I'm facing problems with CryptoAPI's certificate chain validation, in particular with the revocation check. The problem is that I'm working under Windows CE (with no internet access), and CryptoAPI does not export CRL APIs for it.
https://msdn.microsoft.com/en-us/library/ms936955.aspx
I've done some research, and it seems that CertGetCertificateChain() does the revocation check, but under the hood.
With OpenSSL I have created a self-signed Root CA and an Intermediate CA (signed with the Root CA), and finally I signed an end certificate with the Intermediate CA. The end certificate contains the crlDistributionPoints extension, which points to the Intermediate CA's CRL encoded in PEM format. For brevity, let's name it intermediate.crl.pem.
So, intermediate.crl.pem is persistent on my disk, and in my openssl.cnf I linked it like this:
...
[ extensions_section ]
crlDistributionPoints=//windows//intermediate.crl.pem
...
I'm not sure that this is correct, however; also I'm not sure whether CryptoAPI expects some different format (for example DER instead of PEM).
And finally, the revocation check is not correct. I always get the error that the certificate is revoked, no matter whether it is in the CRL or not.
Can you give me some guidance here? It is important that intermediate.crl.pem must not be obtained through the network (it must reside on the filesystem).
Also, I noticed that Windows CE supports a certificate store called Disallowed, which CryptoAPI's chain engine checks during validation; it returns an error (says that the cert is not valid) if the certificate being validated is in there.
Is using this store instead of a CRL a better approach?
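As an added example (not part of the question, and not Microsoft's or OpenSSL's own code), the script below rebuilds the same three-tier setup described above entirely with OpenSSL: a self-signed Root CA, an Intermediate CA, and an end certificate whose crlDistributionPoints names a local file. It then issues the Intermediate CA's CRL, checks the end certificate against it, revokes the certificate, reissues the CRL, and checks again, so you can confirm that the CRL itself is correct before involving the CryptoAPI chain engine. The file names, subject names and the `file:///windows/intermediate.crl` URI are constructed placeholders. The CRL is written both as PEM and as a DER copy, since CryptoAPI consumes CRLs in X509_ASN_ENCODING (DER) form; whether the Windows CE chain engine will follow a file URI is not something this script can show.

```shell
#!/bin/sh
# Added example: three-tier PKI with an offline CRL, built with OpenSSL only.
# All names and paths are constructed for the demo.
set -eu

WORK=""   # scratch directory created by build_pki (the script cd's into it)

# Issue a certificate from a CSR: $1=csr $2=issuer cert $3=issuer key $4=extfile $5=out
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -extfile "$4" -out "$5" >/dev/null 2>&1
}

build_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # CA extensions: both CAs may sign certificates and CRLs; a verifier
    # rejects a CRL whose issuer lacks cRLSign in keyUsage.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Test Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.crt >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
    issue int.csr root.crt root.key ca.ext int.crt
    # End certificate: the CDP is a URI (constructed) pointing at a local file.
    printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:file:///windows/intermediate.crl\n' > ee.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
        -subj "/CN=device" >/dev/null 2>&1
    issue ee.csr int.crt int.key ee.ext ee.crt
    # Minimal "openssl ca" database so the Intermediate CA can issue CRLs.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = int_ca
[ int_ca ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = int.crt
private_key      = int.key
default_md       = sha256
default_crl_days = 30
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    cat root.crt int.crt > chain.pem
    publish_crl
}

# Re-issue the Intermediate CA's CRL as PEM, plus a DER copy for CryptoAPI.
publish_crl() {
    openssl ca -config ca.cnf -gencrl -out intermediate.crl.pem >/dev/null 2>&1
    openssl crl -in intermediate.crl.pem -outform DER -out intermediate.crl >/dev/null 2>&1
}

# Revoke the end certificate and publish a CRL that lists it.
revoke_leaf() {
    openssl ca -config ca.cnf -revoke ee.crt >/dev/null 2>&1
    publish_crl
}

# Prints "valid", "revoked" or "error" for ee.crt checked against the CRL.
leaf_status() {
    out=$(openssl verify -crl_check -CAfile chain.pem -CRLfile intermediate.crl.pem ee.crt 2>&1) \
        && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# Stand-alone demo: valid before revocation, revoked afterwards.
build_pki
echo "before revocation: $(leaf_status)"
revoke_leaf
echo "after revocation:  $(leaf_status)"
cd / && rm -rf "$WORK"
```

The two status lines should read `valid` and then `revoked`; if the first one already says `revoked` or `error`, the CRL or chain is wrong before CryptoAPI ever sees it. The DER file `intermediate.crl` is the one to place on the device.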