I have a few self-signed certificates that are accompanied by CRL files. In my Dockerfile I copy those certificates like this:

```dockerfile
# Install the self-signed certificates into the system trust store
COPY Certificates /usr/local/share/ca-certificates/
# update-ca-certificates only processes certificate (.crt) files; it does not install CRLs
RUN update-ca-certificates
```
The base image is for now still the SDK, but it has to be the ASP.NET runtime eventually. I use the SDK for now because I use PowerShell in the container, which I am working on removing, but it starts the web API server and the code that causes the issues when the certificates are validated.

```dockerfile
# Use the .NET runtime image as the base image
FROM mcr.microsoft.com/dotnet/sdk:8.0
#FROM mcr.microsoft.com/dotnet/aspnet:8.0
```
Note that the certificates are not used for HTTPS but for digital signing and verification. I am using HTTP to communicate with the web API.

The problem is that there are also CRL files, and I am at a loss as to where I am supposed to put them. I placed them in /etc/ssl/crl.

I verified that both the certificates and the CRL files are valid using OpenSSL. They are fine.

But when I run the web API I keep getting errors that the CRL files are not found, whereas when I modify the code to skip the online verification of the CRLs the application works as expected.

When I add some traces to the code I get the following error messages:
```text
StatusInformation unable to get certificate CRL
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL
```
The code for the validation is like this:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Wrapped in a method (name is illustrative) so the snippet compiles on its own;
// 'certificate' is the signing certificate being validated.
static void ValidateCertificate(X509Certificate2 certificate)
{
    X509ChainPolicy policy = new X509ChainPolicy();
    policy.RevocationMode = X509RevocationMode.Online;       // consult CRLs, fetching if needed
    policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;  // every cert except the root is revocation-checked
    policy.VerificationTime = DateTime.Now;
    policy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);      // one minute per CRL retrieval

    using X509Chain chain = new X509Chain();   // X509Chain is IDisposable
    chain.ChainPolicy = policy;

    string policyInfo = "RevocationMode: " + chain.ChainPolicy.RevocationMode
        + ", RevocationFlag: " + chain.ChainPolicy.RevocationFlag
        + ", VerificationFlags: " + chain.ChainPolicy.VerificationFlags;

    //ignore crl's
    Console.WriteLine("NOT ignoring revocation lists");
    //chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    bool result = chain.Build(certificate);
    if (!result)
    {
        // Collect every chain status; StatusInformation carries the platform's error text
        string chainErrors = string.Empty;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (!string.IsNullOrEmpty(chainErrors))
            {
                chainErrors += "\r\n";
            }
            chainErrors += status.Status.ToString() + ": " + status.StatusInformation;
        }
        // CertificateValidationFailedEvent / CertificateValidatedEvent are the
        // application's own logging helpers, not part of .NET
        CertificateValidationFailedEvent.Log(certificate.Subject, policyInfo, chainErrors);
    }
    else
    {
        CertificateValidatedEvent.Log(certificate.Subject, policyInfo);
    }
}
```
So everything seems to indicate that the .NET code does not find the CRL files, although the certificates are found. I even tried embedding them in the certificate files themselves, but that did not work either. If I change the code to ignore the revocation lists, then the code works. So it seems I am missing some configuration detail.

Does anyone know where to put them? Can anyone tell me what I am doing wrong?
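On Linux, .NET's X509Chain is backed by OpenSSL, and "unable to get certificate CRL" is OpenSSL's own text for X509_V_ERR_UNABLE_TO_GET_CRL: the verifier was asked to check revocation but had no CRL for the issuer at hand. The script below is an added example, not the poster's code or PKI. It builds a throwaway signing CA, one leaf certificate and a CRL with OpenSSL (all names, paths and the minimal openssl.cnf are constructed for the demonstration), then runs `openssl verify -crl_check` three ways: with no CRL supplied (reproducing the message from the question), with the CRL supplied via `-CRLfile` (OK), and again after revoking the leaf (certificate revoked).

```shell
#!/bin/sh
# Added example (not the poster's code): build a throwaway signing CA, a leaf
# certificate and a CRL with OpenSSL, then run "openssl verify -crl_check"
# with and without the CRL supplied, and again after revoking the leaf.
# All names and paths below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/ca.cnf"

# Minimal openssl.cnf for "openssl req" and "openssl ca" (assumed layout).
write_config() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 30
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA, one leaf certificate issued by it, and an (empty) CRL.
setup_pki() {
    write_config
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -days 30 \
        -subj "/CN=Demo Signing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
        -subj "/CN=demo-signer" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Revoke the leaf and reissue the CRL so it now lists the leaf's serial.
revoke_leaf() {
    openssl ca -config "$CNF" -revoke "$WORK/leaf.crt" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Prints the verifier's verdict. "no_crl" asks for CRL checking without telling
# OpenSSL where any CRL is; "with_crl" hands it the issuer's CRL explicitly.
verify_leaf() {
    case "$1" in
        no_crl)   openssl verify -crl_check -CAfile "$WORK/ca.crt" \
                      "$WORK/leaf.crt" 2>&1 || true ;;
        with_crl) openssl verify -crl_check -CAfile "$WORK/ca.crt" \
                      -CRLfile "$WORK/ca.crl" "$WORK/leaf.crt" 2>&1 || true ;;
    esac
}

setup_pki
echo "--- CRL checking requested, no CRL supplied:"; verify_leaf no_crl
echo "--- CRL supplied, nothing revoked:";            verify_leaf with_crl
revoke_leaf
echo "--- CRL supplied, leaf revoked:";               verify_leaf with_crl
```

Running the same `openssl verify -crl_check -CAfile ... -CRLfile ...` line against the real certificate and CRL files is a quick way to separate the two failure modes: if it only succeeds when `-CRLfile` is given, the CRLs themselves are sound and the remaining problem is purely which location the chain builder in the container consults for them.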