

CRL gets cached after we do an Online verification with X509Chain

Hi all,

When we use the X509Chain class to verify that a certificate has not been revoked, we may see the following behavior:

1) We do an online verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Online) of a valid certificate, and it works as expected: X509Chain.Build returns true, because the CRL was downloaded and the certificate is not listed on it.

2) We clear the CRL cache with the following command: certutil -urlcache CRL delete.

3) Now we do an offline verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Offline) in the same process, and it does not behave as we would expect after reading the X509RevocationMode.Offline documentation: X509Chain.Build still returns true, even though the on-disk CRL cache is now empty.

4) If we instead do the offline verification in a different process after clearing the cache, we get the result we expected: X509Chain.Build returns false, and X509Chain.ChainStatus reports RevocationStatusUnknown together with OfflineRevocation, because there is no cached CRL to consult.

 

This behavior is by design. See the "CRL and AIA Caching" section in Certificate Revocation and Status Checking:
"
To increase performance, the CryptoAPI caches CRLs and certificates referenced in AIAs. The entries are cached in memory on a per process basis.
"

This applies to .NET as well, because on Windows X509Chain is a wrapper over CryptoAPI's certificate chain engine (CertGetCertificateChain). So a CRL can be cached in two places:
- Memory, per process.
- The local file system (the per-user URL cache that certutil -urlcache manages).

certutil -urlcache only clears the local file system cache. If the CRL is also cached in memory, the process has to be restarted (or the check run in a new process) before an offline verification reflects the cleared cache. Note as well that a failed offline check means the revocation status could not be determined, not that the certificate is revoked; the distinction is visible in X509Chain.ChainStatus, which reports RevocationStatusUnknown and OfflineRevocation rather than Revoked.
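The following program reproduces the four steps above and prints the ChainStatus flags at each step. It is an added example, not code from the original post. It assumes you pass it the path to a certificate file that carries a CRL Distribution Point (for instance a leaf certificate exported from a TLS server), that certutil is on the PATH, and that it runs on .NET Framework on Windows, where X509Chain uses CryptoAPI. The "offline-only" argument and the CrlCacheDemo class name are this example's own.

```csharp
// Added example (not from the original post). Reproduces the in-process CRL cache
// behavior: online check, clear the on-disk cache, offline check in the same
// process (still succeeds), offline check in a new process (fails).
// Assumes: .NET Framework on Windows, certutil on PATH, and a certificate file
// with a CRL Distribution Point passed as args[0].
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

class CrlCacheDemo
{
    // Build a chain with the requested revocation mode and print what CryptoAPI reported.
    static bool Check(X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // Do not suppress unknown revocation status; we want to see it in ChainStatus.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);
        Console.WriteLine("{0,-8} Build = {1}", mode, ok);
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            // An offline check without a cached CRL yields RevocationStatusUnknown and
            // OfflineRevocation, not Revoked.
            Console.WriteLine("         {0}: {1}", s.Status, (s.StatusInformation ?? "").Trim());
        }
        return ok;
    }

    // Same command as in the post: clears only the on-disk (URL) CRL cache.
    static void ClearUrlCache()
    {
        var psi = new ProcessStartInfo("certutil", "-urlcache CRL delete")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true
        };
        using (Process p = Process.Start(psi))
        {
            p.StandardOutput.ReadToEnd();
            p.WaitForExit();
        }
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: CrlCacheDemo <cert.cer> [offline-only]");
            return 2;
        }
        var cert = new X509Certificate2(args[0]);

        // Child mode: a fresh process has no in-memory cache, so this reflects the disk cache.
        if (args.Length > 1 && args[1] == "offline-only")
            return Check(cert, X509RevocationMode.Offline) ? 0 : 1;

        // Step 1: online check downloads the CRL and caches it on disk and in memory.
        Check(cert, X509RevocationMode.Online);

        // Step 2: clear the on-disk cache.
        ClearUrlCache();

        // Step 3: offline check in the same process still succeeds from the in-memory cache.
        bool sameProcess = Check(cert, X509RevocationMode.Offline);

        // Step 4: offline check in a new process sees the empty disk cache and fails.
        var child = new ProcessStartInfo(Process.GetCurrentProcess().MainModule.FileName,
            "\"" + args[0] + "\" offline-only") { UseShellExecute = false };
        using (Process p = Process.Start(child))
        {
            p.WaitForExit();
            Console.WriteLine("New process: Offline Build = {0}", p.ExitCode == 0);
        }
        return sameProcess ? 0 : 1;
    }
}
```

Run it once with a certificate whose CRL has not been fetched yet on the machine: the first three lines show Online and same-process Offline both returning true, while the relaunched child prints false and lists RevocationStatusUnknown and OfflineRevocation. If the child also returns true, the CRL is still on disk (for example because certutil ran for a different user profile than the one holding the cache).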

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)

Comments

  • Anonymous
    February 08, 2009
    That was what I needed! Thanks!
  • Anonymous
    February 19, 2010
    Thank you for clarifying about having the revocations cached in memory. This issue has blown my Clean Access system out of the water regularly every three months or so. This was a big help.