
Validating an X509Chain with a revocation policy set to Online against a CRL whose Next date is set years in the past fails because of the revocation check


I have this Chain validation set up:

using System.Security.Cryptography.X509Certificates;

var chain = new X509Chain();
// Trust only the certificates added to CustomTrustStore below, not the machine store.
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
chain.ChainPolicy.CustomTrustStore.Add(_options.CA);
chain.ChainPolicy.CustomTrustStore.Add(_options.Intermediate);

where I want to call

chain.Build(clientCertificate);

on a client certificate. I need to do this:

chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

to get it to work. I know that the certificates in my custom store are pointing to a valid CRL. I can even download it, but when I download it, I can see that the CRL Next date is way in the past (January 2018), which in my mind makes the CRL invalid.

My two questions are:

  • When I validate a certificate with RevocationMode set to something other than NoCheck and the CRL has a Next date < DateTime.UtcNow (that is, the Next date is in the past), will it fail the revocation check for that reason?

  • Does it matter that I use a custom root store? Or does revocation only work if I use the certificate store in Windows?

I am on .NET 7 (tried the above on both Windows and Linux).


Solution

  • When I validate a certificate with RevocationMode set to something other than NoCheck and the CRL has a Next date < DateTime.UtcNow (that is, the Next date is in the past), will it fail the revocation check for that reason?

    No. In this case, the certificate chaining engine will skip any revocation checking.

  • Does it matter that I use a custom root store? Or does revocation only work if I use the certificate store in Windows?

    It doesn't matter as long as the custom store is trusted by the chaining engine, which it is (based on your code).
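As an added example (this is not code from the question or the answer above), the following builds the chain exactly as in the question, keeps RevocationMode = Online, and then reports every X509ChainStatus flag per chain element, so that a revocation check that could not be completed (RevocationStatusUnknown / OfflineRevocation, which is what a stale or unreachable CRL produces) can be told apart from a certificate that has actually been Revoked or from a chain that fails for an unrelated reason. The ca, intermediate and clientCertificate parameters stand in for the question's _options.CA, _options.Intermediate and clientCertificate; the class and method names are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not the question's or the answer's code. The caller is assumed
// to already hold the CA, intermediate and client certificates as X509Certificate2.
public static class ChainDiagnostics
{
    // Flags that mean "revocation status could not be determined", as opposed to
    // X509ChainStatusFlags.Revoked, which means the issuer actively revoked the cert.
    private const X509ChainStatusFlags RevocationUnknown =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static bool ValidateWithDiagnostics(
        X509Certificate2 clientCertificate,
        X509Certificate2 ca,
        X509Certificate2 intermediate,
        X509RevocationMode revocationMode = X509RevocationMode.Online)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.CustomTrustStore.Add(intermediate);
        chain.ChainPolicy.RevocationMode = revocationMode;
        // A self-signed root is never listed in a CRL it issues, so do not check it.
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        // Bound the time spent fetching CRLs so a dead distribution point cannot hang the request.
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

        bool ok = chain.Build(clientCertificate);

        // Print every status the engine attached, per element, so a failure is attributable
        // to a specific certificate rather than only to "Build returned false".
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine(element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
        }

        if (ok)
            return true;

        // Collapse the overall chain status into one flags value for classification.
        X509ChainStatusFlags flags = chain.ChainStatus
            .Select(s => s.Status)
            .Aggregate(X509ChainStatusFlags.NoError, (acc, f) => acc | f);

        if ((flags & X509ChainStatusFlags.Revoked) != 0)
        {
            Console.WriteLine("A certificate in the chain is revoked; reject.");
            return false;
        }

        // Anything other than an unknown revocation status is a hard failure
        // (untrusted root, expired certificate, bad signature, ...).
        if ((flags & ~RevocationUnknown) != 0)
        {
            Console.WriteLine($"Chain failed for non-revocation reasons: {flags & ~RevocationUnknown}");
            return false;
        }

        // Only the revocation status is unknown (CRL could not be fetched or is stale).
        // Whether to accept that is a policy decision; this example surfaces it rather
        // than silently accepting the certificate.
        Console.WriteLine("Revocation status could not be determined (stale or unreachable CRL).");
        return false;
    }
}
```

If the decision is to tolerate an undeterminable revocation status while still rejecting certificates that are positively revoked, that is what the X509VerificationFlags.IgnoreEndRevocationUnknown and IgnoreCertificateAuthorityRevocationUnknown flags on chain.ChainPolicy.VerificationFlags express; they are narrower than switching RevocationMode to NoCheck, which disables the check entirely.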