In my program I use CertGetCertificateChain to investigate the validity of certificates. If in my test PKI I revoke a certificate and specify the reason “unspecified”, the error code in the last parameter pChainContext->TrustStatus.dwErrorStatus is zero, meaning no error: the certificate is not considered revoked. However, in the Windows Event Log I can see the following entry:
So, the revocation and its reason got detected correctly; however, CertGetCertificateChain doesn’t let me know about it.
If I revoke the certificate with any other reason (e.g. “cessation of operation”), CertGetCertificateChain correctly returns pChainContext->TrustStatus.dwErrorStatus == 4, which means CERT_TRUST_IS_REVOKED, and in the event log I can see this:
So my question is: Is this behavior of
I spent some time researching this and I found this document. In section 6.3.2 (a) it says:
reasons_mask: This variable contains the set of revocation reasons supported by the CRLs and delta CRLs processed so far. The legal members of the set are the possible revocation reason values minus unspecified: keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, and aACompromise. The special value all-reasons is used to denote the set of all legal members. This variable is initialized to the empty set.
(emphasis is mine)
I’m not sure how to interpret this. Does it mean that the described algorithm must not consider the “unspecified” reason as revoked? If so, this would mean that CertGetCertificateChain behaves correctly. But then some follow-up questions arise: Shouldn’t there be some big, all-capital, blinking warning along the lines of “If you revoke a certificate, NEVER EVER choose ‘unspecified’ as the reason, because otherwise it won’t be considered revoked.”?
But maybe I’m not reading this correctly, so here are some other blind guesses of mine as to why CertGetCertificateChain doesn’t work as expected:
- Maybe I need to configure my CRL to support the “unspecified” reason. But I don’t see where I can configure that.
- Do I have to pass some extra flags to CertGetCertificateChain to make it consider the “unspecified” reason? I cannot see any flags that sound suitable…
- Am I trying to solve a non-existent problem? Maybe literally nobody uses the “unspecified” reason, and that’s why I find so little information about it?
Can anyone shed some light on this?
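As an added illustration that is not part of the original post: a small Python model of the reasons_mask / cert_status bookkeeping in RFC 5280 section 6.3.3, written from my own reading of the RFC (not CryptoAPI, and simplified: no ASN.1, signatures or delta CRLs), to separate the CRL-scope mask quoted above from the reason code stored on an individual CRL entry. The CRL and certificate representations and the sample serial numbers are constructed for this example.

```python
# Constructed, simplified model of the RFC 5280 section 6.3.3 CRL-processing state.
# Assumptions: CRLs are plain dicts (no ASN.1, no signature checks, no delta CRLs);
# this is an illustration written for this page, not CryptoAPI or any real library.
from __future__ import annotations
from typing import Optional

# CRLReason values from RFC 5280 section 5.3.1
REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
    4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
    8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise",
}
# 6.3.2 (a): legal members of reasons_mask are all reasons minus 'unspecified'
# (removeFromCRL is not a member either: it is a delta-CRL marker, not a reason).
ALL_REASONS = frozenset(n for c, n in REASON_NAMES.items() if c not in (0, 8))
UNREVOKED = "UNREVOKED"

def check_status(serial: int, crls: list[dict]) -> tuple[str, frozenset]:
    """Walk the CRLs for one certificate; return (cert_status, reasons_mask).

    Each CRL dict has:
      'only_some_reasons': set of reason names from the IDP extension, None = all-reasons
      'entries': {serial: reason_code or None}  (None = no reasonCode entry extension)
    """
    reasons_mask: frozenset = frozenset()   # 6.3.2 (a): starts empty
    cert_status = UNREVOKED                 # 6.3.2 (a): starts UNREVOKED
    for crl in crls:
        # 6.3.3 (b): scope covered by this CRL, independent of any entry's reason code
        scope = crl["only_some_reasons"]
        interim = ALL_REASONS if scope is None else frozenset(scope) & ALL_REASONS
        if not (interim - reasons_mask):    # 6.3.3 (c): covers nothing new, skip it
            continue
        # 6.3.3 (i): search the complete CRL; an absent reasonCode means 'unspecified'
        if cert_status == UNREVOKED and serial in crl["entries"]:
            code = crl["entries"][serial]
            cert_status = "unspecified" if code is None else REASON_NAMES[code]
        if cert_status == "removeFromCRL":  # 6.3.3 (j)
            cert_status = UNREVOKED
        reasons_mask = reasons_mask | interim   # 6.3.3 (k)
        if reasons_mask == ALL_REASONS or cert_status != UNREVOKED:
            break                           # revocation status is determined
    return cert_status, reasons_mask

def is_revoked(serial: int, crls: list[dict]) -> Optional[bool]:
    """True if revoked, False if shown unrevoked, None if undetermined (mask incomplete)."""
    status, mask = check_status(serial, crls)
    if status != UNREVOKED:
        return True
    return False if mask == ALL_REASONS else None

# Constructed sample: a full-scope CRL whose entry for serial 0x1001 carries reason 0
SAMPLE_CRL = {"only_some_reasons": None, "entries": {0x1001: 0, 0x1002: 5, 0x1003: None}}
```

In this model the entry reason only ever lands in cert_status, while reasons_mask records which reasons the processed CRLs cover, so a CRL entry with reason 0 still yields a cert_status other than UNREVOKED.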