CheckX509RevocationMode check certificate revocation status against an offline CRL C# .NET 4.5

  • Question

  • Hello everybody
     

    I have a project where I have to create a digital signature verification component in C# .NET.

     

    Because of the internet connection, I must use an offline CRL. So, I need to retrieve each certificate in a loop to check its certificate revocation status against an offline CRL that was previously stored on a server.

    So, I'm using this:

     

    using System;
    using System.Security.Cryptography.X509Certificates;

    X509Chain ch = new X509Chain();
    // The policy has to be configured before Build(): Build() reads it, so a
    // RevocationMode assigned afterwards has no effect on the chain just built.
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    ch.Build(certificate);

    Console.WriteLine("Chain Information");
    Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
    Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
    Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
    Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
    Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
    Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
    Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);

    // Same chain object as above (the original used an undefined "chain" variable here)
    if (ch.ChainStatus.Length != 0)
        Console.WriteLine(ch.ChainStatus[0].Status);

    Could someone please let me know how to use the X509Chain object for offline CRL verification?

    Thanks in advance,

    Ivo

    Tuesday, January 6, 2015 10:45 PM

Answers

  • Hello Ivo,

    >> Could someone please let me know how to use X509Chain object for offline CRL verification?

    As you can see, the X509RevocationMode Enumeration contains three items; in your case, you could set it to Offline as:

    ch.ChainPolicy.RevocationMode = X509RevocationMode.Offline;

    Then it would check the certificate revocation list cached in your local machine instead of connecting to the server. For details, you could check this blog:

    http://blogs.msdn.com/b/alejacma/archive/2009/01/30/crl-gets-cached-after-we-do-an-online-verification-with-x509chain.aspx

    However, this might be risky because cached entries sometimes might not match entries released by the CA.

    Regards.



    Wednesday, January 7, 2015 6:05 AM
    Moderator
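The following is an added example, not code from the question or the answer above. It puts the answer's advice into a complete verifier: the policy is configured before Build() (the question's snippet set RevocationMode after building, which has no effect), RevocationMode is Offline so only CRLs already on the machine are consulted, and, addressing the answer's caveat about the cache, a chain whose revocation status could not be determined (missing or stale CRL, reported as RevocationStatusUnknown/OfflineRevocation) is rejected rather than silently accepted. The class and method names, the command-line usage and the choice of DateTime.Now as verification time are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post): verify a signer certificate
// against the CRLs already present on the local machine, failing closed
// when revocation status cannot be determined.
public static class OfflineCrlVerifier
{
    public sealed class Result
    {
        public bool Trusted;
        public string Reason;
    }

    public static Result Verify(X509Certificate2 signerCert, DateTime verificationTime)
    {
        X509Chain chain = new X509Chain();
        try
        {
            // Configure the policy BEFORE Build(); Build() reads it once.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;    // local CRL cache/stores only
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // a self-signed root has no CRL
            chain.ChainPolicy.VerificationTime = verificationTime;            // e.g. the signing time
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool built = chain.Build(signerCert);

            // OR together every status flag of the whole chain, not just ChainStatus[0].
            X509ChainStatusFlags flags = chain.ChainStatus
                .Select(s => s.Status)
                .Aggregate(X509ChainStatusFlags.NoError, (acc, f) => acc | f);

            if (built && flags == X509ChainStatusFlags.NoError)
                return new Result { Trusted = true, Reason = "chain valid; not listed in the local CRL" };

            if ((flags & X509ChainStatusFlags.Revoked) != 0)
                return new Result { Trusted = false, Reason = "certificate is revoked" };

            // In Offline mode a missing or stale (NextUpdate passed) CRL shows up as
            // RevocationStatusUnknown, normally combined with OfflineRevocation.
            // Fail closed: without a current CRL we cannot claim "not revoked".
            const X509ChainStatusFlags undetermined =
                X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
            if ((flags & undetermined) != 0)
                return new Result { Trusted = false, Reason = "revocation status undetermined offline: " + flags };

            return new Result { Trusted = false, Reason = "chain invalid: " + flags };
        }
        finally
        {
            chain.Reset(); // releases the native chain context
        }
    }

    // Per-element diagnostics: which certificate in the path produced which flag.
    public static void Dump(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.Build(cert);
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine(element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());
        }
        chain.Reset();
    }

    // Assumed usage: OfflineCrlVerifier.exe signer.cer
    public static int Main(string[] args)
    {
        X509Certificate2 cert = new X509Certificate2(args[0]);
        Result r = Verify(cert, DateTime.Now);
        Console.WriteLine("{0}: {1}", r.Trusted ? "TRUSTED" : "REJECTED", r.Reason);
        if (!r.Trusted) Dump(cert);
        return r.Trusted ? 0 : 1;
    }
}
```

On .NET Framework the Offline mode is serviced by Windows CryptoAPI, which looks for CRLs in the certificate stores and in the URL cache the linked blog describes. To make the CRL file retrieved from your server visible to it without any online fetch, one way (assumed here, verify on your own build) is to import it into a store with certutil, e.g. `certutil -addstore CA your.crl`, and to refresh it before its Next Update time passes; once that time has passed the verifier above reports the status as undetermined and rejects the signature, which is the behaviour you want when the cached list can no longer be trusted to match what the CA has published.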