CertGetCertificateChain() - CERT_TRUST_HAS_PREFERRED_ISSUER

From: Michael Virgil (mvirgil_at_nortelnetworks.com)
Date: 09/09/03

Date: Tue, 9 Sep 2003 12:34:02 -0700

Baffled...

Using the same X.509 certificate and calling
CertGetCertificateChain() to perform the CRL check, I get
different results on three different systems, Windows/XP
and Windows/2000. On one Windows/2000 system, the
certificate CRL check passes. On the other 2, a Windows/XP
and a Windows/2000 system the call fails with the
following:

TrustStatus.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
TrustStatus.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER

It is a standalone CA that is on the same network.

My assumption is that the problem is environmental, but
for the life of me can't find it. The server X.509
certificate is not installed on the system, but passed to
the client application from the server application for
verification, mutual authentication of the client and
server. The ROOT CA Certificate is installed on all these
client systems. All certificates are issued by the same
Microsoft stand-alone CA.

The call to CertGetCertificateChain() to perform the CRL
check uses the default Certificate Chain Engine for CRL
checking. No enhanced key usage is checked. The following
flags are used:

CERT_CHAIN_REVOCATION_CHECK_CHAIN |
CERT_CHAIN_REVOCATION_CHECK_END_CERT |
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;

The other interesting thing is that I dumped the CRL chain
to look at it, and the log shows only one chain with 2
elements: the server's certificate and the signing CA
certificate.

The status from the CRL chain:

The server certificate element:
 - TrustStatus: 0
 - InfoStatus: 257 (or 0x0101) UNKNOWN

The CA certificate element:
 - TrustStatus: 32 - The certificate or certificate chain
is based on an untrusted root.
 - InfoStatus: 268 (or 0x010C) UNKNOWN

I couldn't find either of these in WinCrypt.h. What do
these mean? And why is the CA certificate an untrusted
root?

Any ideas or helpful hints would be greatly appreciated.

Thanks,
Michael
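An added example, not part of the post and not Microsoft code: a small decoder for the dwErrorStatus / dwInfoStatus masks of CERT_TRUST_STATUS, with the CERT_TRUST_* bit values copied from wincrypt.h, applied to the raw numbers quoted above. It redefines the constants locally so it builds without the Windows SDK; the flag tables are deliberately partial, and any bit they do not name is returned so it is not silently dropped.

```c
#include <stdio.h>
#include <string.h>
/* Bit values copied from wincrypt.h (CERT_TRUST_STATUS), redefined here so the
 * decoder builds without the Windows SDK; the tables are not exhaustive. */
typedef struct { unsigned long bit; const char *name; } flag_t;
static const flag_t error_flags[] = {
    { 0x00000001, "CERT_TRUST_IS_NOT_TIME_VALID" },
    { 0x00000004, "CERT_TRUST_IS_REVOKED" },
    { 0x00000008, "CERT_TRUST_IS_NOT_SIGNATURE_VALID" },
    { 0x00000020, "CERT_TRUST_IS_UNTRUSTED_ROOT" },
    { 0x00000040, "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" },
    { 0x00010000, "CERT_TRUST_IS_PARTIAL_CHAIN" },
    { 0x01000000, "CERT_TRUST_IS_OFFLINE_REVOCATION" },
};
static const flag_t info_flags[] = {
    { 0x00000001, "CERT_TRUST_HAS_EXACT_MATCH_ISSUER" },
    { 0x00000002, "CERT_TRUST_HAS_KEY_MATCH_ISSUER" },
    { 0x00000004, "CERT_TRUST_HAS_NAME_MATCH_ISSUER" },
    { 0x00000008, "CERT_TRUST_IS_SELF_SIGNED" },
    { 0x00000100, "CERT_TRUST_HAS_PREFERRED_ISSUER" },
    { 0x00010000, "CERT_TRUST_IS_COMPLEX_CHAIN" },
};
/* Write the names of the set bits (joined by " | ") into out; return the bits
 * the table does not name, so an unknown value is reported, not hidden. */
static unsigned long decode_bits(unsigned long v, const flag_t *t, size_t n,
                                 char *out, size_t outsz)
{
    size_t i;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        if (v & t[i].bit) {
            if (out[0]) strncat(out, " | ", outsz - strlen(out) - 1);
            strncat(out, t[i].name, outsz - strlen(out) - 1);
            v &= ~t[i].bit;
        }
    }
    return v;
}
unsigned long decode_error_status(unsigned long v, char *out, size_t n)
{ return decode_bits(v, error_flags, sizeof error_flags / sizeof *error_flags, out, n); }
unsigned long decode_info_status(unsigned long v, char *out, size_t n)
{ return decode_bits(v, info_flags, sizeof info_flags / sizeof *info_flags, out, n); }
int main(void)
{
    char buf[256];   /* values quoted in the post: CA element 32 / 0x10C, server 0 / 0x101 */
    decode_error_status(32, buf, sizeof buf);   printf("CA error: %s\n", buf);
    decode_info_status(0x10C, buf, sizeof buf); printf("CA info:  %s\n", buf);
    decode_info_status(0x101, buf, sizeof buf); printf("EE info:  %s\n", buf);
    return 0;
}
```

Decoded this way, 0x010C on the CA element includes CERT_TRUST_IS_SELF_SIGNED, so the second chain element is the root certificate itself, and dwErrorStatus 32 (CERT_TRUST_IS_UNTRUSTED_ROOT) is the engine reporting that this particular root was not found in a trusted root store on the failing machines.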
