CERT_TRUST_STATUS structure (wincrypt.h)

The CERT_TRUST_STATUS structure contains trust information about a certificate in a certificate chain, summary trust information about a simple chain of certificates, or summary information about an array of simple chains.

Syntax

typedef struct _CERT_TRUST_STATUS {
  DWORD dwErrorStatus;
  DWORD dwInfoStatus;
} CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;

Members

dwErrorStatus

dwErrorStatus is a bitmask of the following error codes defined for certificates and chains.

Value	Meaning
CERT_TRUST_NO_ERROR 0x00000000	No error found for this certificate or chain.
CERT_TRUST_IS_NOT_TIME_VALID 0x00000001	This certificate or one of the certificates in the certificate chain is not time valid.
CERT_TRUST_IS_REVOKED 0x00000004	Trust for this certificate or one of the certificates in the certificate chain has been revoked.
CERT_TRUST_IS_NOT_SIGNATURE_VALID 0x00000008	The certificate or one of the certificates in the certificate chain does not have a valid signature.
CERT_TRUST_IS_NOT_VALID_FOR_USAGE 0x00000010	The certificate or certificate chain is not valid for its proposed usage.
CERT_TRUST_IS_UNTRUSTED_ROOT 0x00000020	The certificate or certificate chain is based on an untrusted root.
CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040	The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
CERT_TRUST_IS_CYCLIC 0x00000080	One of the certificates in the chain was issued by a certification authority that the original certificate had certified.
CERT_TRUST_INVALID_EXTENSION 0x00000100	One of the certificates has an extension that is not valid.
CERT_TRUST_INVALID_POLICY_CONSTRAINTS 0x00000200	The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.
CERT_TRUST_INVALID_BASIC_CONSTRAINTS 0x00000400	The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.
CERT_TRUST_INVALID_NAME_CONSTRAINTS 0x00000800	The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.
CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT 0x00001000	The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported: X400 Address EDI Party Name Registered Id
CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT 0x00002000	The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT 0x00004000	The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.
CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT 0x00008000	The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.
CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000	The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY 0x02000000	The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.
CERT_TRUST_IS_EXPLICIT_DISTRUST 0x04000000	The certificate is explicitly distrusted. Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT 0x08000000	The certificate does not support a critical extension. Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000	The certificate has not been strong signed. Typically this indicates that the MD2 or MD5 hashing algorithms were used to create a hash of the certificate. Windows 8 and Windows Server 2012:  Support for this flag begins.

 

The following codes are defined for chains only.

Value	Meaning
CERT_TRUST_IS_PARTIAL_CHAIN 0x00010000	The certificate chain is not complete.
CERT_TRUST_CTL_IS_NOT_TIME_VALID 0x00020000	A certificate trust list (CTL) used to create this chain was not time valid.
CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID 0x00040000	A CTL used to create this chain did not have a valid signature.
CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE 0x00080000	A CTL used to create this chain is not valid for this usage.

dwInfoStatus

The following information status codes are defined.

Value	Meaning
CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001	An exact match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002	A key match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004	A name match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_IS_SELF_SIGNED 0x00000008	This certificate is self-signed. This status code applies to certificates only.
CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100	The certificate or chain has a preferred issuer. This status code applies to certificates and chains.
CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000400	An issuance chain policy exists. This status code applies to certificates and chains.
CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400	A valid name constraints for all namespaces, including UPN. This status code applies to certificates and chains.
CERT_TRUST_IS_PEER_TRUSTED 0x00000800	This certificate is peer trusted. This status code applies to certificates only. Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED 0x00001000	This certificate's certificate revocation list (CRL) validity has been extended. This status code applies to certificates only. Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_IS_FROM_EXCLUSIVE_TRUST_STORE 0x00002000	The certificate was found in either a store pointed to by the hExclusiveRoot or hExclusiveTrustedPeople member of the CERT_CHAIN_ENGINE_CONFIG structure. Windows 7 and Windows Server 2008 R2:  Support for this flag begins.
CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000	The certificate chain created is a complex chain. This status code applies to chains only.
CERT_TRUST_IS_CA_TRUSTED 0x00004000	A non-self-signed intermediate CA certificate was found in the store pointed to by the hExclusiveRoot member of the CERT_CHAIN_ENGINE_CONFIG structure. The CA certificate is treated as a trust anchor for the certificate chain. This flag will only be set if the CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG value is set in the dwExclusiveFlags member of the CERT_CHAIN_ENGINE_CONFIG structure. If this flag is set, the CERT_TRUST_IS_SELF_SIGNED and the CERT_TRUST_IS_PARTIAL_CHAINdwErrorStatus flags will not be set. Windows 8 and Windows Server 2012:  Support for this flag begins.

Requirements

Requirement	Value
Minimum supported client	Windows XP [desktop apps only]
Minimum supported server	Windows Server 2003 [desktop apps only]
Header	wincrypt.h

See also

CERT_CHAIN_CONTEXT

CERT_CHAIN_ENGINE_CONFIG

CERT_SIMPLE_CHAIN