I am currently having an issue with some programmatically self-signed certificates that I have added distribution points to. Basically the key issue is that for some reason, the certificates that I have generated programmatically using Bouncy Castle are unable to access the CRL specified in the certificate. See below for a sample output from certutil:
I've been tearing my hair out as to why this issue is occurring, and so to at least rule out the generated certs as the issue, I then went and generated a similar certificate structure using OpenSSL. To my dismay, the client certificate in that instance was able to connect to the listed CRL without an issue.
I can include the code I'm using to generate the Root and Client certificates if it will help, and can also supply more of the certutil output if it will help track down the issue.
Many thanks,
CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=1000040
  Issuer: CN=MyNewCA
  NotBefore: 1/17/2016 3:10 AM
  NotAfter: 1/17/2018 3:10 AM
  Subject: CN=Test.User
  Serial: 855daec11dd981ae87c379dadd323b
  2adc3620f29e8347ec7f007bee3b05a98a3ed49a
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Certificate AIA
    No URLs "None" Time: 0
  Certificate CDP
    Wrong Issuer "Base CRL (01)" Time: 0
    [0.0] http://localhost/MyURL/RootRevocation2.crl
  Certificate OCSP
    No URLs "None" Time: 0
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: CN=MyNewCA
  NotBefore: 1/17/2016 3:10 AM
  NotAfter: 1/17/2026 3:10 AM
  Subject: CN=MyNewCA
  Serial: e4fcfcad23d16adef6f06bcacc5041
  9e500eac5e7a8b5545c92c8a27f1a96a0d223384
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
EDIT: Off the back of CryptoGuy's comment I decided to dig a little deeper into my certificate generation code to ensure that the signing was working as expected, and I did indeed find an issue with the code. For anyone looking to do a similar task, here is the link to a post I based my Bouncy Castle CRL generation on; this helped me fix the logic flaw I was having: Create CRL file with Bouncy Castle C#. The Bouncy Castle CRL help file is located here: http://www.bouncycastle.org/wiki/display/JA1/X.509+Certificate+Revocation+Lists
Thank you for your help
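An added example (mine, not code from the question or from the Bouncy Castle documentation) showing the pairing behind the "Wrong Issuer" status in the certutil output above: Windows only accepts a CRL for a certificate if the CRL's issuer name matches the certificate's issuer and the CRL signature verifies with that issuer's key, so a CRL signed with any other key is treated as revocation offline. It uses the Bouncy Castle C# API and the CN=MyNewCA name from the output; the revoked serial 42, the validity periods and the method names are assumptions of this example.

```csharp
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;
static class CrlIssuerCheck
{
    static AsymmetricCipherKeyPair NewRsaKey()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        return gen.GenerateKeyPair();
    }
    // Self-signed root named as in the question's certutil output (CN=MyNewCA).
    static X509Certificate IssueRoot(AsymmetricCipherKeyPair ca)
    {
        var g = new X509V3CertificateGenerator();
        var dn = new X509Name("CN=MyNewCA"); g.SetIssuerDN(dn); g.SetSubjectDN(dn);
        g.SetSerialNumber(BigInteger.One); g.SetPublicKey(ca.Public);
        g.SetNotBefore(DateTime.UtcNow.AddDays(-1)); g.SetNotAfter(DateTime.UtcNow.AddYears(10));
        return g.Generate(new Asn1SignatureFactory("SHA256WITHRSA", ca.Private));
    }
    // Base CRL for that root: issuer DN, AuthorityKeyIdentifier and signing key must all be
    // the root's own, otherwise certutil reports the CDP as "Wrong Issuer".
    static X509Crl IssueCrl(X509Certificate root, AsymmetricKeyParameter signingKey)
    {
        var g = new X509V2CrlGenerator();
        g.SetIssuerDN(root.SubjectDN);
        g.SetThisUpdate(DateTime.UtcNow); g.SetNextUpdate(DateTime.UtcNow.AddDays(7));
        g.AddCrlEntry(BigInteger.ValueOf(42), DateTime.UtcNow, CrlReason.KeyCompromise); // serial 42 is a constructed value
        g.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(root.GetPublicKey()));
        return g.Generate(new Asn1SignatureFactory("SHA256WITHRSA", signingKey));
    }
    // Check before publishing the CRL: issuer name matches and the signature verifies with the CA key.
    static bool CrlMatchesIssuer(X509Crl crl, X509Certificate ca)
    {
        if (!crl.IssuerDN.Equivalent(ca.SubjectDN)) return false;
        try { crl.Verify(ca.GetPublicKey()); return true; } catch (Exception) { return false; }
    }
    static void Main()
    {
        var caKey = NewRsaKey(); var root = IssueRoot(caKey);
        Console.WriteLine(CrlMatchesIssuer(IssueCrl(root, caKey.Private), root));      // CRL signed by the CA
        Console.WriteLine(CrlMatchesIssuer(IssueCrl(root, NewRsaKey().Private), root)); // CRL signed by another key
    }
}
```

Running CrlMatchesIssuer on the CRL you publish at the CDP URL, against the CA certificate that issued the client certificate, catches the mismatch locally before certutil ever fetches it.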