Problem: CertVerifyRevocation returns error CRYPT_E_REVOCATION_OFFLINE

I want to verify the validity of a certificate with CertVerifyRevocation(), but for a certain Smart Card with one of our customers it returns CRYPT_E_REVOCATION_OFFLINE. It works with many other Smart Cards and the obvious conclusion is of course that the Revocation store IS offline – but this smart card can be used to log in to Windows without any error.

I have successfully created a certificate chain and verified intended key usage and validity time etc.


Solution: CertVerifyRevocation returns error CRYPT_E_REVOCATION_OFFLINE

No, it means there was a problem checking the online CRL or OCSP response. I would not recommend ignoring it in most cases unless you know the CRL to be offline. You may consider using SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as this will reduce that from the root cert as there is not a CRL that can revoke a root CA, even if one is specified it would be invalid in a technical sense, so it is not normally specified.

Read this – it gets relevant after the big code sample box and just ignore that the article has to do with Identrus stuff – they do things a little differently but the code discussion is pretty much universal:
http://msdn.microsoft.com/en-us/library/ms995348.aspx

A little more reference
http://msdn.microsoft.com/en-us/library/aa379810(VS.85).aspx

For error logging, maybe this one could take a higher debug level to enable logging this error if you get into logging debug stuff that far, but I would not completely ignore it.
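
The advice above, as an added example that is not code from either poster: it builds the chain with CertGetCertificateChain and CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (assumed here to be the CryptoAPI chain-engine counterpart of the Schannel flag named in the answer) and reports "offline" separately from "revoked" so it can be logged rather than ignored. The names `rev_result`, `classify_revocation` and `check_chain` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>  /* link with crypt32.lib */
#else  /* wincrypt.h values, so the decision logic also builds off Windows */
#define CERT_TRUST_IS_REVOKED                0x00000004
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000
#endif

/* Ordered by severity so the worst element of a chain can be kept with ">". */
typedef enum { REV_GOOD, REV_UNKNOWN, REV_OFFLINE, REV_REVOKED } rev_result;

/* Map one chain element's TrustStatus.dwErrorStatus to a result. */
rev_result classify_revocation(uint32_t err)
{
    if (err & CERT_TRUST_IS_REVOKED)                return REV_REVOKED;
    if (err & CERT_TRUST_IS_OFFLINE_REVOCATION)     return REV_OFFLINE;
    if (err & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) return REV_UNKNOWN;
    return REV_GOOD;
}

#ifdef _WIN32
/* Build the chain with revocation checked on every cert except the root and
   report which element could not be checked. Hypothetical helper name. */
rev_result check_chain(PCCERT_CONTEXT cert)
{
    CERT_CHAIN_PARA para = { sizeof(para) };
    PCCERT_CHAIN_CONTEXT chain = NULL;
    rev_result worst;
    if (!CertGetCertificateChain(NULL, cert, NULL, cert->hCertStore, &para,
            CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &chain))
        return REV_UNKNOWN;          /* no chain at all: never treat as good */
    worst = chain->cChain ? REV_GOOD : REV_UNKNOWN;
    for (DWORD i = 0; chain->cChain > 0 && i < chain->rgpChain[0]->cElement; i++) {
        rev_result r = classify_revocation(
            chain->rgpChain[0]->rgpElement[i]->TrustStatus.dwErrorStatus);
        printf("chain element %lu: %d\n", (unsigned long)i, (int)r);
        if (r > worst) worst = r;
    }
    CertFreeCertificateChain(chain);
    return worst;
}
#endif

int main(void)
{   /* constructed status word: offline + status-unknown bits */
    return classify_revocation(0x01000040) == REV_OFFLINE ? 0 : 1;
}
```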