Certificate Revocation Check for D17


Salike Hassan

Sep 29, 2017, 1:36:37 AM
to Direct Certificate Discovery Tool
Hi,
How do I implement the certificate revocation check? I tried to implement the feature using the code below, but it's not working; it always returns false for D17.

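using System;
using System.Security.Cryptography.X509Certificates;

var chain = new X509Chain();
// Check revocation online for every certificate in the chain.
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
// TimeSpan(long) counts 100 ns ticks, so new TimeSpan(1000) is 0.1 ms; 1000 ms is assumed to be the intent.
chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1000);
chain.ChainPolicy.VerificationTime = DateTime.Now;
var elementValid = chain.Build(x509certificate);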

Best Regards,
Salike Hassan

Joe Shook

Sep 29, 2017, 5:24:05 PM
to Direct Certificate Discovery Tool Google Group
Seems you are using C#.

Using only the .NET APIs, you will have to add the partner anchor to one of your trusted certificate stores in Windows.

I discussed it here: http://wiki.directproject.org/Enable+CRL+support. Long story short, the APIs you are calling involve Windows security, and it does not trust the partner anchor enough to call out to the CRL URL.

If you are running Windows 2012 R2 or newer, you can look at the .NET RI recent changes that involve calling native methods from crypt32.dll and kernel32.dll.




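A diagnostic sketch for the situation discussed above, added here as an example and not code from either poster or from the Direct Project .NET RI: when chain.Build returns false, the ChainStatus flags show whether the cause is an untrusted anchor, a revoked certificate, or a CRL that could not be retrieved. The RevocationDiagnostics class, the Diagnose method, the 10-second timeout and the self-signed sample certificate are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class RevocationDiagnostics   // hypothetical name, not part of the .NET RI
{
    // Flags meaning the chain does not end in an anchor the platform trusts.
    const X509ChainStatusFlags TrustFailure =
        X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain;
    // Flags meaning no usable revocation answer was obtained.
    const X509ChainStatusFlags RevocationUnknown =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static string Diagnose(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10); // assumed value
            if (chain.Build(cert)) return "valid: trusted and not revoked";

            // Merge the chain's status entries into one flags value.
            var flags = chain.ChainStatus.Aggregate(
                X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
            // Report a definite revocation first, then trust problems, because an
            // untrusted anchor can also leave the revocation status unknown.
            if ((flags & X509ChainStatusFlags.Revoked) != 0) return "revoked: " + flags;
            if ((flags & TrustFailure) != 0) return "anchor not trusted: " + flags;
            if ((flags & RevocationUnknown) != 0) return "revocation status unknown: " + flags;
            return "other failure: " + flags;
        }
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate that chains to
        // no trusted anchor, standing in for a partner certificate.
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-example", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddDays(30)))
                Console.WriteLine(Diagnose(cert));
        }
    }
}
```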

Salike Hassan

Oct 3, 2017, 2:13:06 AM
to directt...@googlegroups.com
Hello Joe,

Yes I was missing the cert setup, now it's working fine.


Salike Hassan

Oct 3, 2017, 2:15:05 AM
to directt...@googlegroups.com
Hello Joe,

Thanks a lot for your response. Yes, I was missing the cert setup; now it's working fine.
Can you please clarify, for the D5 discovery, is the system required not to select any certificate?

Best Regards,


Salike Hassan

Oct 3, 2017, 2:15:42 AM
to directt...@googlegroups.com
Hello Joe,

Thanks a lot for your response. Yes, I was missing the cert setup; now it's working fine.

Can you please clarify, for the D5 discovery, is the system required not to select any certificate?

Best Regards,
Salike Hassan


Joe Shook

Oct 5, 2017, 10:01:42 PM
to Direct Certificate Discovery Tool Google Group
I can see why you might be confused on this test. It appears the description is a bit confusing. But yes, your code will discover an address certificate. But the certificate will be invalid and you should not send a message. I notice there are also two domain certificates. The test is trying to prove that you do not fail over to a good domain certificate and still send the message.



Salike Hassan

Oct 6, 2017, 6:40:31 AM
to directt...@googlegroups.com
Thanks a lot, Joe. Now this test case is working as per the expectation.
