The revocation function was unable to check revocation for the certificate


A revocation check includes checking the certificate status against a CRL and using OCSP for online status checking. The documentation suggests that .NET checks only the CRL, but "Online" probably means that the CRL should be downloaded. In this case your error can mean that the CRL location could not be found (it is not present in the certificate) or that it could not be reached.

The first step to take is to inspect whether the certificate contains a CRL location. You can see this in the certificate properties - there is a CRL Distribution Point extension there.

If a CRL location is present and it points to an HTTP/HTTPS URL, you can check that URL to see if it is accessible.

Unfortunately, while these steps can be automated, they don't cover every source of the problem - the CRL can be malformed, the server could return something other than a CRL (an error response, for example), or the signature on the CRL could be invalid. So the above steps will give you only basic information about the problem.

I don't know if .NET is able to produce a more meaningful description of the failure. In our components (SecureBlackbox) we provide more details about failures, and still this question is one we receive often in technical support despite the presence of an extensive FAQ article on this topic.
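The steps in this answer (find the CRL Distribution Point extension, then check whether its URL is reachable and returns a CRL) can be automated in .NET itself, and the same program can print the chain status flags that sit behind the message in the question. The following is an added example, not code from the original post, from SecureBlackbox or from the .NET documentation. It assumes .NET 6 or later (for `System.Formats.Asn1.AsnReader` and `HttpClient`) and a certificate file path given as the first command-line argument; the class and method names are the example's own. It decodes the `CRLDistributionPoints` extension with `AsnReader`, and for each URL only checks that the response parses as a DER `CertificateList`; it does not verify the CRL's signature or issuer, which the chain engine still does on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class RevocationDiagnostics
{
    // OID of the CRL Distribution Points extension (RFC 5280, section 4.2.1.13).
    const string CrlDistributionPointsOid = "2.5.29.31";

    // Step 0: the chain build from the question, but reporting every status flag.
    // "Unable to check revocation" typically shows up as RevocationStatusUnknown,
    // often together with OfflineRevocation.
    public static void ReportChainStatus(X509Certificate2 certificate)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
        bool valid = chain.Build(certificate);
        Console.WriteLine($"Chain valid: {valid}");
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
    }

    // Step 1: list the CRL URLs the certificate advertises. Only fullName URIs
    // (GeneralName [6] IA5String) are reported, since those are what an online
    // CRL fetch would use; nameRelativeToCRLIssuer entries are skipped.
    public static List<string> GetCrlDistributionPointUrls(X509Certificate2 certificate)
    {
        var urls = new List<string>();
        X509Extension ext = certificate.Extensions[CrlDistributionPointsOid];
        if (ext == null) return urls; // no CDP extension: online CRL checking cannot work

        // distributionPoint [0] is an EXPLICIT tag around the DistributionPointName CHOICE;
        // fullName [0] inside it is an IMPLICIT SEQUENCE OF GeneralName.
        var distributionPointTag = new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true);
        var fullNameTag = new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true);
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);

        AsnReader points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        while (points.HasData)
        {
            AsnReader point = points.ReadSequence(); // DistributionPoint ::= SEQUENCE
            if (!point.HasData || !point.PeekTag().HasSameClassAndValue(distributionPointTag))
                continue; // entry carries only reasons/cRLIssuer
            AsnReader dpName = point.ReadSequence(distributionPointTag);
            if (!dpName.PeekTag().HasSameClassAndValue(fullNameTag))
                continue; // nameRelativeToCRLIssuer [1]: not a fetchable URL
            AsnReader names = dpName.ReadSequence(fullNameTag);
            while (names.HasData)
            {
                if (names.PeekTag().HasSameClassAndValue(uriTag))
                    urls.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                else
                    names.ReadEncodedValue(); // skip directoryName and other GeneralName choices
            }
        }
        return urls;
    }

    // Step 2: fetch each URL and check that the body has the shape of a DER CertificateList
    // (SEQUENCE { tbsCertList SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING })
    // rather than, say, an HTML error page. The signature is not verified here.
    public static async Task<string> ProbeCrlUrlAsync(HttpClient http, string url)
    {
        try
        {
            using HttpResponseMessage response = await http.GetAsync(url);
            if (!response.IsSuccessStatusCode)
                return $"{url}: HTTP {(int)response.StatusCode}";
            byte[] body = await response.Content.ReadAsByteArrayAsync();
            AsnReader crl = new AsnReader(body, AsnEncodingRules.DER).ReadSequence();
            crl.ReadSequence();        // tbsCertList
            crl.ReadSequence();        // signatureAlgorithm
            crl.ReadBitString(out _);  // signature
            crl.ThrowIfNotEmpty();
            return $"{url}: OK, {body.Length} bytes, parses as a DER CRL";
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is AsnContentException || ex is TaskCanceledException)
        {
            return $"{url}: FAILED ({ex.GetType().Name}: {ex.Message})";
        }
    }

    public static async Task Main(string[] args)
    {
        // Assumed input: a DER or PEM certificate file path passed as the first argument.
        using var certificate = new X509Certificate2(args[0]);
        ReportChainStatus(certificate);

        List<string> urls = GetCrlDistributionPointUrls(certificate);
        if (urls.Count == 0)
        {
            Console.WriteLine("No CRL Distribution Point URLs in the certificate.");
            return;
        }
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(15) };
        foreach (string url in urls)
            Console.WriteLine(await ProbeCrlUrlAsync(http, url));
    }
}
```

Running it against a certificate whose CDP URL is unreachable prints `RevocationStatusUnknown` from the chain build followed by a `FAILED (HttpRequestException ...)` line for that URL, which separates "no CDP in the certificate" from "CDP present but server unreachable" and from "server answered but not with a CRL". A CRL served as PEM rather than DER fails the shape check here; it would need base64-decoding before the `AsnReader` step.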




Updated on September 15, 2022

Comments

  • Fenton (over 1 year ago)

    I am attempting to validate that a certificate has not been revoked using an X509Chain in C#.

    using System.Security.Cryptography.X509Certificates;

    X509Chain chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
    bool valid = chain.Build(certificate); // certificate: the X509Certificate2 being checked
    foreach (X509ChainStatus status in chain.ChainStatus) // Build() returns false; the reason is here
        Console.WriteLine($"{status.Status}: {status.StatusInformation}");

    This returns a status of:

    The revocation function was unable to check revocation for the certificate

    I do want to check for revoked certificates, not just switch off the error.

    How do I resolve this problem, or at least get a better idea of the cause (for example, how do I find out where it is checking for a CRL)?

    • Nickolay Olshevsky (over 11 years ago)
      There is a CRL URL field in the certificate's extensions; check whether this URL is accessible and returns a valid CRL.