Re: What does CERT_TRUST_IS_OFFLINE_REVOCATION mean? (Windows Server 2003)
From: Sam Wilson (sam.wilson_at_bentley.com)
Date: 09/30/03
- Next message: David Cross [MS]: "Re: AT_SIGNATURE"
- Previous message: Oliver Young: "PCCERT_CONTEXT"
- In reply to: Sergio Dutra [MS]: "Re: What does CERT_TRUST_IS_OFFLINE_REVOCATION mean? (Windows Server 2003)"
- Next in thread: David Cross [MS]: "Re: What does CERT_TRUST_IS_OFFLINE_REVOCATION mean? (Windows Server 2003)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Sep 2003 08:20:39 -0400
Thanks for the explanation, but there is one part that I don't understand. CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL is documented as follows:
"Uses only cached URLs in building a certificate chain. The Internet and Intranet are not searched for URL-based objects. Note, not applicable to revocation checking. Set CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY to use only cached URLs for revocation checking."
So I would have thought that CACHE_ONLY_URL_RETRIEVAL would have no effect on CRL checking. REVOCATION_CHECK_CACHE_ONLY, by contrast, would affect CRL checking, but I'm not setting that.
?
Sam Wilson
"Sergio Dutra [MS]" <sergiod@online.microsoft.com> wrote in message news:%23nSO3MuhDHA.1200@TK2MSFTNGP09.phx.gbl...
The CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL tells the certificate verification engine to not go out of box to obtain any newer CRLs or issuer certificates. Therefore, if there is no CRL locally on the machine, or the one that is locally on the machine is expired or otherwise invalid, you will get that error.
In your user's case, if he didn't have the root installed, the certificate chain would fail to validate, and hence revocation would not be performed at all and this error would be returned. When the user installs the root certificate, the certificate chain is then valid, revocation is checked and an apparently updated CRL is found on the local machine, thus getting rid of that error.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Sam Wilson" <sam.wilson@bentley.com> wrote in message news:%23DYtffrhDHA.1932@TK2MSFTNGP11.phx.gbl...
Starting with Windows Server 2003, I am starting to see a new status flag returned by CertGetCertificateChain. It is:
CERT_TRUST_IS_OFFLINE_REVOCATION
a) What does this mean and how can I get rid of it? I call CertGetCertificateChain with the following flags: CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT|CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL
b) When my user installs the CA who issued the cert as a Trusted Root, this status flag is no longer returned. Why?
Thanks for any insights into this problem.
-------------------------------------------------
Samuel W. Wilson Bentley Systems, Inc.
sam.wilson@bentley.com www.bentley.com
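An added example, not code from this thread or from Microsoft, showing how a relying party can interpret the dwErrorStatus that CertGetCertificateChain returns: chain-building failures (untrusted root, partial chain) are separated from the offline-revocation soft failure, because the revocation bits mean nothing when the chain itself never validated. The CERT_TRUST_* bit values are copied from wincrypt.h so the program compiles without the Windows SDK; the two sample status words in main() are constructed to mirror the situations described above, not captured from a real run.

```c
#include <stdint.h>
#include <stdio.h>
/* dwErrorStatus bits, copied from wincrypt.h so this builds without the
 * Windows SDK; on Windows include <wincrypt.h> instead of redefining them. */
#define CERT_TRUST_IS_NOT_TIME_VALID          0x00000001u
#define CERT_TRUST_IS_REVOKED                 0x00000004u
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID     0x00000008u
#define CERT_TRUST_IS_UNTRUSTED_ROOT          0x00000020u
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN  0x00000040u
#define CERT_TRUST_IS_PARTIAL_CHAIN           0x00010000u
#define CERT_TRUST_IS_OFFLINE_REVOCATION      0x01000000u
typedef enum {
    CHAIN_OK,                  /* chain trusted and revocation checked */
    CHAIN_REVOKED,             /* hard fail: a certificate in the chain is revoked */
    CHAIN_UNTRUSTED,           /* hard fail: root missing or untrusted, bad signature, expired */
    CHAIN_REVOCATION_OFFLINE,  /* soft fail: chain is fine but no usable CRL was available */
    CHAIN_REVOCATION_UNKNOWN   /* revocation undetermined for some other reason */
} chain_verdict;

/* Classify pChainContext->TrustStatus.dwErrorStatus. Chain-building errors are
 * tested before the revocation bits: when the root is not trusted the engine
 * never ran revocation, so OFFLINE_REVOCATION carries no information there. */
chain_verdict classify_chain_status(uint32_t err)
{
    const uint32_t chain_bad = CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_SIGNATURE_VALID
                             | CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_PARTIAL_CHAIN;
    if (err & CERT_TRUST_IS_REVOKED)                return CHAIN_REVOKED;
    if (err & chain_bad)                            return CHAIN_UNTRUSTED;
    if (err & CERT_TRUST_IS_OFFLINE_REVOCATION)     return CHAIN_REVOCATION_OFFLINE;
    if (err & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) return CHAIN_REVOCATION_UNKNOWN;
    return CHAIN_OK;
}

/* Relying-party policy: strict mode accepts only CHAIN_OK; soft-fail mode also
 * tolerates an offline CRL, and nothing else. */
int chain_acceptable(uint32_t err, int allow_offline_revocation)
{
    chain_verdict v = classify_chain_status(err);
    return v == CHAIN_OK || (allow_offline_revocation && v == CHAIN_REVOCATION_OFFLINE);
}

int main(void)
{   /* Constructed sample status words for the two situations in the thread. */
    uint32_t no_root = CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_PARTIAL_CHAIN
                     | CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION;
    uint32_t no_crl = CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION;
    printf("root missing:  verdict=%d strict=%d\n", classify_chain_status(no_root), chain_acceptable(no_root, 0));
    printf("no cached CRL: verdict=%d soft=%d\n", classify_chain_status(no_crl), chain_acceptable(no_crl, 1));
    return 0;
}
```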