When you verify a certificate using cert.Verify(), it relies on Windows' system-level certificate chain (X509Chain) to perform revocation checks (CRL or OCSP). This check tries to download the Certificate Revocation List (CRL) from the internet.
However, if your app is running behind a proxy (such as inside a Docker container), the Windows API performing the revocation check does not automatically use the proxy settings configured in your app. As a result, it cannot reach the revocation server, causing the error "revocation server is offline."
To fix this, you need to configure the proxy for Windows HTTP services inside your Windows Docker container using the following command:
netsh winhttp set proxy <proxy-address:port>
This command sets the system-wide proxy for WinHTTP, which is used by Windows API calls like certificate revocation checks. Once this is configured, the revocation checks should work correctly behind the proxy.
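cert.Verify() only returns true or false, so the following added example (not part of the original answer) builds the X509Chain explicitly and prints the per-certificate status flags. This separates an unreachable revocation server from a certificate that is actually revoked, while keeping the revocation check enabled. The class name RevocationCheck and the certificate path passed on the command line are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class RevocationCheck   // hypothetical name for this added example
{
    // "Status could not be determined" flags, as opposed to Revoked.
    const X509ChainStatusFlags Unreachable =
        X509ChainStatusFlags.OfflineRevocation | X509ChainStatusFlags.RevocationStatusUnknown;

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: RevocationCheck <certificate file>");
            return 2;
        }

        using var cert = new X509Certificate2(args[0]);   // path supplied by the caller
        using var chain = new X509Chain();

        // Same revocation policy as the X509ChainPolicy defaults: online check, root excluded.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        bool valid = chain.Build(cert);

        // Print every status per chain element so the failing certificate is visible.
        foreach (X509ChainElement element in chain.ChainElements)
            foreach (X509ChainStatus s in element.ChainElementStatus)
                Console.WriteLine($"{element.Certificate.Subject}: {s.Status} - {s.StatusInformation.Trim()}");

        X509ChainStatusFlags all = chain.ChainStatus.Aggregate(
            X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);

        if (valid) { Console.WriteLine("Chain valid, revocation checked."); return 0; }
        if ((all & X509ChainStatusFlags.Revoked) != 0)
        {
            Console.WriteLine("A certificate in the chain is revoked.");
            return 1;
        }
        if ((all & Unreachable) != 0)
        {
            Console.WriteLine("Revocation endpoint unreachable: check 'netsh winhttp show proxy'.");
            return 3;
        }
        Console.WriteLine($"Chain failed for another reason: {all}");
        return 1;
    }
}
```

Run it inside the container before and after setting the WinHTTP proxy: exit code 3 with OfflineRevocation or RevocationStatusUnknown points at the proxy path, while Revoked is a genuine revocation result that the proxy change will not alter.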