Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/01/30/crl-gets-cached-after-we-do-an-online-verification-with-x509chain/
Post name: CRL gets cached after we do an Online verification with X509Chain
Original author: Alejandro Campos Magencio
Posting date: 2009-01-30T03:13:00+00:00


Hi all,

When we use the X509Chain class to verify that our certificate is not revoked, we may experience the following behavior:

1) We do an online verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Online) on a valid certificate and it works properly: X509Chain.Build returns true because the certificate is valid.

2) We clean the CRL cache with the following command: certutil -urlcache CRL delete.

3) Now we do an offline verification (X509Chain.ChainPolicy.RevocationMode set to X509RevocationMode.Offline) in the same process, and it doesn't work as we would expect after reading the X509RevocationMode.Offline documentation: X509Chain.Build still returns true even though the CRL cache is empty.

4) If we do the same offline verification in a different process after cleaning the cache, the result is what we would expect: X509Chain.Build returns false because the CRL cache is empty.

This behavior is by design. Check the CRL and AIA Caching section in Certificate Revocation and Status Checking:

To increase performance, the CryptoAPI caches CRLs and certificates referenced in AIAs. The entries are cached in memory on a per process basis.

According to this, the CRL can be cached in various locations:
- Memory
- Local file system

With certutil we only clean the local file system cache. If it's cached in memory, we need to restart the process.
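The following program is an added example, not code from the original post; it reproduces steps 1 to 3 above inside a single process and prints the chain status flags for each build, so the effect of the per-process in-memory CRL cache can be seen directly. The certificate path argument, the class name CrlCacheDemo and the helper Verify are assumptions made for this example; the X509Chain, X509ChainPolicy, X509RevocationMode and X509ChainStatus types are the standard .NET API the post discusses.

```csharp
// Added example (not from the original post). Demonstrates that an Offline
// revocation check in the same process still succeeds after the on-disk CRL
// cache is cleared, because CryptoAPI also caches the CRL in process memory.
using System;
using System.Security.Cryptography.X509Certificates;

class CrlCacheDemo
{
    // Builds the chain for 'cert' with the requested revocation mode, prints
    // every chain status element (RevocationStatusUnknown, OfflineRevocation,
    // Revoked, ...) and returns the Build result.
    static bool Verify(X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // NoFlag: do not ignore any error, so a missing CRL is reported as a
        // failure rather than silently accepted.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);
        Console.WriteLine("{0}: Build returned {1}", mode, ok);
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());
        }
        chain.Reset();
        return ok;
    }

    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("usage: CrlCacheDemo <certificate file>");
            return;
        }
        // Assumption: the certificate to check is supplied as a file on the
        // command line (for example a .cer exported from the store).
        var cert = new X509Certificate2(args[0]);

        // Step 1: online verification downloads the CRL from the CDP and caches
        // it both on disk and in this process's memory.
        Verify(cert, X509RevocationMode.Online);

        // Step 2: clear the on-disk cache from a command prompt:
        //   certutil -urlcache CRL delete
        Console.WriteLine("Run 'certutil -urlcache CRL delete' now, then press Enter.");
        Console.ReadLine();

        // Step 3: offline verification in the same process still returns true,
        // because the CRL is served from the in-memory cache (by design).
        // Step 4 of the post is reproduced by running only this call in a fresh
        // process: Build then returns false with RevocationStatusUnknown and
        // OfflineRevocation in ChainStatus.
        Verify(cert, X509RevocationMode.Offline);
    }
}
```

The practical consequence for anyone testing revocation handling: a successful Offline build inside a long-running process says nothing about the state of the on-disk cache, so tests of "CRL unavailable" behavior must be run in a fresh process, and monitoring code that wants the real revocation status should inspect the ChainStatus flags rather than only the boolean returned by Build.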

I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)

