How to trigger download of Certificate Revocation Lists (CRL) for all the signed assemblies forcefully?

  • Question

  • We observed that while starting a .NET application, the .NET Framework will attempt to download the Certificate Revocation List (CRL) for any signed assembly. Due to this, if the system does not have Internet access, we face a delay while starting up. I know there are ways to disable the CRL download, but we don't want that for security reasons.

    So is there a way to programmatically download the CRLs of all the signed assemblies?
    Thursday, January 17, 2019 12:20 PM

All replies

  • I think that by default the CRL would be cached for 1 week.

    Maybe you can try creating a hidden switch that will create an object from each such assembly and then silently exit, then create a scheduled task that runs "certutil -setreg chain\ChainCacheResyncFiletime @now" and then your program with the hidden switch to trigger validation.

    I have not tried this before, and my current environment does not allow me to verify it (I'm writing Java and PHP recently, so I don't have the toolchain handy), so you'll have to try it yourself and see if it works for you.

    Btw, you shouldn't use "strong name" as a security measure, because even I have access to a few keys used to sign open source projects. That's why they introduced config settings to bypass the CRL check for full-trust assemblies.
    Friday, January 18, 2019 2:58 AM
    Answerer
  • Hi Deep_1987,

    Thank you for posting here.

    For your question, you could try to load Microsoft Certificate Revocation lists manually.

    Please refer to the link below.

    https://marcellotonarelli.wordpress.com/2011/08/17/manually-load-microsoft-certificate-revocation-lists-2/

    Best Regards,

    Wendy

    Friday, January 18, 2019 3:33 AM
    Moderator
  • Just want to clarify that the 2 CRL links in the post are for the CRL of the Microsoft domain only. You'll need to download the CRL for each of your signed assemblies for this to work.
    Friday, January 18, 2019 4:02 AM
    Answerer
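Added example, not part of the thread or of Microsoft's guidance: a PowerShell script that does what the first answer sketches (optionally reset the chain cache with certutil, then trigger a full online chain build for every Authenticode-signed assembly) and what the last reply points out (each assembly's own CRL must be fetched, not just Microsoft's). It builds the signer's certificate chain with online revocation checking so CryptoAPI's CRL cache is populated before the application starts, and lists the CRL Distribution Point URLs it found so the ones that fail can be allowed through a proxy or firewall. The `$AppRoot` path is a made-up placeholder; the script assumes a Windows host with the built-in certutil.exe and outbound HTTP access when it runs.

```powershell
# Added example (not from the original thread): pre-warm the CryptoAPI CRL cache
# for every Authenticode-signed assembly under an application folder so the
# application's own start-up does not block on CRL downloads.
# Assumptions: Windows with the OS-supplied certutil.exe; Internet (or proxy)
# access is available while this runs; $AppRoot is a hypothetical path.
param(
    [string]$AppRoot = 'C:\Apps\MyService',   # hypothetical application folder
    [switch]$ForceResync                      # treat cached CRLs as stale first
)

if ($ForceResync) {
    # Same registry tweak the first answer mentions: CryptoAPI then considers
    # its cached CRL/OCSP data stale, so the chain builds below re-fetch it.
    & certutil.exe -setreg chain\ChainCacheResyncFiletime @now | Out-Null
}

$results = foreach ($file in Get-ChildItem -Path $AppRoot -Recurse -Include *.dll, *.exe) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { continue }

    # Build the chain the way a loader would: online revocation check for the
    # entire chain. A successful build leaves the CRLs in CryptoAPI's URL cache.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($sig.SignerCertificate)

    # Pull the CRL Distribution Point URLs (OID 2.5.29.31) from the signer cert
    # so we can report which hosts must be reachable from this machine.
    $cdpExt  = $sig.SignerCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpUrls = @()
    if ($cdpExt) {
        $cdpUrls = [regex]::Matches($cdpExt.Format($false), 'https?://\S+') |
            ForEach-Object { $_.Value.TrimEnd(')') }
    }

    [pscustomobject]@{
        File    = $file.FullName
        Signer  = $sig.SignerCertificate.Subject
        ChainOK = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        CrlUrls = $cdpUrls -join ' '
    }
    $chain.Reset()
}

$results | Format-Table -AutoSize

# RevocationStatusUnknown / OfflineRevocation means a CRL could not be fetched;
# those are the URLs to allow on the proxy or firewall.
$results | Where-Object { $_.Status -match 'Revocation' } | ForEach-Object {
    Write-Warning "CRL not retrievable for $($_.File): $($_.Status) ($($_.CrlUrls))"
}
```

Two practical caveats: CryptoAPI keeps its URL cache per user, so the scheduled task that runs this must execute under the same account the application runs as, otherwise the application still sees a cold cache; and the check reports only what is in each signer certificate's CDP extension, so a chain whose intermediate CA publishes its CRL elsewhere shows up as a chain-build failure rather than as a listed URL.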