CertVerifyRevocation returns error CRYPT_E_REVOCATION_OFFLINE

Posted on 2009-02-23
Last Modified: 2012-05-06
I want to verify the validity of a certificate with CertVerifyRevocation(), but for a certain Smart Card with one of our customers it returns CRYPT_E_REVOCATION_OFFLINE. It works with many other Smart Cards and the obvious conclusion is of course that the Revocation store IS offline - but this smart card can be used to log in to Windows without any error.

I have successfully created a certificate chain and verified intended key usage and validity time etc.
Question by:OleSetnes

    Expert Comment

    When the CRL is offline, you can still use a smartcard to log in to Windows using cached credentials. There are stipulations to this, but that's typical behavior - mainly in place for laptops.

    - You cannot log in the first time if the CRL is offline and has never been accessed to be cached.

    - The number of cached logons is 10 by default.  This number represents the number of user accounts used to log in - i.e. if you have 11 users using the same computer - after having all 11 log on successfully and then unplug the network connection only the last 10 in the sequence will be validated.  Note that different username formats count extra in this ( is one, domain\user is another, even if for same end user).

    If there is more to the story I may be able to explain that behavior as well.

    Author Comment

    Does the error message CRYPT_E_REVOCATION_OFFLINE mean that the certificate was successfully validated against the cached CRL but the revocation server was offline?

    If yes, could/should I ignore the error message?

    Accepted Solution

    No.. it means there was a problem checking the online CRL or OCSP response. I would not recommend ignoring it in most cases unless you know the CRL to be offline. You may consider using SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as this will reduce that from the root cert as there is not a CRL that can revoke a root CA, even if one is specified it would be invalid in a technical sense, so it is not normally specified.

    Read this - it gets relevant after the big code sample box and just ignore that the article has to do with Identrus stuff - they do things a little differently but the code discussion is pretty much universal:

    A little more reference

    For error logging, maybe this one could take a higher debug level to enable logging this error if you get into logging debug stuff that far, but I would not completely ignore it.
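
The handling discussed in this thread, as an added example that is not part of the original posts: CRYPT_E_REVOCATION_OFFLINE is treated as "status unknown" and rejected unless the caller explicitly opts in. The names rev_verdict, classify_revocation, revocation_acceptable and check_leaf are hypothetical; the error values are those from winerror.h.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>                /* link with crypt32.lib */
#else                                /* winerror.h values, so the policy builds anywhere */
#define CRYPT_E_REVOKED             0x80092010
#define CRYPT_E_NO_REVOCATION_CHECK 0x80092012
#define CRYPT_E_REVOCATION_OFFLINE  0x80092013
#endif

typedef enum { REV_GOOD, REV_REVOKED, REV_UNKNOWN, REV_FAILED } rev_verdict;

/* ok  = BOOL returned by CertVerifyRevocation
   err = CERT_REVOCATION_STATUS.dwError, meaningful when ok is FALSE */
rev_verdict classify_revocation(int ok, uint32_t err)
{
    if (ok)
        return REV_GOOD;             /* every context was checked, none revoked */
    switch (err) {
    case (uint32_t)CRYPT_E_REVOKED:
        return REV_REVOKED;
    case (uint32_t)CRYPT_E_REVOCATION_OFFLINE:   /* CRL/OCSP source unreachable */
    case (uint32_t)CRYPT_E_NO_REVOCATION_CHECK:  /* no check could be performed */
        return REV_UNKNOWN;          /* status was NOT established */
    default:
        return REV_FAILED;           /* any other error: fail closed */
    }
}

/* Only REV_GOOD passes unless the caller explicitly accepts "unknown". */
int revocation_acceptable(rev_verdict v, int allow_unknown)
{
    return v == REV_GOOD || (v == REV_UNKNOWN && allow_unknown);
}

#ifdef _WIN32
/* Checks one certificate against its issuer (both obtained by the caller). */
rev_verdict check_leaf(PCCERT_CONTEXT leaf, PCCERT_CONTEXT issuer)
{
    CERT_REVOCATION_PARA   para = { sizeof(para) };
    CERT_REVOCATION_STATUS st   = { sizeof(st) };
    PVOID ctx[1] = { (PVOID)leaf };
    BOOL ok;
    para.pIssuerCert = issuer;
    ok = CertVerifyRevocation(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                              CERT_CONTEXT_REVOCATION_TYPE, 1, ctx, 0, &para, &st);
    return classify_revocation(ok, st.dwError);
}
#endif
```

Log the raw dwError alongside the verdict so an offline result can be traced to the unreachable CRL or OCSP endpoint.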
