CERT_TRUST_STATUS structure
The CERT_TRUST_STATUS structure contains trust information about a certificate in a certificate chain, summary trust information about a simple chain of certificates, or summary information about an array of simple chains.
Syntax
```c
typedef struct _CERT_TRUST_STATUS {
  DWORD dwErrorStatus;
  DWORD dwInfoStatus;
} CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;
```
Members
- dwErrorStatus

The following error status codes are defined for certificates and chains.
Value and meaning:
- CERT_TRUST_NO_ERROR
- 0x00000000
No error found for this certificate or chain.
- CERT_TRUST_IS_NOT_TIME_VALID
- 0x00000001
This certificate or one of the certificates in the certificate chain is not time valid.
- CERT_TRUST_IS_REVOKED
- 0x00000004
Trust for this certificate or one of the certificates in the certificate chain has been revoked.
- CERT_TRUST_IS_NOT_SIGNATURE_VALID
- 0x00000008
The certificate or one of the certificates in the certificate chain does not have a valid signature.
- CERT_TRUST_IS_NOT_VALID_FOR_USAGE
- 0x00000010
The certificate or certificate chain is not valid for its proposed usage.
- CERT_TRUST_IS_UNTRUSTED_ROOT
- 0x00000020
The certificate or certificate chain is based on an untrusted root.
- CERT_TRUST_REVOCATION_STATUS_UNKNOWN
- 0x00000040
The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
- CERT_TRUST_IS_CYCLIC
- 0x00000080
One of the certificates in the chain was issued by a certification authority that the original certificate had certified.
- CERT_TRUST_INVALID_EXTENSION
- 0x00000100
One of the certificates has an extension that is not valid.
- CERT_TRUST_INVALID_POLICY_CONSTRAINTS
- 0x00000200
The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.
- CERT_TRUST_INVALID_BASIC_CONSTRAINTS
- 0x00000400
The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.
- CERT_TRUST_INVALID_NAME_CONSTRAINTS
- 0x00000800
The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.
- CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
- 0x00001000
The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:
  - X400 Address
  - EDI Party Name
  - Registered Id
- CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
- 0x00002000
The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.
- CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
- 0x00004000
The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.
- CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
- 0x00008000
The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.
- CERT_TRUST_IS_OFFLINE_REVOCATION
- 0x01000000
The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
- CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY
- 0x02000000
The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.
- CERT_TRUST_IS_EXPLICIT_DISTRUST
- 0x04000000
The certificate is explicitly distrusted.
Windows Vista and Windows Server 2008: Support for this flag begins.
- CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT
- 0x08000000
The certificate does not support a critical extension.
Windows Vista and Windows Server 2008: Support for this flag begins.
- CERT_TRUST_HAS_WEAK_SIGNATURE
- 0x00100000
The certificate has not been strong signed. Typically this indicates that the MD2 or MD5 hashing algorithms were used to create a hash of the certificate.
Windows 8 and Windows Server 2012: Support for this flag begins.
The following codes are defined for chains only.
Value and meaning:
- CERT_TRUST_IS_PARTIAL_CHAIN
- 0x00010000
The certificate chain is not complete.
- CERT_TRUST_CTL_IS_NOT_TIME_VALID
- 0x00020000
A certificate trust list (CTL) used to create this chain was not time valid.
- CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID
- 0x00040000
A CTL used to create this chain did not have a valid signature.
- CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE
- 0x00080000
A CTL used to create this chain is not valid for this usage.
- dwInfoStatus

The following information status codes are defined.
Value and meaning:
- CERT_TRUST_HAS_EXACT_MATCH_ISSUER
- 0x00000001
An exact match issuer certificate has been found for this certificate. This status code applies to certificates only.
- CERT_TRUST_HAS_KEY_MATCH_ISSUER
- 0x00000002
A key match issuer certificate has been found for this certificate. This status code applies to certificates only.
- CERT_TRUST_HAS_NAME_MATCH_ISSUER
- 0x00000004
A name match issuer certificate has been found for this certificate. This status code applies to certificates only.
- CERT_TRUST_IS_SELF_SIGNED
- 0x00000008
This certificate is self-signed. This status code applies to certificates only.
- CERT_TRUST_HAS_PREFERRED_ISSUER
- 0x00000100
The certificate or chain has a preferred issuer. This status code applies to certificates and chains.
- CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY
- 0x00000400
An issuance chain policy exists. This status code applies to certificates and chains.
- CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
- 0x00000400
Valid name constraints exist for all namespaces, including UPN. This status code applies to certificates and chains.
- CERT_TRUST_IS_PEER_TRUSTED
- 0x00000800
This certificate is peer trusted. This status code applies to certificates only.
Windows Vista and Windows Server 2008: Support for this flag begins.
- CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED
- 0x00001000
This certificate's certificate revocation list (CRL) validity has been extended. This status code applies to certificates only.
Windows Vista and Windows Server 2008: Support for this flag begins.
- CERT_TRUST_IS_FROM_EXCLUSIVE_TRUST_STORE
- 0x00002000
The certificate was found in either a store pointed to by the hExclusiveRoot or hExclusiveTrustedPeople member of the CERT_CHAIN_ENGINE_CONFIG structure.
Windows 7 and Windows Server 2008 R2: Support for this flag begins.
- CERT_TRUST_IS_COMPLEX_CHAIN
- 0x00010000
The certificate chain created is a complex chain. This status code applies to chains only.
- CERT_TRUST_IS_CA_TRUSTED
- 0x00004000
A non-self-signed intermediate CA certificate was found in the store pointed to by the hExclusiveRoot member of the CERT_CHAIN_ENGINE_CONFIG structure. The CA certificate is treated as a trust anchor for the certificate chain. This flag will only be set if the CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG value is set in the dwExclusiveFlags member of the CERT_CHAIN_ENGINE_CONFIG structure.
If this flag is set, the CERT_TRUST_IS_SELF_SIGNED and the CERT_TRUST_IS_PARTIAL_CHAIN dwErrorStatus flags will not be set.
Windows 8 and Windows Server 2012: Support for this flag begins.
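Added example (not part of the original documentation or of the Windows SDK): it decodes a dwErrorStatus mask using the values listed above and contrasts a deny-list check, which silently accepts flags it was never written for, with a fail-closed allow-list check. The constants are re-declared locally so it builds without the Windows headers; the helper names trust_describe, accept_denylist and accept_allowlist and the sample mask are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. dwErrorStatus bits as listed on this page (CERT_TRUST_ prefix dropped). */
static const struct { uint32_t bit; const char *name; } kErr[] = {
    {0x00000001, "IS_NOT_TIME_VALID"}, {0x00000004, "IS_REVOKED"},
    {0x00000008, "IS_NOT_SIGNATURE_VALID"}, {0x00000010, "IS_NOT_VALID_FOR_USAGE"},
    {0x00000020, "IS_UNTRUSTED_ROOT"}, {0x00000040, "REVOCATION_STATUS_UNKNOWN"},
    {0x00000080, "IS_CYCLIC"}, {0x00000100, "INVALID_EXTENSION"},
    {0x00000200, "INVALID_POLICY_CONSTRAINTS"}, {0x00000400, "INVALID_BASIC_CONSTRAINTS"},
    {0x00000800, "INVALID_NAME_CONSTRAINTS"}, {0x00001000, "HAS_NOT_SUPPORTED_NAME_CONSTRAINT"},
    {0x00002000, "HAS_NOT_DEFINED_NAME_CONSTRAINT"}, {0x00004000, "HAS_NOT_PERMITTED_NAME_CONSTRAINT"},
    {0x00008000, "HAS_EXCLUDED_NAME_CONSTRAINT"}, {0x00010000, "IS_PARTIAL_CHAIN"},
    {0x00020000, "CTL_IS_NOT_TIME_VALID"}, {0x00040000, "CTL_IS_NOT_SIGNATURE_VALID"},
    {0x00080000, "CTL_IS_NOT_VALID_FOR_USAGE"}, {0x00100000, "HAS_WEAK_SIGNATURE"},
    {0x01000000, "IS_OFFLINE_REVOCATION"}, {0x02000000, "NO_ISSUANCE_CHAIN_POLICY"},
    {0x04000000, "IS_EXPLICIT_DISTRUST"}, {0x08000000, "HAS_NOT_SUPPORTED_CRITICAL_EXT"},
};

static void put(char *out, size_t n, const char *s) {   /* bounded append with '|' separator */
    size_t len = n ? strlen(out) : 0;
    if (len + 1 < n) snprintf(out + len, n - len, "%s%s", len ? "|" : "", s);
}

/* Name every set bit in out; return the bits this table does not know. */
uint32_t trust_describe(uint32_t err, char *out, size_t n) {
    char tmp[24];
    uint32_t unknown = err;
    if (n) out[0] = '\0';
    for (size_t i = 0; i < sizeof kErr / sizeof kErr[0]; i++)
        if (err & kErr[i].bit) { put(out, n, kErr[i].name); unknown &= ~kErr[i].bit; }
    if (unknown) { snprintf(tmp, sizeof tmp, "UNKNOWN(0x%08X)", (unsigned)unknown); put(out, n, tmp); }
    if (!err) put(out, n, "NO_ERROR");
    return unknown;
}

/* Weak: deny-list of four flags; any other error bit is silently accepted. */
int accept_denylist(uint32_t err) { return (err & (0x01 | 0x04 | 0x08 | 0x20)) == 0; }

/* Fail-closed: every set bit must be in the caller's reviewed allow-list. */
int accept_allowlist(uint32_t err, uint32_t tolerated) { return (err & ~tolerated) == 0; }

int main(void) {
    char buf[160];
    uint32_t sample = 0x00100040;  /* constructed: weak signature + revocation status unknown */
    trust_describe(sample, buf, sizeof buf);
    printf("%s deny-list=%d allow-list=%d\n", buf, accept_denylist(sample), accept_allowlist(sample, 0x40));
    return 0;
}
```

With the constructed mask, the deny-list accepts the chain even though CERT_TRUST_HAS_WEAK_SIGNATURE is set, while the allow-list that tolerates only CERT_TRUST_REVOCATION_STATUS_UNKNOWN rejects it.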
Requirements
| | |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Header | |