trusted root store.

Solution: Move the entire solution to .NET 5 and use the new features
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
chain.ChainPolicy.CustomTrustStore.Add();

This gives a real (virtual) trusted root store and things are working perfectly.

Thanks again for your help!
Dietmar

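The fix described in the answer above, written out as an added example (not code from the thread): a .NET 5+ chain build that uses the enterprise root as a private trust anchor so the CryptoAPI can verify the CRL signature during online revocation checking. Certificate file paths passed on the command line are an assumption for the usage entry point.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class EnterpriseChainCheck
{
    public static bool Verify(X509Certificate2 leaf,
                              X509Certificate2 enterpriseRoot,
                              X509Certificate2[] intermediates)
    {
        using var chain = new X509Chain();
        var policy = chain.ChainPolicy;

        // Private trust anchor: the enterprise root is the only trusted root,
        // independent of the machine store the Function cannot modify.
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        policy.CustomTrustStore.Add(enterpriseRoot);

        // Intermediates are path-building hints only, never trust anchors.
        policy.ExtraStore.AddRange(intermediates);

        // Online CRL/OCSP lookup for the leaf. The CRL is signed by the
        // enterprise CA, whose signature is now verifiable via the trusted root.
        policy.RevocationMode = X509RevocationMode.Online;
        policy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
        policy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        // Do not keep AllowUnknownCertificateAuthority alongside CustomRootTrust:
        // it would accept a leaf whose root is not in the custom store. Likewise
        // the Ignore*RevocationUnknown flags would turn an unreachable CRL into
        // a pass (fail-open); with NoFlag, Build() returns false for
        // RevocationStatusUnknown and OfflineRevocation (fail-closed).
        policy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(leaf);

        // Print each status so a failed CDP/AIA fetch is visible in the logs.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"{s.Status,-28} {s.StatusInformation}");

        return built;
    }

    // Usage (assumption): args[0] = leaf, args[1] = enterprise root,
    // args[2..] = intermediate certificate files (DER or PEM).
    public static void Main(string[] args)
    {
        var leaf = new X509Certificate2(args[0]);
        var root = new X509Certificate2(args[1]);
        var inters = args.Skip(2).Select(p => new X509Certificate2(p)).ToArray();
        Environment.ExitCode = Verify(leaf, root, inters) ? 0 : 1;
    }
}
```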

MayankBargali-MSFT commented:

@Dietmar-5258 Glad to know that you were able to find the root cause of the issue. Feel free to reach out to us on Microsoft Q&A if you need any assistance in the future.
MayankBargali-MSFT answered:

@Dietmar-5258 When you use X509RevocationMode.Online, then CryptoAPI will try to reach revocation servers (as specified in CDP and AIA extensions) to retrieve revocation information for every certificate in the chain. If revocation information is not accessible for any certificate, or it is stale, then you will get RevocationOffline error. In such cases, you may need to debug every URL in CDP for every certificate and figure out what is wrong there.

If you are running the code from your restricted network, then please verify whether there is any firewall/networking rule blocking access to the below URLs:
crl.microsoft.com TCP 80
mscrl.microsoft.com TCP 80
crl3.digicert.com TCP 80
www.microsoft.com TCP 80
