Select the product you need help with

You receive a "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" error message when a third-party CRL tries to validate a third-party certificate on a computer that is running Windows Server 2003, Windows XP, Windows 2000, or Windows NT

Article ID: 884325 - View products that this article applies to.

SYMPTOMS

When a third-party Certification Revocation List (CRL) tries to validate a third-party certificate on a computer that is running one of the Microsoft products in the "Applies to" section, you receive the following error message:

CERT_TRUST_REVOCATION_STATUS_UNKNOWN

Back to the top | Give Feedback

CAUSE

This issue may occur if the third-party CRL contains Issuer Distribution Point (IDP) extension fields that Windows does not support.

Back to the top | Give Feedback

STATUS

This behavior is by design.

Back to the top | Give Feedback

MORE INFORMATION

You cannot use a CRL that contains IDP extension fields on a Microsoft Windows Server product that is an earlier version than Microsoft Windows Server 2003. Windows Server 2003 partially supports CRLs that contain certain IDP extension fields. In Windows Server 2003, the CryptoAPI function compares the CRL IDP extension field with the Certificate Distribution Point (CDP) extension of a certificate to validate the certificate. If you use a CRL that contains IDP extension fields that Windows does not support, the CryptoAPI function cannot validate the certificate.

Microsoft Windows XP also partially supports CRLs that contain certain IDP extension fields.

The following IDP extension fields may be used in a CRL:

distributionPoint
onlyContainsUserCerts
onlyContainsCACerts
onlySomeReasons
indirectCRL

The IDP extension is a critical CRL extension that uses certain fields to specify certain attributes in a CRL. A Certification Authority (CA) can use the distributionPoint IDP extension field to specify the location of the CRL. The onlyContainsUserCerts IDP extension field and the onlyContainsCACerts IDP extension field specify that a CRL contains only CA certificates or only user certificates. The onlySomeReasons IDP extension field specifies conditions that a CRL can use to validate a certificate. If the CRL that you use is not issued by your CA, you can use the indirectCRL IDP extension field to validate the information about the CRL issuer.

Microsoft Windows 2000 with the MS04-11 security update installed, Windows XP, and Windows Server 2003 support the following IDP extension fields:

onlyContainsUserCerts
onlyContainsCACerts

Only Windows XP and Windows Server 2003 support the distributionPoint IDP extension field.

Microsoft Windows NT and Windows 2000 without MS04-11 installed do not support the IDP extension fields.

Back to the top | Give Feedback

REFERENCES

For additional information about Microsoft security update MS04-011, click the following article number to view the article in the Microsoft Knowledge Base:

835732

(http://support.microsoft.com/kb/835732/ )

MS04-011: Security update for Microsoft Windows

For additional information about CRLs and about CRL IDP extensions that Windows supports, visit the following Microsoft Web sites:

http://technet2.microsoft.com/windowsserver/en/library/D7CD44F4-B39A-4D35-BB56-A239F72B7E4C1033.mspx

(http://technet2.microsoft.com/windowsserver/en/library/D7CD44F4-B39A-4D35-BB56-A239F72B7E4C1033.mspx)

http://technet.microsoft.com/en-us/library/cc700843.aspx

(http://technet.microsoft.com/en-us/library/cc700843.aspx)

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Back to the top | Give Feedback