Also, to answer your other questions and suggestions:
- Yes, we can assume the certificate is good.
- On Windows, we validate certificates through .NET's X509Certificate2/X509Store objects, which use Windows CryptoAPI.
- The user was able to invoke the validation, which indicates that he has access to Windows CryptoAPI.
- No special permissions should be required to perform revocation checks, and administrator privileges are definitely not needed for this.
- To learn more about Windows CRL infrastructure, check out
https://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx
- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is for private keys, not CRLs.
(check the previous article for details in CRL storage)
- Check out
http://blogs.interfacett.com/how-to-examine-any-certificate-revocation-list-in-windows-with-certutil for information on using the certutil utility to display revocation info.
However, before trying to delve deep into this, please just try running the certutil utility (as described above). It will tell you exactly where the problem is.
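As an added illustration of the checks described in this reply (this is not the poster's code or the product's validation code): a PowerShell script that performs the same X509Chain build the .NET objects do, once with revocation checking in Online mode and once in Offline mode, and then runs certutil -verify -urlfetch on the same file. Running both modes separates a CRL download problem (proxy, firewall, timeout) from a missing or stale cached CRL. The certificate path C:\temp\server.cer, the 15-second URL retrieval timeout and the function name Test-CertRevocation are assumptions made for the example.

```powershell
# Added diagnostic for the revocation-check failure discussed above; not the
# poster's code. Assumes the certificate to test is in a DER/PEM file whose
# path is passed in (C:\temp\server.cer below is a hypothetical path).
using namespace System.Security.Cryptography.X509Certificates

function Test-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        # Online: fetch CRL/OCSP from the CDP/AIA URLs over the network.
        # Offline: use only the CRLs CryptoAPI already has cached on disk.
        [X509RevocationMode]$Mode = [X509RevocationMode]::Online
    )

    $cert  = [X509Certificate2]::new($CertPath)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = $Mode
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)   # assumed value
    $chain.ChainPolicy.VerificationFlags   = [X509VerificationFlags]::NoFlag

    # Build() returns $false if any element fails policy; the reasons are in
    # ChainStatus (overall) and ChainElementStatus (per certificate).
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Mode        = $Mode
        ChainValid  = $built
        ChainStatus = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
        Elements    = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject = $_.Certificate.Subject
                Status  = (@($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
            }
        })
    }
}

$certFile = 'C:\temp\server.cer'   # hypothetical path

# 1. Online check: downloads CRLs / OCSP responses from the CDP/AIA URLs.
$online  = Test-CertRevocation -CertPath $certFile -Mode Online
# 2. Offline check: only the CRLs CryptoAPI already has cached.
$offline = Test-CertRevocation -CertPath $certFile -Mode Offline

$online, $offline | Format-List

# RevocationStatusUnknown / OfflineRevocation in the Online run while the
# Offline run is clean points at the CRL download path rather than at the
# certificate itself; both runs failing means no usable CRL is cached and
# none could be fetched.

# 3. The same chain build done by certutil, which prints every CDP/AIA URL it
#    tries and why each fetch failed (the certutil step recommended above).
certutil -verify -urlfetch $certFile
```

Run it from the same user account that hit the failure, since CryptoAPI keeps its CRL/URL cache per user; running it as an administrator or another account would test a different cache.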