11

How can I figure out if an X509Certificate2 has been revoked? I assume the Verify() method checks it, but it doesn't explicitly state it in the help. Does anybody know?

Also: does the Verify() check if the certificate is expired?

Krumelur

1 Answer

14

Have you tried using the X509Chain?

using System;
using System.Security.Cryptography.X509Certificates;

var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;       // fetch CRL/OCSP information over the network
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;  // check every certificate in the chain, not just the leaf
chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);   // new TimeSpan(1000) would be 1000 ticks (0.1 ms), far too short
chain.ChainPolicy.VerificationTime = DateTime.Now;
bool elementValid = chain.Build(x509certificate);                   // x509certificate: the X509Certificate2 to check
// when Build returns false, chain.ChainStatus lists the reasons (e.g. Revoked, NotTimeValid)
m0sa
  • I will. Still, I'm unclear about what Verify() is doing. Why is it not documented? – Krumelur Mar 01 '11 at 07:43
  • The documentation for Verify says: "Performs a X.509 chain validation using basic validation policy". You can specify your own validation policy by setting the ChainPolicy when verifying using X509Chain. – m0sa Mar 01 '11 at 09:03
  • 3
    Yeah, but what IS a "basic validation policy"? Does it include revocation check or not, for instance? – Krumelur Mar 01 '11 at 09:35
  • I would say the default settings of the X509Chain.ChainPolicy – m0sa Mar 01 '11 at 09:38
  • Can you please give details on `X509RevocationMode.Online;` Does it require internet connectivity? – PawanS Apr 22 '13 at 14:32
  • Shouldn't `Build()` be called **after** the chain policy setup? – Gabriel S. Oct 08 '13 at 12:30
  • http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chain.build.aspx – m0sa Oct 08 '13 at 12:48
  • 3
    I think it would be better to rely instead on the `boolean` returned by the `Build()` method when validating the whole chain. This way, you can even customize the validation with the `X509ChainPolicy.VerificationFlags` property as described [here](http://blogs.msdn.com/b/alejacma/archive/2011/06/21/how-to-verify-validity-of-certificates-with-net.aspx) (it's illustrated for VB but it's equally valid for C# as well). – Gabriel S. Oct 08 '13 at 13:09
  • @GabrielS.'s link is dead, https://web.archive.org/web/20150214092703/http://blogs.msdn.com/b/alejacma/archive/2011/06/21/how-to-verify-validity-of-certificates-with-net.aspx – Mark Lopez Mar 14 '22 at 22:07
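An added example (not from the answer above or from the .NET documentation) that turns the X509Chain setup into a reusable check and reads ChainStatus so that "revoked", "revocation status could not be determined" and "expired" are reported separately instead of being folded into one boolean. The names CertificateChecker, Result and Check are chosen here; the helper assumes the caller hands in an X509Certificate2 and that the machine can reach the CRL/OCSP endpoints.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of the answer: builds the chain with an explicit
// policy and reports why validation failed, rather than relying on Verify()'s defaults.
public static class CertificateChecker
{
    public sealed class Result
    {
        public bool ChainValid;          // Build() result
        public bool Revoked;             // some certificate in the chain is revoked
        public bool RevocationUnknown;   // CRL/OCSP unreachable or gave no answer: treat as failure
        public bool Expired;             // outside the NotBefore/NotAfter window at VerificationTime
        public string[] StatusDetails;   // human-readable ChainStatus entries
    }

    public static Result Check(X509Certificate2 certificate)
    {
        var chain = new X509Chain();
        try
        {
            // Online: contact the CRL distribution point / OCSP responder for every
            // certificate in the chain (needs network access). Offline uses cached CRLs only.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            // TimeSpan's int constructor takes ticks, so use FromSeconds for a real timeout.
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool valid = chain.Build(certificate);
            X509ChainStatusFlags[] flags = chain.ChainStatus.Select(s => s.Status).ToArray();

            return new Result
            {
                ChainValid = valid,
                Revoked = flags.Any(f => (f & X509ChainStatusFlags.Revoked) != 0),
                RevocationUnknown = flags.Any(f => (f & (X509ChainStatusFlags.RevocationStatusUnknown
                                                       | X509ChainStatusFlags.OfflineRevocation)) != 0),
                Expired = flags.Any(f => (f & X509ChainStatusFlags.NotTimeValid) != 0),
                StatusDetails = chain.ChainStatus
                    .Select(s => s.Status + ": " + s.StatusInformation.Trim()).ToArray()
            };
        }
        finally
        {
            chain.Reset();   // release the native chain context (Reset exists on every .NET version)
        }
    }
}
```

A caller that wants "not revoked" as a hard guarantee should reject the certificate when either Revoked or RevocationUnknown is set, since Build() reports an unreachable CRL as a failure distinct from an actual revocation.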