
I have a certificate that does not have an OCSP responder URL and has 3 CRL endpoints configured. The first URL only works from within my corporate network; the second and third can be accessed from outside.

The issue is that when I do a chain.Build() on my certificate in a .NET Core 3.1 service, running on an Alpine base image in an AKS cluster, it returns false with the chain element's status as "Unable to get certificate CRL". Since my pods are not on corpNet anyway, I would expect the chain.Build() to somehow do a round-robin on the endpoints, but I am not sure how it actually works.

Is there a way we can hit the other endpoints and get the CRLs?

Jim

1 Answer


No, the Linux implementation of X509Chain only tries the first HTTP endpoint for a CRL distribution point.

https://github.com/dotnet/runtime/blob/a24db1ceb73e436eab32da43ae069832a04ce3dd/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CrlCache.cs#L48-L68

bartonjs
  • Thank you @bartonjs, I am wondering what is the right way to implement the check then? Or should I stop checking the CRL? – Jim Sep 02 '20 at 19:41
  • @Jim If you control the CA, removing the internal-only URL would help. If not, your next best bet is to open an issue at https://github.com/dotnet/runtime/issues to get this changed in a future version of .NET. – bartonjs Sep 03 '20 at 16:26
  • For those using k8s, who can't get the CA cert edited, a sidecar proxy worked for me: https://stackoverflow.com/a/70148391 – user326608 Nov 28 '21 at 23:37
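Added example (not code from the question, the answer, or the dotnet/runtime project), written in Python to illustrate the format and the fallback logic the asker expected of chain.Build(): it walks the DER of the CRL Distribution Points extension, collects every URI in certificate order, and tries each HTTP(S) endpoint until one answers, rather than stopping at the first as the Linux X509Chain does. The extension bytes, host names and the offline `fetch` callback used in the test are constructed; a real caller would pass a thin wrapper around `urllib.request.urlopen` with a timeout, and must still verify the downloaded CRL's signature against the issuer before relying on it.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                       # (tag, value) of each element inside a constructed value
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def crl_urls(ext_value):
    """All URIs in a DER CRLDistributionPoints extension value (RFC 5280 4.2.1.13), in certificate order."""
    urls = []
    _, dps, _ = _read_tlv(ext_value, 0)                  # SEQUENCE OF DistributionPoint
    for _, dp in _children(dps):
        for tag, dp_name in _children(dp):
            if tag != 0xA0:                              # only [0] distributionPoint carries names
                continue
            for name_tag, names in _children(dp_name):
                if name_tag != 0xA0:                     # [0] fullName; nameRelativeToCRLIssuer has no URL
                    continue
                for gn_tag, gn in _children(names):
                    if gn_tag == 0x86:                   # GeneralName [6] uniformResourceIdentifier
                        urls.append(gn.decode("ascii"))
    return urls

def fetch_crl(urls, fetch):
    """Try every HTTP(S) distribution point in order; return (url, der) from the first fetch that succeeds.
    fetch(url) -> bytes is injected so this runs offline; it must raise OSError on failure (URLError does)."""
    failures = {}
    for url in (u for u in urls if u.lower().startswith(("http://", "https://"))):
        try:
            return url, fetch(url)
        except OSError as exc:
            failures[url] = str(exc)
    raise RuntimeError(f"no CRL distribution point reachable: {failures}")

# Minimal short-form DER encoder, enough to build the constructed sample below (bodies under 128 bytes).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _dp(url):                              # DistributionPoint { [0] { [0] fullName { [6] uri } } }
    return _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, url.encode("ascii")))))
# Constructed sample mirroring the question: one corp-only endpoint first, two public ones after it.
SAMPLE_CRL_DP_EXTENSION = _tlv(0x30, b"".join(_dp(u) for u in (
    "http://crl.corp.example/int.crl", "http://crl1.example.com/int.crl", "http://crl2.example.com/int.crl")))
```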