c# verify certificate in CRL list

徘徊边缘 submitted on 2020-01-13 09:53:26

Question


How can I programmatically check if a certain certificate is revoked from its CA CRL list?

I'm doing this:

using System;
using System.Security.Cryptography.X509Certificates;

static bool IsCertificateValid(X509Certificate2 certificate)
{
    using (X509Chain ch = new X509Chain())
    {
        // Fetch revocation information online for every certificate in the chain.
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ch.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // TimeSpan(long) is in 100 ns ticks: new TimeSpan(1000) is 0.1 ms, so every
        // CRL download timed out. Give the fetch a realistic budget.
        ch.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        ch.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        ch.ChainPolicy.VerificationTime = DateTime.Now;
        ch.Build(certificate);
        foreach (X509ChainStatus s in ch.ChainStatus)
        {
            string str = s.Status.ToString();
            Console.WriteLine("str: " + str);
        }
    }
    // The Disallowed ("Untrusted Certificates") store is a local blocklist,
    // independent of the CA's CRL.
    X509Store store = new X509Store(StoreName.Disallowed, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly); // a lookup needs no write access
    bool isRevoked = store.Certificates.Contains(certificate);
    store.Close();
    return !isRevoked && certificate.Verify();
}

And I get "str: RevokedStatusUnknown". Only if I wait many hours after I revoke the certificate is the status returned as Revoked, despite the fact that I publish the CRL immediately after revoking the certificate. Why does it not access the CRL instantaneously?


Answer 1:


Try running the following MS command.

   certutil -urlcache * delete

Windows caches certificate revocation statuses for a certain period; running the above command will flush the cache.




Answer 2:


This is almost certainly using the local CRL cache on your machine.

From the command prompt, try clearing the cache first.

certutil -urlcache crl delete
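
Putting the question's X509Chain code and both answers' cache point together, here is an added example (not code from the original question or either answer) that distinguishes the three outcomes a chain build can give: a definitive Revoked, a definitive good, and "could not determine" (RevocationStatusUnknown / OfflineRevocation), which must fail closed rather than be treated as valid. The names `CrlCheck`, `CheckRevocation`, `RevocationResult` and the `leaf.cer` path are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original question or answers.
// CheckRevocation, RevocationResult and the file path in Main are assumptions.
public enum RevocationResult { Good, Revoked, Unknown, Invalid }

public static class CrlCheck
{
    public static RevocationResult CheckRevocation(X509Certificate2 certificate, out string[] details)
    {
        using (var chain = new X509Chain())
        {
            // Consult the CA's CRL/OCSP for every certificate in the chain, not just the leaf.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            // TimeSpan(long) counts 100 ns ticks; a realistic download budget is seconds.
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool ok = chain.Build(certificate);
            X509ChainStatus[] statuses = chain.ChainStatus;
            details = Array.ConvertAll(statuses, s => s.Status + ": " + s.StatusInformation);

            // Build() returns true only when no status flag is set: the chain is trusted
            // and every element was positively reported as not revoked.
            if (ok) return RevocationResult.Good;

            foreach (X509ChainStatus s in statuses)
            {
                // Only the Revoked flag is a definitive answer from the CRL.
                if ((s.Status & X509ChainStatusFlags.Revoked) != 0)
                    return RevocationResult.Revoked;
            }
            foreach (X509ChainStatus s in statuses)
            {
                // RevocationStatusUnknown / OfflineRevocation: the CRL could not be
                // fetched (timeout, no network) or only a cached copy was available.
                // This is "unknown", not "good": fail closed.
                if ((s.Status & (X509ChainStatusFlags.RevocationStatusUnknown
                               | X509ChainStatusFlags.OfflineRevocation)) != 0)
                    return RevocationResult.Unknown;
            }
            // Some other chain failure: expired, untrusted root, wrong usage, ...
            return RevocationResult.Invalid;
        }
    }

    public static void Main(string[] args)
    {
        // Assumed path; any certificate issued by a CA that publishes a CRL will do.
        var cert = new X509Certificate2(args.Length > 0 ? args[0] : "leaf.cer");
        string[] details;
        RevocationResult result = CheckRevocation(cert, out details);
        Console.WriteLine("Result: " + result);
        foreach (string d in details) Console.WriteLine("  " + d);
    }
}
```

If this keeps reporting Good or Unknown right after the CA publishes a new CRL, the chain engine is still using the CRL already in the CryptoAPI URL cache, which Windows keeps until that CRL's NextUpdate time; flush it with `certutil -urlcache crl delete` as in the answers above and run the check again.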


Source: https://stackoverflow.com/questions/2147889/c-sharp-verify-certificate-in-crl-list
