The revocation function was unable to check revocation for the certificate


Problem description

I am attempting to validate that a certificate has not been revoked using an X509Chain in C#.

X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
chain.Build(certificate);

This returns a status:

The revocation function was unable to check revocation for the certificate

I do want to check for revoked certificates, not just switch off the error.

How do I resolve this problem or at least get a better idea of the cause (for example, how do I find out where it is checking for a CRL?)

Recommended answer

Revocation check includes checking certificate status in CRL and use of OCSP for online checking of status. Documentation suggests that .NET checks only CRL, but "Online" probably means that the CRL should be downloaded. In this case your error can mean that the CRL location could not be found (not present in the certificate) or it could not be reached.

The first step to take is to inspect whether the certificate contains a CRL location. You can see this in the certificate properties - there's a CRL Distribution Point extension there.

If the CRL location is present and it points to an HTTP/HTTPS URL, you can check that URL to see if it's accessible.

Unfortunately, while these steps can be automated, they don't cover any source of the problem - the CRL can be malformed, or the server could return something that is not a CRL (an error response, for example), or the signature on the CRL was invalid. So the above steps will give you only basic information about the problem.

I don't know if .NET is able to produce a more meaningful description of the failure. In our components (SecureBlackbox) we provide more details about failures, and still this question is the one we receive often in technical support despite the presence of an extensive FAQ article on this topic.
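
The two diagnostic steps from the answer, sketched as an added example (not code from the original question or answer, and not SecureBlackbox's API): it prints the chain status per certificate, shows the CRL Distribution Points extension, and requests each HTTP/HTTPS URL found there. Assumptions: the certificate is loaded from a file path passed as the first argument, and the code runs on Windows, where `Format(true)` renders the extension as readable text containing the URLs.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

class RevocationDiagnostics
{
    static void Main(string[] args)
    {
        // Assumption: args[0] is the path to a DER- or PEM-encoded certificate file.
        var certificate = new X509Certificate2(args[0]);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
        Console.WriteLine($"Chain valid: {chain.Build(certificate)}");

        // Per-element status shows which certificate the revocation error belongs to.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine(element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine($"  {status.Status}: {status.StatusInformation?.Trim()}");
        }

        // Step 1: does the certificate carry a CRL Distribution Points extension (OID 2.5.29.31)?
        X509Extension crlDp = certificate.Extensions["2.5.29.31"];
        if (crlDp == null)
        {
            Console.WriteLine("No CRL Distribution Points extension: there is no CRL location to check.");
            return;
        }
        string formatted = crlDp.Format(true); // readable on Windows; may be a hex dump elsewhere
        Console.WriteLine(formatted);

        // Step 2: request each HTTP/HTTPS URL and report what the server actually returns.
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
        foreach (Match m in Regex.Matches(formatted, @"https?://[^\s)]+"))
        {
            try
            {
                using HttpResponseMessage r = http.GetAsync(m.Value).GetAwaiter().GetResult();
                Console.WriteLine($"{m.Value} -> {(int)r.StatusCode}, {r.Content.Headers.ContentType}, {r.Content.Headers.ContentLength} bytes");
            }
            catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
            { Console.WriteLine($"{m.Value} -> unreachable: {ex.Message}"); }
        }
    }
}
```

A 200 response with an HTML content type or a very small body points to the server returning an error page instead of a CRL; this sketch does not parse the CRL or verify its signature.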
