
What does CERT_TRUST_IS_OFFLINE_REVOCATION mean? (Windows Server 2003)


Sam Wilson

Sep 29, 2003, 2:31:09 PM
Starting with Windows Server 2003, I am starting to see a new status flag returned by CertGetCertificateChain. It is:
 
    CERT_TRUST_IS_OFFLINE_REVOCATION
 
a) What does this mean and how can I get rid of it?  I call CertGetCertificateChain with the following flags: CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT|CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL
 
b) When my user installs the CA who issued the cert as a Trusted Root, this status flag is no longer returned. Why?
 
Thanks for any insights into this problem.
 
-------------------------------------------------
Samuel W. Wilson   Bentley Systems, Inc.
sam.w...@bentley.com      www.bentley.com

Sergio Dutra [MS]

Sep 29, 2003, 7:41:11 PM
The CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL tells the certificate verification engine to not go out of box to obtain any newer CRLs or issuer certificates. Therefore, if there is no CRL locally on the machine, or the one that is locally on the machine is expired or otherwise invalid, you will get that error.
 
In your user's case, if he didn't have the root installed, the certificate chain would fail to validate, and hence revocation would not be performed at all and this error would be returned. When the user installs the root certificate, the certificate chain is then valid, revocation is checked and an apparently updated CRL is found on the local machine, thus getting rid of that error.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Sam Wilson

Sep 30, 2003, 8:20:39 AM
Thanks for the explanation, but there is one part that I don't understand. CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL is documented as follows:
 
"Uses only cached URLs in building a certificate chain. The Internet and Intranet are not searched for URL-based objects. Note, not applicable to revocation checking. Set CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY to use only cached URLs for revocation checking."
 
So I would have thought that CACHE_ONLY_URL_RETRIEVAL would have no effect on CRL checking. REVOCATION_CHECK_CACHE_ONLY, by contrast, would affect CRL checking, but I'm not setting that.
?
Sam Wilson

David Cross [MS]

Sep 30, 2003, 8:29:24 AM
Offline usually means the revocation information is not available, the CDP location is not accessible, etc. Your application should handle this error as appropriate. If you do cache-only retrieval, this means that the CryptoAPI engine must have retrieved the objects for intermediate certs and CRLs previously. Otherwise it will always return an error.
 

--
David B. Cross [MS]
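The "handle this error as appropriate" step above is the application's decision point. As an added illustration (not code from either poster or from CryptoAPI itself), the triage below decodes the dwErrorStatus that CertGetCertificateChain fills in, ranks a revoked certificate above an invalid chain and an invalid chain above an offline CRL (since, as explained in this thread, revocation is never evaluated when the root is untrusted), and leaves only the offline case to a soft-fail policy flag. The CERT_TRUST_* values are the ones from wincrypt.h, duplicated so the logic also builds off Windows; the enum and function names are my own.

```c
/* Triage of CertGetCertificateChain's dwErrorStatus (pChainContext->TrustStatus.dwErrorStatus).
 * On Windows the real header is used; elsewhere the values are copied from wincrypt.h
 * so the decision logic can be exercised without CryptoAPI. */
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
#include <stdint.h>
typedef uint32_t DWORD;
#define CERT_TRUST_NO_ERROR                  0x00000000
#define CERT_TRUST_IS_NOT_TIME_VALID         0x00000001
#define CERT_TRUST_IS_REVOKED                0x00000004
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID    0x00000008
#define CERT_TRUST_IS_UNTRUSTED_ROOT         0x00000020
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_PARTIAL_CHAIN          0x00010000
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000
#endif

typedef enum {
    VERDICT_TRUSTED,            /* chain valid and a current CRL was consulted */
    VERDICT_REVOKED,            /* hard failure: a CRL lists the certificate */
    VERDICT_CHAIN_INVALID,      /* root/path/signature/time problem; revocation never ran */
    VERDICT_REVOCATION_OFFLINE  /* chain valid but no usable CRL: application policy decides */
} chain_verdict;

/* Hypothetical helper: order matters, because OFFLINE_REVOCATION may accompany an
 * untrusted root and says nothing useful until the chain itself validates. */
chain_verdict triage_chain_status(DWORD err) {
    const DWORD chain_errors = CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_PARTIAL_CHAIN
                             | CERT_TRUST_IS_NOT_SIGNATURE_VALID | CERT_TRUST_IS_NOT_TIME_VALID;
    if (err & CERT_TRUST_IS_REVOKED) return VERDICT_REVOKED;
    if (err & chain_errors) return VERDICT_CHAIN_INVALID;
    if (err & (CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN))
        return VERDICT_REVOCATION_OFFLINE;
    return err == CERT_TRUST_NO_ERROR ? VERDICT_TRUSTED : VERDICT_CHAIN_INVALID;
}

/* Hypothetical policy gate: an offline CRL is accepted only when the caller
 * explicitly opts into soft-fail; everything else is fail-closed. */
int chain_is_acceptable(DWORD err, int allow_soft_fail) {
    switch (triage_chain_status(err)) {
    case VERDICT_TRUSTED:            return 1;
    case VERDICT_REVOCATION_OFFLINE: return allow_soft_fail ? 1 : 0;
    default:                         return 0;
    }
}
```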

Sergio Dutra [MS]

Sep 30, 2003, 8:19:35 PM
Ah, yes, my mistake. You are correct in that CACHE_ONLY_URL_RETRIEVAL only affects downloading of the issuer certs.
 
Nevertheless, without a trusted root revocation checking will not actually take place, as I explained earlier.
