You receive a "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" error message when a third-party CRL tries to validate a third-party certificate on a computer that is running Windows Server 2003, Windows XP, Windows 2000, or Windows NT (884325)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows NT Server
- Microsoft Windows NT Workstation
SYMPTOMS
When Windows uses a third-party Certificate Revocation List (CRL) to check the revocation status of a third-party certificate on a computer that is running one of the Microsoft products in the "Applies to" section, the check fails with the following status:
CERT_TRUST_REVOCATION_STATUS_UNKNOWN
(This is a CryptoAPI chain trust status flag rather than a message string; applications typically surface it as an error message.)
CAUSE
This issue may occur if the third-party CRL contains Issuing Distribution Point (IDP) extension fields that Windows does not support.
STATUS
This behavior is by design.
MORE INFORMATION
You cannot use a CRL that contains IDP extension fields on a Microsoft Windows Server product that is an earlier version than Microsoft Windows Server 2003. Windows Server 2003 partially supports CRLs that contain certain IDP extension fields. In Windows Server 2003, the CryptoAPI revocation check compares the IDP extension of the CRL with the CRL Distribution Point (CDP) extension of the certificate that is being validated to determine whether that CRL applies to the certificate. If you use a CRL that contains IDP extension fields that Windows does not support, CryptoAPI cannot determine the revocation status of the certificate and reports the status that is shown in the "Symptoms" section. Microsoft Windows XP also partially supports CRLs that contain certain IDP extension fields. The following IDP extension fields may be used in a CRL:
- distributionPoint
- onlyContainsUserCerts
- onlyContainsCACerts
- onlySomeReasons
- indirectCRL
The IDP extension is a critical CRL extension whose fields state the scope of the CRL. A Certification Authority (CA) can use the distributionPoint field to name the distribution point that the CRL covers; a client must match that name against the CDP extension of the certificate that it is checking. The onlyContainsUserCerts field specifies that the CRL covers only end-entity (user) certificates, and the onlyContainsCACerts field specifies that the CRL covers only CA certificates. The onlySomeReasons field specifies that the CRL covers only the listed revocation reasons, so a client cannot conclude from that CRL alone that a certificate has not been revoked for some other reason. The indirectCRL field specifies that the CRL may contain entries for certificates that were issued by a CA other than the CRL issuer, so a client must determine the issuer of each entry instead of assuming that it is the CRL issuer. Microsoft Windows 2000 with the MS04-011 security update installed, Windows XP, and Windows Server 2003 support the following IDP extension fields:
- onlyContainsUserCerts
- onlyContainsCACerts
Only Windows XP and Windows Server 2003 also support the distributionPoint IDP extension field. Microsoft Windows NT and Windows 2000 without MS04-011 installed do not support any IDP extension fields. The onlySomeReasons and indirectCRL fields are not supported on any of the versions listed in this article, so a CRL that uses either of them produces this status on all of them.
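The following Python program is an added example, not Microsoft or CryptoAPI code. It decodes the DER value of a CRL's IDP extension with the standard library only, reports which of the fields described above a given Windows version from this article would reject, and models the IDP-to-CDP name comparison as RFC 5280 defines it (Windows' exact matching logic is not described on this page). The sample CRL URL, the platform labels used as dictionary keys, and the sample IDP value are constructed for the example.

```python
"""Decode a CRL's IssuingDistributionPoint (IDP) extension value (OID 2.5.29.28)
with the standard library only, then report which fields the Windows versions
in this article do not accept.  Added example; not Microsoft or CryptoAPI code.

RFC 5280 5.2.5 layout (the value inside the extension's OCTET STRING):
  IssuingDistributionPoint ::= SEQUENCE {
    distributionPoint          [0] DistributionPointName OPTIONAL,  -- EXPLICIT (CHOICE)
    onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons            [3] ReasonFlags OPTIONAL,
    indirectCRL                [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
"""


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def der_iter(data: bytes):
    """Yield (tag, value) for each TLV in `data`; rejects truncated encodings."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                           # long form: n & 0x7F length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + n]
        i += n


def parse_idp(ext_value: bytes) -> dict:
    """Decode an IDP extension value into a dict keyed by RFC 5280 field name."""
    tag, seq = next(der_iter(ext_value))
    if tag != 0x30:
        raise ValueError("IDP extension value must be a SEQUENCE")
    idp = {"distributionPoint": None, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": None,
           "indirectCRL": False, "onlyContainsAttributeCerts": False}
    bools = {1: "onlyContainsUserCerts", 2: "onlyContainsCACerts",
             4: "indirectCRL", 5: "onlyContainsAttributeCerts"}
    for tag, val in der_iter(seq):
        num = tag & 0x1F                       # context-specific tag number
        if num == 0:                           # [0] EXPLICIT DistributionPointName CHOICE
            ctag, cval = next(der_iter(val))
            if ctag == 0xA0:                   # fullName [0] GeneralNames (SEQUENCE OF)
                names = [g.decode("ascii") if t == 0x86 else f"<GeneralName tag {t:#x}>"
                         for t, g in der_iter(cval)]   # 0x86 = [6] uniformResourceIdentifier
                idp["distributionPoint"] = {"fullName": names}
            else:                              # [1] nameRelativeToCRLIssuer (kept as raw DER)
                idp["distributionPoint"] = {"nameRelativeToCRLIssuer": cval.hex()}
        elif num == 3:                         # ReasonFlags BIT STRING; byte 0 = unused-bit count
            idp["onlySomeReasons"] = val[1:].hex()
        elif num in bools:
            idp[bools[num]] = val == b"\xff"
    return idp


# IDP fields accepted by each platform named in this article (labels are ours).
# Any other field that is present makes CryptoAPI report
# CERT_TRUST_REVOCATION_STATUS_UNKNOWN.
SUPPORTED = {
    "nt4": set(), "2000": set(),
    "2000+ms04-011": {"onlyContainsUserCerts", "onlyContainsCACerts"},
    "xp": {"distributionPoint", "onlyContainsUserCerts", "onlyContainsCACerts"},
    "2003": {"distributionPoint", "onlyContainsUserCerts", "onlyContainsCACerts"},
}


def unsupported_fields(idp: dict, platform: str) -> list:
    """IDP fields present in the CRL that `platform` cannot process."""
    present = [k for k, v in idp.items() if v not in (None, False)]
    return [f for f in present if f not in SUPPORTED[platform]]


def idp_matches_cdp(idp: dict, cert_cdp_uris: list) -> bool:
    """RFC 5280 6.3.3 (b)(2)(i): if the IDP names a distribution point, at least one
    of its names must also appear in the certificate's CRL Distribution Points."""
    dp = idp["distributionPoint"]
    if dp is None:
        return True
    return any(u in cert_cdp_uris for u in dp.get("fullName", []))


def sample_idp() -> bytes:
    """Constructed sample: a URI distribution point plus onlyContainsUserCerts and indirectCRL."""
    uri = der_tlv(0x86, b"http://crl.example.test/ca.crl")   # hypothetical URL
    full_name = der_tlv(0xA0, uri)                           # fullName [0] IMPLICIT GeneralNames
    return der_tlv(0x30, der_tlv(0xA0, full_name)            # distributionPoint [0] EXPLICIT
                   + der_tlv(0x81, b"\xff")                  # onlyContainsUserCerts [1]
                   + der_tlv(0x84, b"\xff"))                 # indirectCRL [4]


if __name__ == "__main__":
    idp = parse_idp(sample_idp())
    print(idp)
    for platform in SUPPORTED:
        print(f"{platform:>14}: unsupported IDP fields -> {unsupported_fields(idp, platform)}")
```

To apply this to a real third-party CRL, pass `parse_idp` the bytes inside the IDP extension's OCTET STRING (extracted with a DER tool such as `openssl asn1parse`). For the constructed sample, Windows Server 2003 and Windows XP reject only the indirectCRL field, while Windows 2000 with MS04-011 also rejects the distributionPoint field and the older versions reject every field present.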
REFERENCES
For additional information about Microsoft security update MS04-011, click the following article number to view the article in the Microsoft Knowledge Base:
835732
MS04-011: Security update for Microsoft Windows
For additional information about CRLs and about the CRL IDP extensions that Windows supports, visit the following Microsoft Web sites:
For additional information about CRL IDP extensions, view the Twg-99-01.pdf file. To do this, visit the following Computer Security Resource Center (CSRC) Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Modification Type: Major
Last Reviewed: 7/31/2006
Keywords: kb3rdparty kbwinservds kbSecurityServices kbActiveDirectory kbwhitepaper kbtshoot KB884325 kbAudITPRO