Hi to all,
I have to check if a certificate have been revoked. Is this check performed automatically by the CertificateChain::VerifyChain method? If not, is there a way to do that by using the security library?
Thanks in advance,
Gabriele

When verifying a certificate, the library calls the CertVerifyCertificateChainPolicy function [http://msdn.microsoft.com/library/en-us/security/security/certverifycertificatechainpolicy.asp] and specifies the CERT_CHAIN_POLICY_SSL policy OID. I looked through the documentation and that didn't specify the exact checks that were being performed, but I do think that the CRL is indeed verified.

There's a specific certificate that we use during the testing of the library that takes over 7 seconds to verify. The only reason I can come up with is that the verification takes so long because the CryptoAPI is connecting to the online CRL server [the other tests should only take a fraction of a second].

Pieter,
what you say can be right, but I tryed to verify a chain while offline (with the network cable unplugged) and the result is CertificateStatus.ValidCertificate and not CertificateStatus.RevocationServerOffline... so I think that the CRL verification is not actually performed.

Thank you for your answer,
Gabriele

I've posted this question on one of Microsofts technical forums. When I get the answer there, I'll post it over here.

I've read the answer on the newsgroup... Now I have to find how to perform the crl checking. I'm trying do do that by using capicom (that's a little simpler than CryptoApi). A question: why don't have you used capicom instead of CryptoApi?

Thanks,
Gabriele

It appears that CRL checking is being done when constructing the certificate chain and not when calling the CertVerifyCertificateChainPolicy method. In the current version of the security library, the CRLs are not verified when building a chain. We'll add support for CRL checking in the next version of the library.