C#: verify certificate in CRL list

Question

How can I programmatically check if a certain certificate is revoked from its CA CRL list?

I do this:

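using System;
using System.Security.Cryptography.X509Certificates;

static bool IsCertificateValid(X509Certificate2 certificate)
{
    X509Chain ch = new X509Chain();
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    ch.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
    // Note: TimeSpan(long) takes ticks of 100 ns, so this is 100 microseconds, not 1000 ms.
    ch.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(1000);
    ch.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
    ch.ChainPolicy.VerificationTime = DateTime.Now;
    ch.Build(certificate);
    // Print every status flag reported for the chain.
    foreach (X509ChainStatus s in ch.ChainStatus)
    {
        string str = s.Status.ToString();
        Console.WriteLine("str: " + str);
    }
    // Look the certificate up in the machine's Disallowed store; read access is enough for Contains().
    X509Store store = new X509Store(StoreName.Disallowed, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    bool isRevoked = store.Certificates.Contains(certificate);
    store.Close();
    return !isRevoked && certificate.Verify();
}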

And I get "str: RevokedStatusUnknown". Only if I wait many hours after I revoke the certificate is the status returned as Revoked, despite the fact that I publish the CRL immediately after revoking the certificate. Why does it not access the CRL instantaneously?

Recommended answer

Try running the following MS command.

   certutil -urlcache * delete

Windows caches certificate revocation statuses for a certain period; using the above command will flush the cache.
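An added example, not part of the original question or answer: one way to turn the chain status flags into a single decision, so that "revocation status unknown" is reported separately from "revoked" and is never counted as valid. The names `RevocationResult` and `RevocationCheck` and the 15-second timeout are assumptions made for this sketch.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

enum RevocationResult { Good, Revoked, Unknown, OtherChainError }

static class RevocationCheck
{
    // Hypothetical helper: reduces the chain status flags to a single decision.
    public static RevocationResult Check(X509Certificate2 certificate)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // assumed value
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(certificate);

        // OR together the flags reported for the chain.
        X509ChainStatusFlags flags = chain.ChainStatus
            .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);

        if ((flags & X509ChainStatusFlags.Revoked) != 0)
            return RevocationResult.Revoked;

        // No usable revocation answer: report it separately instead of treating it as "not revoked".
        const X509ChainStatusFlags unknown =
            X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        if ((flags & unknown) != 0)
            return RevocationResult.Unknown;

        return built ? RevocationResult.Good : RevocationResult.OtherChainError;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: RevocationCheck <certificate.cer>");
            return 2;
        }
        using var certificate = new X509Certificate2(args[0]);
        RevocationResult result = Check(certificate);
        Console.WriteLine($"{certificate.Subject}: {result}");
        return result == RevocationResult.Good ? 0 : 1; // fail closed on anything but Good
    }
}
```

The result reflects whatever revocation data Windows currently holds, cached entries included, so the cache flush from the answer above still applies when testing right after publishing a new CRL.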
