You receive a "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" error message when a third-party CRL tries to validate a third-party certificate on a computer that is running Windows Server 2003, Windows XP, Windows 2000, or Windows NT
This article has been archived. It is offered "as is" and will no longer be updated.
When a third-party Certification Revocation List (CRL) tries to validate a third-party certificate on a computer that is running one of the Microsoft products in the "Applies to" section, you receive the following error message:
This issue may occur if the third-party CRL contains Issuer Distribution Point (IDP) extension fields that Windows does not support.
This behavior is by design.
You cannot use a CRL that contains IDP extension fields on a Microsoft Windows Server product that is an earlier version than Microsoft Windows Server 2003. Windows Server 2003 partially supports CRLs that contain certain IDP extension fields. In Windows Server 2003, the CryptoAPI function compares the CRL IDP extension field with the Certificate Distribution Point (CDP) extension of a certificate to validate the certificate. If you use a CRL that contains IDP extension fields that Windows does not support, the CryptoAPI function cannot validate the certificate.
Microsoft Windows XP also partially supports CRLs that contain certain IDP extension fields.
The following IDP extension fields may be used in a CRL:
The IDP extension is a critical CRL extension that uses certain fields to specify certain attributes in a CRL. A Certification Authority (CA) can use the distributionPoint IDP extension field to specify the location of the CRL. The onlyContainsUserCerts IDP extension field and the onlyContainsCACerts IDP extension field specify that a CRL contains only CA certificates or only user certificates. The onlySomeReasons IDP extension field specifies conditions that a CRL can use to validate a certificate. If the CRL that you use is not issued by your CA, you can use the indirectCRL IDP extension field to validate the information about the CRL issuer.
Microsoft Windows 2000 with the MS04-11 security update installed, Windows XP, and Windows Server 2003 support the following IDP extension fields:
Only Windows XP and Windows Server 2003 support the distributionPoint IDP extension field.
Microsoft Windows NT and Windows 2000 without MS04-11 installed do not support the IDP extension fields.
For additional information about Microsoft security update MS04-011, click the following article number to view the article in the Microsoft Knowledge Base:
835732 MS04-011: Security update for Microsoft Windows
For additional information about CRLs and about CRL IDP extensions that Windows supports, visit the following Microsoft Web sites:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.