CERT_TRUST_STATUS structure (wincrypt.h)
The CERT_TRUST_STATUS structure contains trust information about a certificate in a certificate chain, summary trust information about a simple chain of certificates, or summary information about an array of simple chains.
Syntax
typedef struct _CERT_TRUST_STATUS {
DWORD dwErrorStatus;
DWORD dwInfoStatus;
} CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;
Members
dwErrorStatus
dwErrorStatus is a bitmask of the following error codes defined for certificates and chains.
Value | Meaning |
---|---|
|
No error found for this certificate or chain. |
|
This certificate or one of the certificates in the certificate chain is not time valid. |
|
Trust for this certificate or one of the certificates in the certificate chain has been revoked. |
|
The certificate or one of the certificates in the certificate chain does not have a valid signature. |
|
The certificate or certificate chain is not valid for its proposed usage. |
|
The certificate or certificate chain is based on an untrusted root. |
|
The revocation status of the certificate or one of the certificates in the certificate chain is unknown. |
|
One of the certificates in the chain was issued by a certification authority that the original certificate had certified. |
|
One of the certificates has an extension that is not valid. |
|
The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension. |
|
The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded. |
|
The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid. |
|
The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:
|
|
The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate. |
|
The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate. |
|
The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded. |
|
The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale. |
|
The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it. |
|
The certificate is explicitly distrusted.
Windows Vista and Windows Server 2008: Support for this flag begins. |
|
The certificate does not support a critical extension.
Windows Vista and Windows Server 2008: Support for this flag begins. |
|
The certificate has not been strong signed. Typically this indicates that the MD2 or MD5 hashing algorithms were used to create a hash of the certificate.
Windows 8 and Windows Server 2012: Support for this flag begins. |
The following codes are defined for chains only.
Value | Meaning |
---|---|
|
The certificate chain is not complete. |
|
A certificate trust list (CTL) used to create this chain was not time valid. |
|
A CTL used to create this chain did not have a valid signature. |
|
A CTL used to create this chain is not valid for this usage. |
dwInfoStatus
The following information status codes are defined.
Value | Meaning |
---|---|
|
An exact match issuer certificate has been found for this certificate. This status code applies to certificates only. |
|
A key match issuer certificate has been found for this certificate. This status code applies to certificates only. |
|
A name match issuer certificate has been found for this certificate. This status code applies to certificates only. |
|
This certificate is self-signed. This status code applies to certificates only. |
|
The certificate or chain has a preferred issuer. This status code applies to certificates and chains. |
|
An issuance chain policy exists. This status code applies to certificates and chains. |
|
A valid name constraints for all namespaces, including UPN. This status code applies to certificates and chains. |
|
This certificate is peer trusted. This status code applies to certificates only.
Windows Vista and Windows Server 2008: Support for this flag begins. |
|
This certificate's certificate revocation list (CRL) validity has been extended. This status code applies to certificates only.
Windows Vista and Windows Server 2008: Support for this flag begins. |
|
The certificate was found in either a store pointed to by the hExclusiveRoot or hExclusiveTrustedPeople member of the CERT_CHAIN_ENGINE_CONFIG structure.
Windows 7 and Windows Server 2008 R2: Support for this flag begins. |
|
The certificate chain created is a complex chain. This status code applies to chains only. |
|
A non-self-signed intermediate CA certificate was found in the store pointed to by the hExclusiveRoot member of the CERT_CHAIN_ENGINE_CONFIG structure. The CA certificate is treated as a trust anchor for the certificate chain. This flag will only be set if the CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG value is set in the dwExclusiveFlags member of the CERT_CHAIN_ENGINE_CONFIG structure.
If this flag is set, the CERT_TRUST_IS_SELF_SIGNED and the CERT_TRUST_IS_PARTIAL_CHAINdwErrorStatus flags will not be set. Windows 8 and Windows Server 2012: Support for this flag begins. |
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Header | wincrypt.h |