Irrevocable Certificates

A certificate revocation list (CRL) is a way for an issuer to withdraw an individual certificate at any time, before its expiration date. Revocation lists complement expiration times because a certificate may be bad even when it's not particularly old, such as when someone has compromised the private key of the certificate. Control of the certificate revocation list is therefore very sensitive. You wouldn't want an attacker to be able to add or remove entries from the revocation list, as this would allow them to manipulate the set of valid certificates and prevent a compromised certificate from being detected. A certificate points to its revocation list just as it points to its issuer certificate. The whole combination is signed: the pointer lives inside the signed certificate and the list itself carries the issuer's signature, so the directions to the revocation list can't be modified and the revocation list itself can't be forged.

When you create your own certificates, though, you often aren't going to go to the trouble of setting up a revocation list for the certificates you issue. The default of WCF is to be secure, which means checking the revocation list of both the client and the service certificate. This can cause certificate validation to fail if you intend to use certificates that have no revocation list. You can disable the check of the revocation list by setting the RevocationMode to NoCheck.

 // On the ServiceHost: how to validate the certificates that clients present.
 service.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
 // On the ChannelFactory: how to validate the certificate the service presents.
 factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

Since each side validates the certificate of the opposite party, the ServiceHost is the one that carries the setting for client certificates and the ChannelFactory is the one that carries the setting for service certificates.
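The two settings above in context, as an added example that is not code from the original post. It goes one step beyond the post: before dropping to NoCheck on the client side, it looks at the expected service certificate for a CRL Distribution Points extension (OID 2.5.29.31, the standard id-ce-cRLDistributionPoints extension) and keeps the default Online check whenever the issuer actually published a revocation list. On the service side the client certificates aren't known ahead of time, so that decision is an explicit deployment flag. The IEcho contract, EchoService, RevocationSetup class and its method names are assumptions made for this example; the WCF credential and binding members are the real ones.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract, present only so there is something to host.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return text; }
}

public static class RevocationSetup
{
    // OID of the X.509 CRL Distribution Points extension (id-ce-cRLDistributionPoints).
    const string CrlDistributionPointsOid = "2.5.29.31";

    // True when the certificate tells verifiers where its issuer's CRL lives.
    public static bool HasCrlPointer(X509Certificate2 cert)
    {
        return cert.Extensions.Cast<X509Extension>()
            .Any(e => e.Oid != null && e.Oid.Value == CrlDistributionPointsOid);
    }

    // For a certificate we know ahead of time: keep the default Online check
    // whenever a CRL exists, and drop to NoCheck only when there is none to consult.
    public static X509RevocationMode ModeFor(X509Certificate2 cert)
    {
        return HasCrlPointer(cert) ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
    }

    // Service side: the host validates *client* certificates, so the setting
    // lives under Credentials.ClientCertificate. Clients aren't known in advance,
    // so whether they carry a CRL is a deployment decision passed in as a flag.
    public static ServiceHost BuildHost(Uri address, X509Certificate2 serviceCert, bool clientCertsHaveNoCrl)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(typeof(EchoService), address);
        host.AddServiceEndpoint(typeof(IEcho), binding, string.Empty);
        host.Credentials.ServiceCertificate.Certificate = serviceCert;
        host.Credentials.ClientCertificate.Authentication.RevocationMode =
            clientCertsHaveNoCrl ? X509RevocationMode.NoCheck : X509RevocationMode.Online;
        // NoCheck only skips the CRL lookup; whether the chain is trusted at all is
        // still governed by CertificateValidationMode (ChainTrust by default).
        return host;
    }

    // Client side: the factory validates the *service* certificate, so the setting
    // lives under Credentials.ServiceCertificate. The expected certificate is known
    // here, so the revocation mode can be derived from it.
    public static ChannelFactory<IEcho> BuildFactory(Uri address, X509Certificate2 clientCert, X509Certificate2 expectedServiceCert)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Identity the client expects the service to prove; taken from the known cert.
        var identity = EndpointIdentity.CreateDnsIdentity(
            expectedServiceCert.GetNameInfo(X509NameType.SimpleName, false));
        var factory = new ChannelFactory<IEcho>(binding, new EndpointAddress(address, identity));

        factory.Credentials.ClientCertificate.Certificate = clientCert;
        factory.Credentials.ServiceCertificate.DefaultCertificate = expectedServiceCert;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = ModeFor(expectedServiceCert);
        return factory;
    }
}
```

The point of ModeFor is that NoCheck is a downgrade, not a default: a certificate that advertises a CRL Distribution Point is one whose issuer can actually revoke it, and that is exactly the case where skipping the lookup would hide a compromised key. Reserve NoCheck for the self-issued certificates the post describes, where no list exists to check.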

Next time: Subqueues