Microsoft KB Archive/884325

= You receive a "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" error message when a third-party CRL tries to validate a third-party certificate on a computer that is running Windows Server 2003, Windows XP, Windows 2000, or Windows NT =

Article ID: 884325

Article Last Modified on 2/7/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-





SYMPTOMS
When a third-party Certificate Revocation List (CRL) is used to validate a third-party certificate on a computer that is running one of the Microsoft products in the "Applies to" section, you receive the following error message:

CERT_TRUST_REVOCATION_STATUS_UNKNOWN



CAUSE
This issue may occur if the third-party CRL contains Issuing Distribution Point (IDP) extension fields that Windows does not support.



STATUS
This behavior is by design.



MORE INFORMATION
You cannot use a CRL that contains IDP extension fields on a Microsoft Windows Server product that is an earlier version than Microsoft Windows Server 2003. Windows Server 2003 partially supports CRLs that contain certain IDP extension fields. In Windows Server 2003, CryptoAPI compares the IDP extension of the CRL with the CRL Distribution Point (CDP) extension of the certificate when it validates the certificate. If the CRL contains IDP extension fields that Windows does not support, CryptoAPI cannot validate the certificate.

Microsoft Windows XP also partially supports CRLs that contain certain IDP extension fields.

The following IDP extension fields may be used in a CRL:
 * distributionPoint
 * onlyContainsUserCerts
 * onlyContainsCACerts
 * onlySomeReasons
 * indirectCRL

The IDP extension is a critical CRL extension whose fields specify the scope of a CRL. A Certification Authority (CA) can use the distributionPoint IDP extension field to specify the location of the CRL. The onlyContainsUserCerts and onlyContainsCACerts IDP extension fields specify that the CRL contains only end-entity (user) certificates or only CA certificates, respectively. The onlySomeReasons IDP extension field specifies the revocation reasons that the CRL covers, so the CRL can be used to validate a certificate only for those reasons. If the CRL that you use is not issued by the CA that issued the certificate, the indirectCRL IDP extension field marks the CRL as an indirect CRL, and the information about the actual CRL issuer must be validated from the CRL itself.

Microsoft Windows 2000 with the MS04-11 security update installed, Windows XP, and Windows Server 2003 support the following IDP extension fields:
 * onlyContainsUserCerts
 * onlyContainsCACerts

Only Windows XP and Windows Server 2003 support the distributionPoint IDP extension field.

Microsoft Windows NT and Windows 2000 without MS04-11 installed do not support the IDP extension fields.
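To see which IDP fields a given CRL carries before deploying it to the platforms above, the following added example (not part of the article or of CryptoAPI) decodes the DER-encoded IDP extension value, lists the fields that are present, and compares them against the per-platform support table stated in this article. The support table, the platform labels and the sample IDP value built at the bottom are constructed for this example; the tag numbers follow the IssuingDistributionPoint ASN.1 definition in RFC 5280 section 5.2.5.

```python
# Per-platform IDP field support as stated in this article (constructed table).
SUPPORTED = {
    "Windows Server 2003": {"distributionPoint", "onlyContainsUserCerts", "onlyContainsCACerts"},
    "Windows XP": {"distributionPoint", "onlyContainsUserCerts", "onlyContainsCACerts"},
    "Windows 2000 + MS04-11": {"onlyContainsUserCerts", "onlyContainsCACerts"},
    "Windows 2000 (no MS04-11)": set(),
    "Windows NT": set(),
}

# Context-specific tag numbers of the IssuingDistributionPoint SEQUENCE members.
IDP_TAGS = {0: "distributionPoint", 1: "onlyContainsUserCerts", 2: "onlyContainsCACerts",
            3: "onlySomeReasons", 4: "indirectCRL", 5: "onlyContainsAttributeCerts"}

def der_tlvs(data):
    """Yield (tag, value) for each DER TLV in data (short and long-form lengths)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def idp_fields(ext_value):
    """Return the set of IDP field names present in a DER-encoded IDP extension value."""
    (tag, body), = der_tlvs(ext_value)
    if tag != 0x30:
        raise ValueError("IDP extension value is not a SEQUENCE")
    present = set()
    for tag, value in der_tlvs(body):
        number = tag & 0x1F
        if number not in IDP_TAGS:
            raise ValueError(f"unexpected tag 0x{tag:02x} in IDP")
        if number in (1, 2, 4, 5) and value == b"\x00":   # BOOLEAN DEFAULT FALSE: FALSE == absent
            continue
        present.add(IDP_TAGS[number])
    return present

def unsupported_fields(ext_value, platform):
    """IDP fields that make the CRL unusable on platform (revocation status unknown)."""
    return idp_fields(ext_value) - SUPPORTED[platform]

def tlv(tag, value):
    """Encode one DER TLV (short-form length only, enough for this sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample IDP: distributionPoint with one URI, onlyContainsUserCerts TRUE, indirectCRL TRUE.
uri = tlv(0x86, b"http://crl.example.test/ca.crl")   # GeneralName [6] uniformResourceIdentifier
dp = tlv(0xA0, tlv(0xA0, uri))                       # [0] EXPLICIT DistributionPointName { fullName [0] }
SAMPLE_IDP = tlv(0x30, dp + tlv(0x81, b"\xff") + tlv(0x84, b"\xff"))

if __name__ == "__main__":
    for platform in SUPPORTED:
        print(f"{platform}: unsupported IDP fields = {sorted(unsupported_fields(SAMPLE_IDP, platform))}")
```

For a real CRL, pass the raw value of the extension with OID 2.5.29.28 to `idp_fields`; a non-empty result from `unsupported_fields` for the target platform means the CRL will not be usable there.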

