CERT_TRUST_STATUS structure (wincrypt.h)

  • Article

The CERT_TRUST_STATUS structure contains trust information about a certificate in a certificate chain, summary trust information about a simple chain of certificates, or summary information about an array of simple chains.

Syntax

typedef struct _CERT_TRUST_STATUS {
  DWORD dwErrorStatus;
  DWORD dwInfoStatus;
} CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;

Members

dwErrorStatus

dwErrorStatus is a bitmask of the following error codes defined for certificates and chains.

Value Meaning
CERT_TRUST_NO_ERROR
0x00000000
 No error found for this certificate or chain.
CERT_TRUST_IS_NOT_TIME_VALID
0x00000001
 This certificate or one of the certificates in the certificate chain is not time valid.
CERT_TRUST_IS_REVOKED
0x00000004
 Trust for this certificate or one of the certificates in the certificate chain has been revoked.
CERT_TRUST_IS_NOT_SIGNATURE_VALID
0x00000008
 The certificate or one of the certificates in the certificate chain does not have a valid signature.
CERT_TRUST_IS_NOT_VALID_FOR_USAGE
0x00000010
 The certificate or certificate chain is not valid for its proposed usage.
CERT_TRUST_IS_UNTRUSTED_ROOT
0x00000020
 The certificate or certificate chain is based on an untrusted root.
CERT_TRUST_REVOCATION_STATUS_UNKNOWN
0x00000040
 The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
CERT_TRUST_IS_CYCLIC
0x00000080
 One of the certificates in the chain was issued by a certification authority that the original certificate had certified.
CERT_TRUST_INVALID_EXTENSION
0x00000100
 One of the certificates has an extension that is not valid.
CERT_TRUST_INVALID_POLICY_CONSTRAINTS
0x00000200
 The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.
CERT_TRUST_INVALID_BASIC_CONSTRAINTS
0x00000400
 The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.
CERT_TRUST_INVALID_NAME_CONSTRAINTS
0x00000800
 The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.
CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
0x00001000
 The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:
  • X400 Address
  • EDI Party Name
  • Registered Id
CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
0x00002000
 The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
0x00004000
 The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.
CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
0x00008000
 The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.
CERT_TRUST_IS_OFFLINE_REVOCATION
0x01000000
 The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY
0x02000000
 The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.
CERT_TRUST_IS_EXPLICIT_DISTRUST
0x04000000
 The certificate is explicitly distrusted.

Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT
0x08000000
 The certificate does not support a critical extension.

Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_WEAK_SIGNATURE
0x00100000
 The certificate has not been strong signed. Typically this indicates that the MD2 or MD5 hashing algorithms were used to create a hash of the certificate.

Windows 8 and Windows Server 2012:  Support for this flag begins.
 

The following codes are defined for chains only.

Value Meaning
CERT_TRUST_IS_PARTIAL_CHAIN
0x00010000
 The certificate chain is not complete.
CERT_TRUST_CTL_IS_NOT_TIME_VALID
0x00020000
 A certificate trust list (CTL) used to create this chain was not time valid.
CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID
0x00040000
 A CTL used to create this chain did not have a valid signature.
CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE
0x00080000
 A CTL used to create this chain is not valid for this usage.

dwInfoStatus

The following information status codes are defined.

Value Meaning
CERT_TRUST_HAS_EXACT_MATCH_ISSUER
0x00000001
 An exact match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_HAS_KEY_MATCH_ISSUER
0x00000002
 A key match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_HAS_NAME_MATCH_ISSUER
0x00000004
 A name match issuer certificate has been found for this certificate. This status code applies to certificates only.
CERT_TRUST_IS_SELF_SIGNED
0x00000008
 This certificate is self-signed. This status code applies to certificates only.
CERT_TRUST_HAS_PREFERRED_ISSUER
0x00000100
 The certificate or chain has a preferred issuer. This status code applies to certificates and chains.
CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY
0x00000400
 An issuance chain policy exists. This status code applies to certificates and chains.
CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
0x00000400
 A valid name constraints for all namespaces, including UPN. This status code applies to certificates and chains.
CERT_TRUST_IS_PEER_TRUSTED
0x00000800
 This certificate is peer trusted. This status code applies to certificates only.

Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED
0x00001000
 This certificate's certificate revocation list (CRL) validity has been extended. This status code applies to certificates only.

Windows Vista and Windows Server 2008:  Support for this flag begins.
CERT_TRUST_IS_FROM_EXCLUSIVE_TRUST_STORE
0x00002000
 The certificate was found in either a store pointed to by the hExclusiveRoot or hExclusiveTrustedPeople member of the CERT_CHAIN_ENGINE_CONFIG structure.

Windows 7 and Windows Server 2008 R2:  Support for this flag begins.
CERT_TRUST_IS_COMPLEX_CHAIN
0x00010000
 The certificate chain created is a complex chain. This status code applies to chains only.
CERT_TRUST_IS_CA_TRUSTED
0x00004000
 A non-self-signed intermediate CA certificate was found in the store pointed to by the hExclusiveRoot member of the CERT_CHAIN_ENGINE_CONFIG structure. The CA certificate is treated as a trust anchor for the certificate chain. This flag will only be set if the CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG value is set in the dwExclusiveFlags member of the CERT_CHAIN_ENGINE_CONFIG structure.

If this flag is set, the CERT_TRUST_IS_SELF_SIGNED and the CERT_TRUST_IS_PARTIAL_CHAINdwErrorStatus flags will not be set.

Windows 8 and Windows Server 2012:  Support for this flag begins.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Header wincrypt.h

See also

CERT_CHAIN_CONTEXT

CERT_CHAIN_ENGINE_CONFIG

CERT_SIMPLE_CHAIN