Asp.net core Client certificate authentication middleware failing on X509Chain build

Question

We have a custom middleware in a ASP.NET core 2.1 application that verifies the validity of a client certificate. The cert is not self signed and is a signed by a trusted CA. The application is hosted in Azure app service. We get this the following response from the chainstatus. What could be the issue?

"The revocation function was unable to check revocation for the certificate,The revocation function was unable to check revocation because the revocation server was offline".

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
var verified = ch.Build(x509Certificate2);

when we change RevocationMode to online it works for the most part but in some cases we get the same chainstatus "The revocation function was unable to check revocation for the certificate,The revocation function was unable to check revocation because the revocation server was offline".

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
var verified = ch.Build(x509Certificate2);

Answer 1

When you use X509RevocationMode.Offline , then validation will most likely fail, because CryptoAPI will look only for locally cached revocation information, which is unlikely exist on server.

When you use X509RevocationMode.Online , then CryptoAPI will try to reach revocation servers (as specified in CDP and AIA extensions) to retrieve revocation information for every certificate in the chain. If revocation information is not accessible for any certificate, or it is stale, then you will get RevocationOffline error. In such cases, you may need to debug every URL in CDP and AIA extension for every certificate and figure out what is wrong there.

In addition, RevocationOffline error is raised when URL is accessible, but the timeout for URL is expired.