RE: CAPICOM: how to check root certificate validity and existence?

From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 11/23/04

  • Next message: Walter Poupore [MS]: "RE: digitially Sign multple files"
    Date: Tue, 23 Nov 2004 08:21:04 -0800
    
    

    The certificate (and, generally, certificates) are deemed VALID unless they
    are explicitly revoked via a CRL list. If no CRL revoked the (now non-existent)
    CA's root cert then it is still valid.
    BTW this is the correct behavior. Despite the fact that the CA now doesn't
    exist, that does not make it 'untrustworthy' in the PAST. WHEN the CA existed
    you can assume it signed certs only in good faith, so any cert which was
    signed by that root cert was valid.
    The problem you may have is that this CA cannot issue CRLs any more, so you
    have no idea whether any of the certs became invalid (because of private key
    compromise). If you worry about this you just have to DELETE that root CA
    from your root cert store.

    Laszlo Elteto
    SafeNet, Inc.

    "AL" wrote:

    > Hello,
    > I'm trying to verify the validity of a Root Certificate, which almost
    > works unless... the CA does not exist any more!
    > I mean, if I have a valid Root cert in my trusted root store, I always
    > get an answer that it is valid from the following code (VB 6):
    >
    > ' VB 6 needs the " _" continuation when an expression spans two lines
    > rootCert.IsValid.CheckFlag = CAPICOM_CHECK_ONLINE_ALL Or _
    >                              CAPICOM_CHECK_TRUSTED_ROOT
    >
    > If rootCert.IsValid.Result Then
    >     ......
    >     ' always get true here
    > Else
    >     ....
    > End If
    >
    > The strange thing is I get an ok even if the CA does not exist anymore,
    > or it is not reachable by the client doing the above verification.
    > Is there a way to get a false answer by that check, when the CA is not
    > available or it is not reachable?
    >
    > Thank you,
    > AL.
    >
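    The distinction Laszlo draws above (not revoked is not the same as known good) can be made explicit on Windows with the .NET X509Chain API instead of CAPICOM's IsValid. The following is an added example, not code from either poster; it assumes a .cer file for a certificate ISSUED BY the root in question, because a self-signed root normally carries no CRL distribution point of its own, so CRL reachability has to be tested one level below it.

    ```powershell
    # Added example (not from the thread). Builds the chain for a certificate and
    # reports "UNKNOWN" when the CRL could not be fetched, instead of treating
    # "not revoked" as "valid" the way the CAPICOM check in the question does.
    function Test-RevocationStatus {
        param([Parameter(Mandatory)][string] $CertPath)   # path to a .cer file (assumption)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

        # Fetch CRLs online for every certificate in the chain and bound the wait,
        # so an unreachable CA shows up as a status flag rather than a hang.
        $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

        $built = $chain.Build($cert)

        # Collapse the per-element status flags into one bitmask.
        $flags  = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
        $status = $flags::NoError
        foreach ($s in $chain.ChainStatus) { $status = $status -bor $s.Status }

        $unknown = $flags::RevocationStatusUnknown -bor $flags::OfflineRevocation

        # Order matters: a provable revocation wins over an inconclusive lookup,
        # and an inconclusive lookup must never be reported as VALID.
        $verdict =
            if (($status -band $flags::Revoked) -ne 0)     { 'REVOKED' }
            elseif (($status -band $unknown) -ne 0)        { 'UNKNOWN: CRL unreachable, do not treat as valid' }
            elseif ($built -and $status -eq $flags::NoError) { 'VALID' }
            else                                           { "INVALID: $status" }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Verdict     = $verdict
            ChainStatus = $status
        }
    }

    # Usage (path is a placeholder):
    # Test-RevocationStatus -CertPath 'C:\certs\issued-by-defunct-ca.cer'
    ```

    A root whose CA can no longer publish CRLs will make every certificate below it come back as UNKNOWN here, which is the signal that it belongs out of the trusted root store, exactly as the reply recommends.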

