I have a few self-signed certificates that are accompanied with crl files. In my docker file I copy those certificates like this:

COPY Certificates /usr/local/share/ca-certificates/
RUN update-ca-certificates

The base image is for now still the SDK, but it has to be the ASP.NET runtime eventually. I use the SDK for now because I use PowerShell in the container (which I am working on removing), but it starts the webapi server and the code that causes the issues when the certificates are validated.

# Use the .NET runtime image as the base image
FROM mcr.microsoft.com/dotnet/sdk:8.0
#FROM mcr.microsoft.com/dotnet/aspnet:8.0

Note the certificates are not used for HTTPS but for digital signing & verification. I am using HTTP to communicate to the webapi.

The problem is that there are also CRL files, and I am at a loss where I am supposed to put them. I placed them in /etc/ssl/crl. I verified that both the certificates and the CRL files are valid using OpenSSL. They are fine.

But when I run the webapi I keep getting errors that the CRL files are not found, but when I modify the code to skip the online verification of the CRLs the application works as expected.

When I add some traces to the code I get following error messages:

StatusInformation unable to get certificate CRL
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL

The code for the validation is like this:

using System;
using System.Security.Cryptography.X509Certificates;

// Chain policy: check revocation online for every certificate except the root.
X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationMode = X509RevocationMode.Online;
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.VerificationTime = DateTime.Now;
policy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);

X509Chain chain = new X509Chain();
chain.ChainPolicy = policy;

// Capture the effective policy for the log entries below.
string policyInfo = string.Empty;
if (chain.ChainPolicy != null)
{
    policyInfo = "RevocationMode: " + chain.ChainPolicy.RevocationMode + ", RevocationFlag: " + chain.ChainPolicy.RevocationFlag + ", VerificationFlags: " + chain.ChainPolicy.VerificationFlags;
}

// ignore CRLs (uncommenting the next line makes the validation succeed)
Console.WriteLine("NOT ignoring revocation lists");
//chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

// Build the chain for the certificate under test and collect every status flag.
var result = chain.Build(certificate);
if (!result)
{
    string chainErrors = string.Empty;
    if (chain.ChainStatus != null)
    {
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (!string.IsNullOrEmpty(chainErrors))
            {
                chainErrors += "\r\n";
            }
            chainErrors += status.Status.ToString() + ": " + status.StatusInformation;
        }
    }
    CertificateValidationFailedEvent.Log(certificate.Subject, policyInfo, chainErrors);
}
else
{
    CertificateValidatedEvent.Log(certificate.Subject, policyInfo);
}

So everything just seems to indicate the .NET code does not find the CRL files, but the certificates are found. I even tried embedding them in the certificate files themselves but that did not work either. If I change the code to ignore the revocation lists, then the code works. So it seems I am missing some configuration detail.

Anyone know where to put them? Can anyone tell me what I am doing wrong?

  • Please note I am not a Linux expert and new to Docker. The question is lengthy I know, but I am doing my best to describe what is going on. Commented Jul 7 at 12:17
  • Downvoting does not really help me any further. This code works perfectly outside Docker. But then the certificate installation process is on Windows, which is totally different (certutil). I just don't know enough about Linux and Docker. BTW the certificates are in PEM format. Commented Jul 7 at 12:40
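The errors quoted above (RevocationStatusUnknown and OfflineRevocation with "unable to get certificate CRL") say that the chain engine could not obtain a CRL, not that the certificate is revoked or that the chain itself is bad. With RevocationMode.Online, the .NET chain engine on Linux retrieves the CRL from the CRL Distribution Point URL embedded in the certificate, so the first thing to check is which URL each certificate actually advertises. The following C# is an added diagnostic, not code from the question: `CrlDiagnostics`, `CrlDistributionPointUrls` and `Classify` are names chosen here, it assumes .NET 8 with `System.Formats.Asn1` available, and the ASN.1 layout it walks is the CRLDistributionPoints extension of RFC 5280 section 4.2.1.13. `Classify` reuses the question's own policy settings and separates a failed CRL lookup from a real revocation or an untrusted chain, so the application can fail closed for the right reason.

```csharp
// Added diagnostic example (not part of the question). Assumes .NET 8 and a PEM
// certificate path on the command line; names below are chosen for this example.
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

static class CrlDiagnostics
{
    // id-ce-cRLDistributionPoints (RFC 5280 4.2.1.13)
    const string CrlDistributionPointsOid = "2.5.29.31";

    // Returns every URI-form distribution point in the certificate. With
    // RevocationMode.Online these are the locations the chain engine fetches from;
    // a CRL copied into the image is only used if a distribution point refers to it.
    public static List<string> CrlDistributionPointUrls(X509Certificate2 cert)
    {
        var urls = new List<string>();
        X509Extension? ext = cert.Extensions[CrlDistributionPointsOid];
        if (ext is null) return urls;

        var ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0);
        var ctx6 = new Asn1Tag(TagClass.ContextSpecific, 6); // GeneralName.uniformResourceIdentifier

        // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
        AsnReader points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        while (points.HasData)
        {
            // DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
            AsnReader dp = points.ReadSequence();
            if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(ctx0)) continue;

            // [0] is EXPLICIT here, so it wraps the DistributionPointName CHOICE.
            AsnReader dpName = dp.ReadSequence(ctx0);
            // DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] ... }
            if (!dpName.HasData || !dpName.PeekTag().HasSameClassAndValue(ctx0)) continue;

            // fullName is IMPLICIT over SEQUENCE OF GeneralName.
            AsnReader generalNames = dpName.ReadSequence(ctx0);
            while (generalNames.HasData)
            {
                if (generalNames.PeekTag().HasSameClassAndValue(ctx6))
                    urls.Add(generalNames.ReadCharacterString(UniversalTagNumber.IA5String, ctx6));
                else
                    generalNames.ReadEncodedValue(); // skip dNSName, directoryName, etc.
            }
        }
        return urls;
    }

    public enum RevocationOutcome { Valid, Revoked, RevocationUnavailable, ChainInvalid }

    // Builds the chain with the same policy as the question and tells apart
    // "CRL could not be fetched" from "revoked" and from "chain itself is untrusted".
    public static RevocationOutcome Classify(X509Certificate2 cert, out string detail)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromMinutes(1);

        bool ok = chain.Build(cert);

        X509ChainStatusFlags all = X509ChainStatusFlags.NoError;
        var lines = new List<string>();
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            all |= s.Status;
            lines.Add($"{s.Status}: {s.StatusInformation.Trim()}");
        }
        detail = string.Join(Environment.NewLine, lines);

        if (ok) return RevocationOutcome.Valid;
        if (all.HasFlag(X509ChainStatusFlags.Revoked)) return RevocationOutcome.Revoked;

        // If the only failure flags are the two "could not check" flags, the chain is
        // otherwise fine and the problem is purely the CRL lookup.
        const X509ChainStatusFlags lookupOnly =
            X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        if ((all & ~lookupOnly) == X509ChainStatusFlags.NoError)
            return RevocationOutcome.RevocationUnavailable;

        return RevocationOutcome.ChainInvalid;
    }

    public static void Main(string[] args)
    {
        // The question states the certificates are PEM files.
        using var cert = X509Certificate2.CreateFromPemFile(args[0]);
        foreach (string url in CrlDistributionPointUrls(cert))
            Console.WriteLine($"CDP: {url}");

        RevocationOutcome outcome = Classify(cert, out string detail);
        Console.WriteLine($"{outcome}{Environment.NewLine}{detail}");
    }
}
```

Run it inside the container against each certificate in the chain: if the printed CDP is an HTTP URL that the container cannot reach, or a file: or LDAP location that does not exist in the image, the RevocationUnavailable outcome is expected and explains the two status flags from the question. A result of ChainInvalid instead points at trust (for example the self-signed root not being picked up by update-ca-certificates) rather than at the CRL files.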
