Windows nuget.exe NU3018 RevocationStatusUnknown

[mwpowellhtx]

Overall, need to know the guidance for operating against self hosted Certificate Authority (CA), root and intermediate certs, for purposes of signing our packages.

Running against the latest nuget.exe at the time of this writing, trying to sign a NuGet package. Names and passwords and such obfuscated for purposes of this question, but I attempt the following. Key highlights, trying to certify against the exported PFX from my internal CA manager. Yes, the algo is SHA512, AFAIK.

D:\Source\myproject\working\src\myproject> nuget sign bin\Release\myproject.1.0.0.nupkg -CertificatePath ..\..\..\myorg.pfx -HashAlgorithm SHA512 -Timestamper http://timestamp.digicert.com

The package is being signed, apparently, excepting for the NU3018 warning.

WARNING: NU3018: RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.

We are using XCA, for instance, to run our CA internally. For my own edification, what specs should I relay to signing? And/or how should we best specify our certs, SHA, etc? We have control over many of the parameters contributing to a cert, the only question is how is NuGet opinionated over what those parameters should be.

Perhaps also clarifying the commentary warning:

NuGet.org does not accept packages signed with self-issued certificates.

Of course we want to do more than a test certificate. This is heading into production, distribution. Are we even able to self certify?

Similar in nature, I think, to the ubuntu-linux question presented along similar lines.