  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2573

CertVerifyRevocation returns error CRYPT_E_REVOCATION_OFFLINE

I want to verify the validity of a certificate with CertVerifyRevocation() but for a certain Smart Card with one of our customers it returns CRYPT_E_REVOCATION_OFFLINE. It works with many other Smart Cards and the obvious conclusion is of course that the Revocation store IS offline - but this smart card can be used to login to Windows without any error.

I have successfully created a certificate chain and verified intended key usage and validity time etc.
Asked by: OleSetnes
1 Solution
Paranormastic (Cryptographic Engineer) commented:
When the CRL is offline, you can still use a smartcard to log in to Windows using cached credentials. There are stipulations to this, but that's typical behavior - mainly in place for laptops.

- You cannot log in the first time if the CRL is offline and has never been accessed to be cached.

- The number of cached logons is 10 by default. This number represents the number of user accounts used to log in - i.e. if you have 11 users using the same computer, after having all 11 log on successfully and then unplugging the network connection, only the last 10 in the sequence will be validated. Note that different username formats count extra in this (user@domain.com is one, domain\user is another, even if for the same end user).

If there is more to the story I may be able to explain that behavior as well.
OleSetnes (Author) commented:
Does the error message CRYPT_E_REVOCATION_OFFLINE mean that the certificate was successfully validated against the cached CRL but the revocation server was offline?

If yes, could/should I ignore the error message?
Paranormastic (Cryptographic Engineer) commented:
No. It means there was a problem checking the online CRL or OCSP response. I would not recommend ignoring it in most cases unless you know the CRL to be offline. You may consider using SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, as this will exclude the root cert from that check: there is no CRL that can revoke a root CA, and even if one is specified it would be invalid in a technical sense, so it is not normally specified.

Read this - it gets relevant after the big code sample box and just ignore that the article has to do with Identrus stuff - they do things a little differently but the code discussion is pretty much universal:
http://msdn.microsoft.com/en-us/library/ms995348.aspx

A little more reference:
http://msdn.microsoft.com/en-us/library/aa379810(VS.85).aspx

For error logging, maybe this one could take a higher debug level to enable logging this error if you get into logging debug stuff that far, but I would not completely ignore it.
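As an added example (not code from the thread), here is how the advice above can be applied in a C caller of CertVerifyRevocation: the self-signed root is left out of the set being checked and only named as the issuer of the last checked certificate, CRYPT_E_REVOKED is always fatal, and CRYPT_E_REVOCATION_OFFLINE is logged and treated as a soft-fail only when a deployment policy permits it. The function names and the allow_offline policy flag are assumptions; the WinCrypt call is compiled only on Windows, while the verdict logic is portable.

```c
/* Added example, not code from the thread: a policy wrapper around
 * CertVerifyRevocation. CRYPT_E_REVOKED is always fatal; CRYPT_E_REVOCATION_OFFLINE
 * is accepted only when the caller's policy allows a soft-fail, and is always logged.
 * The WinCrypt call compiles only on Windows; the verdict logic is portable. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else  /* minimal stand-ins so the verdict logic builds off Windows */
typedef unsigned long DWORD;
#define CRYPT_E_REVOKED            0x80092010L
#define CRYPT_E_REVOCATION_OFFLINE 0x80092013L
#endif

typedef enum { REV_OK, REV_FAIL, REV_SOFT_FAIL } rev_verdict;

/* ok = return value of CertVerifyRevocation, err = pRevStatus->dwError (only
 * meaningful when ok is FALSE), allow_offline = deployment policy (hypothetical). */
rev_verdict classify_revocation(int ok, DWORD err, int allow_offline)
{
    if (ok) return REV_OK;
    switch (err) {
    case CRYPT_E_REVOCATION_OFFLINE:   /* CRL distribution point / OCSP responder unreachable */
        fprintf(stderr, "revocation source offline (0x%08lx)\n", (unsigned long)err);
        return allow_offline ? REV_SOFT_FAIL : REV_FAIL;
    case CRYPT_E_REVOKED:              /* a revocation source answered: certificate revoked */
    default:                           /* any other failure (no CRL/OCSP data, no handler...) */
        return REV_FAIL;
    }
}

#ifdef _WIN32
/* chain[] is leaf first, self-signed root last. The root is not passed for
 * checking (nothing can revoke it); it is supplied only as the issuer of the
 * last checked certificate via pRevPara->pIssuerCert. */
rev_verdict check_chain_revocation(PCCERT_CONTEXT *chain, DWORD count, int allow_offline)
{
    CERT_REVOCATION_PARA rp = { sizeof(rp) };
    CERT_REVOCATION_STATUS st = { sizeof(st) };
    if (count < 2) return REV_FAIL;          /* need at least leaf + issuer */
    rp.pIssuerCert = chain[count - 1];
    /* add CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION to dwFlags to consult cached CRLs only */
    BOOL ok = CertVerifyRevocation(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                   CERT_CONTEXT_REVOCATION_TYPE, count - 1, (PVOID *)chain,
                                   CERT_VERIFY_REV_CHAIN_FLAG, &rp, &st);
    if (!ok)
        fprintf(stderr, "chain[%lu] failed: 0x%08lx\n", st.dwIndex, st.dwError);
    return classify_revocation(ok, st.dwError, allow_offline);
}
#endif
```

With CERT_VERIFY_REV_CHAIN_FLAG, st.dwIndex identifies which certificate in the checked set failed, which is what a higher-level debug log should record before the verdict is applied.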