


I am trying to validate a client certificate using HttpClientHandler.ServerCertificateCustomValidationCallback. I have built my x509chain with my ChainPolicy parameters.


I have my CRL (.pem) file locally and I would like to add it to the revocation process.


I was thinking of doing something like CRL validation, importing into my X509Certificate an X509Extension with a distributionPoint oid, but I have trouble understanding it.


Here is a piece of my callback code:

private static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> BuildCallback() // method name assumed; the original omits it
{
    return (sender, cert, chain, sslPolicyErrors) =>
    {
        try
        {
            X509Certificate2 ca = new X509Certificate2(@"pathToCa\ca.crt"); // loaded, but not used by the chain below

            X509Chain chai = new X509Chain();
            chai.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chai.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chai.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags; // AllFlags makes Build ignore most chain errors
            chai.ChainPolicy.VerificationTime = DateTime.Now;

            if (!chai.Build(cert))
                return false;

            foreach (X509ChainStatus status in chai.ChainStatus)
            {
                if (status.Status == X509ChainStatusFlags.UntrustedRoot) continue;
                if (status.Status == X509ChainStatusFlags.OfflineRevocation) continue;
                if (status.Status == X509ChainStatusFlags.RevocationStatusUnknown) continue;
                return false;
            }
        }
        catch (Exception)
        {
            throw; // rethrow without losing the stack trace
        }

        return true;
    };
}


Thanks for your help and clarification.



If you want to host your own CRL, you will need a server set up somewhere, so it can host your CRL just like an HTML page.


So, for example, if you are using OpenSSL or preferably LibreSSL to create your own certs, in your config file you will add the following:

crlDistributionPoints  = URI:http://myserver.com/mycert.crl
nsCaRevocationUrl =  http://myserver.com/mycert.crl


(You could try using absolute paths to the keys above, but I am not sure that would work, if it does let me know)


There are several tutorials to help get this set up, https://jamielinux.com/docs/openssl-certificate-authority/ is pretty good and detailed.


While doing this myself, I found that when you call build chain, the .NET framework checks the chain, so you should not need to add any extra code to ensure that it checks the CRL, as this happens automatically. (You can check that the CRL is being fetched by checking your server log files.)


You can test this by adding your own cert to your CRL, and you should find that you get




06-29 10:37
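As an added example (not code from the question or the answer), here is a callback that trusts only the local CA, lets .NET fetch the CRL named in the certificate's crlDistributionPoints extension as the answer describes, and fails closed when revocation status cannot be determined. The CA path and the class and method names are assumptions, and CustomRootTrust requires .NET 5 or later.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CrlAwareHandler
{
    // Assumed location of the issuing CA certificate; adjust for your deployment.
    private const string CaPath = @"pathToCa\ca.crt";

    public static HttpClientHandler Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = Validate;
        return handler;
    }

    // Returns true only when the presented certificate chains to our CA and
    // the CRL lookup reports no problem (a lookup that cannot complete fails).
    private static bool Validate(HttpRequestMessage request, X509Certificate2 cert,
                                 X509Chain ignoredChain, SslPolicyErrors errors)
    {
        if (cert == null) return false;

        using var ca = new X509Certificate2(CaPath);
        using var chain = new X509Chain();

        // Trust only our own CA instead of the machine's root store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);

        // Online mode fetches the CRL from the URI in the certificate's
        // crlDistributionPoints extension; the root itself is not checked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

        if (chain.Build(cert)) return true;

        // Build returns false for Revoked, RevocationStatusUnknown and
        // OfflineRevocation alike, so an unreachable CRL server is rejected.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.Error.WriteLine($"chain: {status.Status} - {status.StatusInformation}");
        }
        return false;
    }
}
```

By contrast, the `continue` on OfflineRevocation and RevocationStatusUnknown in the question's callback means a certificate whose CRL cannot be fetched passes validation silently.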