CRL gets cached after we do an Online verification with X509Chain

Hi all,

When we use the X509Chain class to verify that a certificate has not been revoked, we may see the following behavior:

1) We do an online verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Online) on a valid certificate and it works as expected: X509Chain.Build returns true because the certificate is valid and its CRL could be retrieved.

2) We clear the CRL cache with the following command: certutil -urlcache CRL delete

3) Now we do an offline verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Offline) in the same process, and it does not behave as we would expect after reading the X509RevocationMode.Offline documentation: X509Chain.Build still returns true even though we have just emptied the CRL cache.

4) If we instead do the offline verification in a different process after clearing the cache, the result is what we would expect: X509Chain.Build returns false because no cached CRL is available.


This behavior is by design. See the CRL and AIA Caching section in Certificate Revocation and Status Checking:

"To increase performance, the CryptoAPI caches CRLs and certificates referenced in AIAs. The entries are cached in memory on a per process basis."

So the CRL can be cached in two places:
- In memory, per process.
- On the local file system (the URL cache that certutil manages).

certutil -urlcache CRL delete only clears the local file system cache. If the CRL is also cached in memory, the running process keeps using that copy, so to make the offline check fail we need to restart the process (or run the offline verification in a new one).
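The four steps above reproduced as one program, written for this post as an added example rather than code taken from it. It assumes Windows, where X509Chain is backed by CryptoAPI (on Linux, .NET builds chains with OpenSSL and keeps its own CRL cache, so the certutil step does not apply there), a certificate file whose CRL distribution point is reachable, and that the program is started through its own executable so it can relaunch itself for step 4. The program name, the "offline-only" argument and the exit codes are my own choices.

```csharp
// Added example (not from the original post): reproduces steps 1-4 in one program.
// Assumes Windows (X509Chain backed by CryptoAPI) and a certificate file whose
// CRL distribution point is reachable from this machine.
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

static class CrlCacheRepro
{
    // Builds the chain with the requested revocation mode and prints every
    // status flag, so that a "Build returned false" can be attributed to its
    // cause: with an empty cache in Offline mode we expect RevocationStatusUnknown
    // and OfflineRevocation, not Revoked.
    static bool BuildChain(X509Certificate2 cert, X509RevocationMode mode, string label)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);

            bool ok = chain.Build(cert);
            Console.WriteLine($"[pid {Process.GetCurrentProcess().Id}] {label}: Build returned {ok}");
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine($"    {status.Status}: {status.StatusInformation?.Trim()}");
            return ok;
        }
    }

    // Step 2: clears the on-disk URL cache only. certutil runs as a child
    // process, so the in-memory CryptoAPI cache of this process is untouched.
    static void ClearCrlDiskCache()
    {
        var psi = new ProcessStartInfo("certutil", "-urlcache CRL delete")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };
        using (Process p = Process.Start(psi))
        {
            p.StandardOutput.ReadToEnd();
            p.WaitForExit();
        }
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: CrlCacheRepro <certificate.cer> [offline-only]");
            return 2;
        }
        var cert = new X509Certificate2(args[0]);

        // Step 4, when re-launched: a fresh process has an empty in-memory cache,
        // and the disk cache was cleared by the parent, so the Offline build
        // is expected to fail.
        if (args.Length > 1 && args[1] == "offline-only")
            return BuildChain(cert, X509RevocationMode.Offline, "Offline (new process)") ? 0 : 1;

        // Step 1: the Online build downloads the CRL, populating both caches.
        BuildChain(cert, X509RevocationMode.Online, "Online");

        // Step 2: remove the on-disk copy.
        ClearCrlDiskCache();

        // Step 3: the Offline build in the same process still succeeds because
        // the CRL is served from the per-process in-memory cache.
        BuildChain(cert, X509RevocationMode.Offline, "Offline (same process)");

        // Step 4: repeat the Offline build in a new process (this executable
        // started again with the "offline-only" argument).
        string exe = Process.GetCurrentProcess().MainModule.FileName;
        var child = new ProcessStartInfo(exe, $"\"{args[0]}\" offline-only")
        {
            UseShellExecute = false,
        };
        using (Process p = Process.Start(child))
        {
            p.WaitForExit();
            return p.ExitCode; // 1 when the fresh process reports Build == false
        }
    }
}
```

Run it as CrlCacheRepro.exe cert.cer and compare the three lines: Online and "Offline (same process)" both report true, while the line printed by the child process reports false together with the RevocationStatusUnknown and OfflineRevocation flags. Running certutil -urlcache CRL afterwards lists what is still on disk and confirms that the step 3 result did not come from the file system cache.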

I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)