
List:       ms-cryptoapi
Subject:    Re: infoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
From:       Michael Virgil <mvirgil () NORTELNETWORKS ! COM>
Date:       2003-08-28 21:08:07

Joe,

Back to looking into the CRL problem I was having; vacation's over!

I dumped the chain to look at it; the log shows only one chain with 2
elements: the server's certificate and the signing CA certificate. I've attached
the output to the log. Any ideas?

Also, the informational status:
 - the server certificate element: 257 (or 0x0101) UNKNOWN
 - the CA certificate element:     268 (or 0x010C) UNKNOWN

I couldn't find either of these in WinCrypt.h. What do these mean?

Thanks again,
Michael

Log:
[832] CapiCls::serverAuthenticateThread(): Entering...
[832] CapiCls::serverAuthenticateThread():
[832] Entering...
[832] CapiCls::serverAuthenticateThread(): Certificate subject DN: CN=mscapi
virgil2ca
[832] CapiCls::serverAuthenticateThread(): Issuer DN: C=US, O=Engineering,
CN=Client Engineering CA
[832] CapiCls::CheckCRLDistPoint(): Entering...
[832] CapiCls::CheckCRLDistPoint():
[832] CERT_ALT_NAME_URL
[832] CapiCls::CheckCRLDistPoint():
[832] http://mvirgil2/CertEnroll/Client%20Engineering%20CA.crl
[832] CapiCls::CheckCRLDistPoint():
[832] CERT_ALT_NAME_URL
[832] CapiCls::CheckCRLDistPoint():
[832] file://\\mvirgil2\CertEnroll\Client%20Engineering%20CA.crl
[832] CapiCls::CheckCRLDistPoint(): leaving...
[832] CapiCls::CreateCertificateChain():         Entering...
[832] CapiCls::CreateCertificateChain():        The Certificate Chain has
been successfully created.
[832] CapiCls::CreateCertificateChain():         Number of simple chains in
the array: 1
[832] CapiCls::CheckTrustStatus():       Entering...
[832] CapiCls::CheckTrustStatus():      TrustStatus: Error status: 32
[832] CapiCls::CheckTrustStatus():      The certificate or certificate chain
is based on an untrusted root.
[832] CapiCls::CheckTrustStatus():      TrustStatus: Info status: 256
[832] CapiCls::CheckTrustStatus():      The certificate info status:
CERT_TRUST_HAS_PREFERRED_ISSUER.
[832] CapiCls::CheckTrustStatus():      leaving...
[832] CapiCls::CreateCertificateChain():        PCERT_SIMPLE_CHAIN: [0]
[832] CapiCls::CreateCertificateChain():        Number of CERT_CHAIN_ELEMENT
structures in the array: 2
[832] CapiCls::CreateCertificateChain():        CERT_CHAIN_ELEMENT: [0]
[832] CapiCls::CreateCertificateChain():        Subject: CN=mscapi virgil2ca

[832] CapiCls::CreateCertificateChain():        Certificate Serial Number:
2951BE780000000001A2
[832] CapiCls::CreateCertificateChain():        Issuer: C=US, O=Engineering,
CN=Client Engineering CA
[832] CapiCls::CheckTrustStatus():      Entering...
[832] CapiCls::CheckTrustStatus():      TrustStatus: Error status: 0
[832] CapiCls::CheckTrustStatus():      No error found for this certificate
or chain.
[832] CapiCls::CheckTrustStatus():      TrustStatus: Info status: 257
[832] CapiCls::CheckTrustStatus():      Unknown Informational Status.
[832] CapiCls::CheckTrustStatus():      leaving...
[832] CapiCls::CreateCertificateChain():        CERT_CHAIN_ELEMENT: [1]
[832] CapiCls::CreateCertificateChain():        Subject: C=US,
O=Engineering, CN=Client Engineering CA
[832] CapiCls::CreateCertificateChain():        Certificate Serial Number:
0666E8CAAC6D9FBD45E9383DE9907EF1
[832] CapiCls::CreateCertificateChain():        Issuer: C=US, O=Engineering,
CN=Client Engineering CA
[832] CapiCls::CheckTrustStatus():      Entering...
[832] CapiCls::CheckTrustStatus():      TrustStatus: Error status: 32
[832] CapiCls::CheckTrustStatus():      The certificate or certificate chain
is based on an untrusted root.
[832] CapiCls::CheckTrustStatus():      TrustStatus: Info status: 268
[832] CapiCls::CheckTrustStatus():      Unknown Informational Status.
[832] CapiCls::CheckTrustStatus():      leaving...
[832] CapiCls::CreateCertificateChain():         leaving...
[832] CapiCls::serverAuthenticateThread():      leaving...

-----Original Message-----
From: steele [mailto:steele@ADOBE.COM]
Sent: Thursday, August 07, 2003 1:34 PM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Re: infoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER


Michael,

I have seen this before and I believe it was related to cross-certificates
or CTLs being present in the chain returned. There may be multiple chains
being returned, and this indicates that the first one is the shortest
but is untrusted.

Check the cChain member of the CERT_CHAIN_CONTEXT returned. If it is greater
than one, try looking at the other chains present.


Joe Steele


> -----Original Message-----
> From: Microsoft Cryptographic API
> [mailto:CryptoAPI@DISCUSS.MICROSOFT.COM] On Behalf Of Michael Virgil
> Sent: Wednesday, August 06, 2003 10:59 AM
> To: CryptoAPI@DISCUSS.MICROSOFT.COM
> Subject: infoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
>
>
> Baffled...
>
> Using the same X.509 certificate and calling
> CertGetCertificateChain() to perform the CRL check, I get
> different results on three different systems, Windows/XP and
> Windows/2000. On one Windows/2000 system, the certificate CRL check
> passes. On the other 2, a Windows/XP and a Windows/2000 system, the
> call fails with the following:
>
> TrustStatus.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
> TrustStatus.dwInfoStatus   = CERT_TRUST_HAS_PREFERRED_ISSUER
>
> My assumption is that the problem is environmental, but for the life
> of me I can't find it. The server X.509 certificate is not installed on
> the system, but passed to the client application from the server
> application for verification, mutual authentication of the client and
> server. The ROOT CA Certificate is installed on all these client
> systems. All certificates are issued by the same Microsoft stand-alone
> CA.
>
> The call to CertGetCertificateChain() to perform the CRL check uses
> the default Certificate Chain Engine for CRL checking. No enhanced key
> usage is checked. The following flags are used:
>
> CERT_CHAIN_REVOCATION_CHECK_CHAIN |
> CERT_CHAIN_REVOCATION_CHECK_END_CERT |
> CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
>
> Any ideas or helpful hints would be greatly appreciated.
>
> Thanks,
> Michael
>
>
>
>
> ----------------------------------------------------------------
> Users Guide http://discuss.microsoft.com/archives/mailfaq.html
> contains important info. Save time, search the archives at
> http://discuss.microsoft.com/archives/index.html . To unsubscribe,
> mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM
>
>
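
An added example, not part of this thread and not Michael's CapiCls code, that answers the "UNKNOWN" status question above: dwInfoStatus and dwErrorStatus are bitmasks, so 257 and 268 never appear as single constants in WinCrypt.h; they are ORs of several flags. The flag values below are copied from wincrypt.h and redefined locally so the program builds without the Windows SDK; the three (error, info) pairs fed to it are the ones from the log in this message.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Flag values copied from wincrypt.h (CERT_TRUST_STATUS.dwInfoStatus and
 * dwErrorStatus). Redefined here so the example builds without the Windows
 * SDK; on Windows you would simply #include <wincrypt.h>. */
#define CERT_TRUST_HAS_EXACT_MATCH_ISSUER     0x00000001UL
#define CERT_TRUST_HAS_KEY_MATCH_ISSUER       0x00000002UL
#define CERT_TRUST_HAS_NAME_MATCH_ISSUER      0x00000004UL
#define CERT_TRUST_IS_SELF_SIGNED             0x00000008UL
#define CERT_TRUST_HAS_PREFERRED_ISSUER       0x00000100UL
#define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY  0x00000200UL
#define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400UL
#define CERT_TRUST_IS_COMPLEX_CHAIN           0x00010000UL

#define CERT_TRUST_IS_NOT_TIME_VALID          0x00000001UL
#define CERT_TRUST_IS_NOT_TIME_NESTED         0x00000002UL
#define CERT_TRUST_IS_REVOKED                 0x00000004UL
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID     0x00000008UL
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE     0x00000010UL
#define CERT_TRUST_IS_UNTRUSTED_ROOT          0x00000020UL
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN  0x00000040UL
#define CERT_TRUST_IS_CYCLIC                  0x00000080UL
#define CERT_TRUST_IS_PARTIAL_CHAIN           0x00010000UL
#define CERT_TRUST_IS_OFFLINE_REVOCATION      0x01000000UL

typedef struct { unsigned long bit; const char *name; } flag_name;

/* F(x) pairs a flag with its own name as a string, in ascending bit order. */
#define F(x) { x, #x }
static const flag_name info_flags[] = {
    F(CERT_TRUST_HAS_EXACT_MATCH_ISSUER),     F(CERT_TRUST_HAS_KEY_MATCH_ISSUER),
    F(CERT_TRUST_HAS_NAME_MATCH_ISSUER),      F(CERT_TRUST_IS_SELF_SIGNED),
    F(CERT_TRUST_HAS_PREFERRED_ISSUER),       F(CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY),
    F(CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS), F(CERT_TRUST_IS_COMPLEX_CHAIN),
};
static const flag_name error_flags[] = {
    F(CERT_TRUST_IS_NOT_TIME_VALID),     F(CERT_TRUST_IS_NOT_TIME_NESTED),
    F(CERT_TRUST_IS_REVOKED),            F(CERT_TRUST_IS_NOT_SIGNATURE_VALID),
    F(CERT_TRUST_IS_NOT_VALID_FOR_USAGE), F(CERT_TRUST_IS_UNTRUSTED_ROOT),
    F(CERT_TRUST_REVOCATION_STATUS_UNKNOWN), F(CERT_TRUST_IS_CYCLIC),
    F(CERT_TRUST_IS_PARTIAL_CHAIN),      F(CERT_TRUST_IS_OFFLINE_REVOCATION),
};
#undef F

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Split a status word into the names of the flags set in it. Returns the
 * number of recognised flags (names are written to out, up to max_out);
 * *unknown receives any bits that matched no table entry, so a genuinely
 * unknown value is reported instead of silently dropped. */
static size_t decode(unsigned long status, const flag_name *table, size_t n,
                     const char **out, size_t max_out, unsigned long *unknown)
{
    size_t i, count = 0;
    unsigned long seen = 0;
    for (i = 0; i < n; i++) {
        if (status & table[i].bit) {
            seen |= table[i].bit;
            if (count < max_out) out[count] = table[i].name;
            count++;
        }
    }
    if (unknown) *unknown = status & ~seen;
    return count;
}

size_t decode_info_status(unsigned long status, const char **out,
                          size_t max_out, unsigned long *unknown)
{
    return decode(status, info_flags, NELEMS(info_flags), out, max_out, unknown);
}

size_t decode_error_status(unsigned long status, const char **out,
                           size_t max_out, unsigned long *unknown)
{
    return decode(status, error_flags, NELEMS(error_flags), out, max_out, unknown);
}

/* Print one (dwErrorStatus, dwInfoStatus) pair the way the log should have. */
static void show(const char *label, unsigned long err, unsigned long info)
{
    const char *names[16];
    unsigned long unk;
    size_t n, i;

    printf("%s\n", label);
    n = decode_error_status(err, names, NELEMS(names), &unk);
    printf("  dwErrorStatus = %lu (0x%lx):%s", err, err, n ? "" : " (none)");
    for (i = 0; i < n; i++) printf("%s %s", i ? " |" : "", names[i]);
    if (unk) printf(" | unknown bits 0x%lx", unk);
    n = decode_info_status(info, names, NELEMS(names), &unk);
    printf("\n  dwInfoStatus  = %lu (0x%lx):%s", info, info, n ? "" : " (none)");
    for (i = 0; i < n; i++) printf("%s %s", i ? " |" : "", names[i]);
    if (unk) printf(" | unknown bits 0x%lx", unk);
    printf("\n");
}

int main(void)
{
    /* The three status pairs from Michael's log above. */
    show("simple chain [0]",        32UL, 256UL);
    show("element [0] server cert",  0UL, 257UL);
    show("element [1] CA cert",     32UL, 268UL);
    return 0;
}
```

Run against the values in the log this gives 257 = CERT_TRUST_HAS_EXACT_MATCH_ISSUER | CERT_TRUST_HAS_PREFERRED_ISSUER and 268 = CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_PREFERRED_ISSUER. The self-signed bit on element [1] together with dwErrorStatus 0x20 (CERT_TRUST_IS_UNTRUSTED_ROOT) on that element and on the chain says the chain does terminate at the CA certificate, but that self-signed CA is not in the trusted root store of the machine the log came from; element [0] carries no error of its own because the untrusted-root condition is attributed to the root element. Checking which root store the CA actually sits in on each of the three systems is cheaper than walking further chains, and is worth doing before the cChain check Joe suggests.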
