I have a few self-signed certificates that are accompanied by CRL files.
In my Dockerfile I copy those certificates like this:
COPY Certificates /usr/local/share/ca-certificates/
RUN update-ca-certificates
This last command simply creates symbolic links to the certificates, as seems to be proven by doing this:
root@hask8s:/etc/ssl/certs# ls -l chi*
lrwxrwxrwx 1 root root 51 Jul 5 11:36 chipsoft-im-ca.pem -> /usr/local/share/ca-certificates/chipsoft-im-ca.crt
lrwxrwxrwx 1 root root 52 Jul 5 11:36 chipsoft-im-dev.pem -> /usr/local/share/ca-certificates/chipsoft-im-dev.crt
lrwxrwxrwx 1 root root 55 Jul 5 11:36 chipsoft-im-mobile.pem -> /usr/local/share/ca-certificates/chipsoft-im-mobile.crt
lrwxrwxrwx 1 root root 47 Jul 5 11:36 chipsoftCA.pem -> /usr/local/share/ca-certificates/chipsoftCA.crt
The base image is for now still the SDK, but it has to be the ASP.NET runtime eventually. I use the SDK for now because I use PowerShell in the container (which I am working on removing), but it starts the Web API server.
# Use the .NET runtime image as the base image
FROM mcr.microsoft.com/dotnet/sdk:8.0
#FROM mcr.microsoft.com/dotnet/aspnet:8.0
Note that the certificates are not used for SSL but for signing.
The problem is that there are also CRL files, and I am at a loss as to where I am supposed to put them.
I placed them in /etc/ssl/crl.
I verified that both the certificates and the CRL files are valid using OpenSSL. They are fine.
But when I run the Web API I keep getting errors that the CRL files are not found, whereas when I modify the code to skip the online verification of the CRLs the application works as expected.
When I add some traces to the code I get the following error messages:
StatusInformation unable to get certificate CRL
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL
The code for the validation is like this:
// policy is an X509ChainPolicy built elsewhere (RevocationMode, RevocationFlag, VerificationFlags)
X509Chain chain = new X509Chain();
chain.ChainPolicy = policy;
string policyInfo = string.Empty;
if (chain.ChainPolicy != null)
{
    policyInfo = "RevocationMode: " + chain.ChainPolicy.RevocationMode + ", RevocationFlag: " + chain.ChainPolicy.RevocationFlag + ", VerificationFlags: " + chain.ChainPolicy.VerificationFlags;
}
//ignore crl's
Console.WriteLine("NOT ignoring revocation lists");
//chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
var result = chain.Build(certificate);
if (!result)
{
    // Collect every chain status (one per line) for the failure event
    string chainErrors = string.Empty;
    if (chain.ChainStatus != null)
    {
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (!string.IsNullOrEmpty(chainErrors))
            {
                chainErrors += "\r\n";
            }
            chainErrors += status.Status.ToString() + ": " + status.StatusInformation;
        }
    }
    CertificateValidationFailedEvent.Log(certificate.Subject, policyInfo, chainErrors);
}
else
{
    CertificateValidatedEvent.Log(certificate.Subject, policyInfo);
}
The slimmed-down traces I mentioned are just created by adding some code like this:
Console.WriteLine("<begin>");
int i = 0;
foreach (X509ChainElement element in chain.ChainElements)
{
    i++;
    Console.WriteLine($"{i})");
    Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
    Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
    Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
    Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
    foreach (var status in element.ChainElementStatus)
    {
        Console.WriteLine($" StatusInformation {status.StatusInformation}");
    }
    Console.WriteLine("Element information: {0}", element.Information);
    Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);
    if (chain.ChainStatus.Length > 1)
    {
        for (int index = 0; index < element.ChainElementStatus.Length; index++)
        {
            Console.WriteLine(element.ChainElementStatus[index].Status);
            Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
        }
    }
    Console.WriteLine($"-----------");
}
Console.WriteLine("<end>");
The complete traces are like this:
<begin>
1)
Element issuer name: CN=ChipSoft Developers
Element certificate valid until: 26-05-2033 07:48:13
Element certificate is valid: False
Element error status length: 2
StatusInformation unable to get certificate CRL
StatusInformation unable to get certificate CRL
Element information:
Number of element extensions: 5
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL
-----------
2)
Element issuer name: CN=ChipSoft HiX Application Services Trusted Parties
Element certificate valid until: 26-05-2033 07:46:16
Element certificate is valid: False
Element error status length: 2
StatusInformation unable to get certificate CRL
StatusInformation unable to get certificate CRL
Element information:
Number of element extensions: 4
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL
-----------
3)
Element issuer name: CN=ChipSoft HiX Application Services Root CA
Element certificate valid until: 18-06-2033 12:01:46
Element certificate is valid: False
Element error status length: 2
StatusInformation unable to get certificate CRL
StatusInformation unable to get certificate CRL
Element information:
Number of element extensions: 4
RevocationStatusUnknown
unable to get certificate CRL
OfflineRevocation
unable to get certificate CRL
-----------
4)
Element issuer name: CN=ChipSoft HiX Application Services Root CA
Element certificate valid until: 11-06-2038 13:27:00
Element certificate is valid: True
Element error status length: 0
Element information:
Number of element extensions: 4
-----------
<end>
So everything just seems to indicate that the .NET code does not find the CRL files.
I even tried embedding them in the certificate files themselves, but that did not work either.
Does anyone know where to put them?
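An added diagnostic that is not part of the question: on Linux, as far as I know, .NET builds the chain through OpenSSL and locates CRLs via each certificate's CRL Distribution Points extension rather than a fixed directory such as /etc/ssl/crl, so the first thing to establish is whether the certificates in the chain carry a CDP at all. The parser below reads that extension (OID 2.5.29.31) with the inbox System.Formats.Asn1 reader and returns the URIs it lists; the class and method names are mine.

```csharp
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

static class CrlDiagnostics
{
    const string CdpOid = "2.5.29.31"; // id-ce-cRLDistributionPoints (RFC 5280, 4.2.1.13)

    // Every URI in the certificate's CRL Distribution Points extension. Only
    // fullName/uniformResourceIdentifier entries are collected; an empty list
    // means the issuer published no location from which a CRL could be fetched.
    public static List<string> GetCrlDistributionPointUris(X509Certificate2 cert)
    {
        var uris = new List<string>();
        var ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0);
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value != CdpOid) continue;
            // CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
            AsnReader points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
            while (points.HasData)
            {
                AsnReader dp = points.ReadSequence();          // DistributionPoint ::= SEQUENCE
                if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(ctx0)) continue;
                AsnReader dpName = dp.ReadSequence(ctx0);      // distributionPoint [0] EXPLICIT DistributionPointName
                if (!dpName.PeekTag().HasSameClassAndValue(ctx0)) continue;
                AsnReader names = dpName.ReadSequence(ctx0);   // fullName [0] IMPLICIT GeneralNames
                while (names.HasData)
                {
                    if (names.PeekTag().HasSameClassAndValue(uriTag))
                        uris.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                    else
                        names.ReadEncodedValue();              // skip other GeneralName forms
                }
            }
        }
        return uris;
    }
}
```

Calling `CrlDiagnostics.GetCrlDistributionPointUris(element.Certificate)` inside the trace loop from the question prints the CRL locations next to each element's status, which separates "no CDP in the certificate" from "CDP present but not reachable or cached".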