3.1.4.1.5 ICertAdminD::IsValidCertificate (Opnum 7)

The IsValidCertificate method verifies the certificate against the CA key and verifies that the certificate has not been revoked.

 HRESULT IsValidCertificate(
   [in, string, unique] wchar_t const* pwszAuthority,
   [in, string, unique] wchar_t const* pSerialNumber,
   [out] LONG* pRevocationReason,
   [out] LONG* pDisposition
 );

pwszAuthority: See the pwszAuthority definition in ICertAdminD::SetExtension (section 3.1.4.1.1).

pSerialNumber: A null-terminated Unicode string specifying a serial number that identifies the certificate to be reviewed. The string MUST specify the serial number as an even number of hexadecimal digits. If necessary, a zero can be prefixed to the number to produce an even number of digits. The string MUST NOT contain more than one leading zero. Information about the serial number is as specified in [RFC3280] section 4.1.2.2.

pRevocationReason: A pointer to a LONG value that receives the revocation reason code. The revocation reason code MUST be one of the following values that are defined for CRLReason, as specified in [RFC3280] section 5.3.1.

   Value   Meaning
   0       unspecified
   1       keyCompromise
   2       cACompromise
   3       affiliationChanged
   4       superseded
   5       cessationOfOperation
   6       certificateHold

pDisposition: A pointer to a LONG that receives the disposition status of the request. This parameter MUST be one of the following values.

   Value        Meaning
   0x00000002   The certificate has been revoked.
   0x00000003   The certificate is still valid.
   0x00000004   The certificate was never issued.

The following processing rules apply:

  1. Unless otherwise specified in the processing rules that follow, the value that is returned as pRevocationReason SHOULD be 0.

  2. The CA MUST look up a row in the Request table where the value of the Serial_Number column is identical to the value that is provided in the pSerialNumber parameter:

    • If a row is not found, the CA MUST return 4 in the pDisposition parameter.

    • If a row is found, this row is referred to as the identified row in the following processing rules.

  3. The CA MUST inspect the value of the Request_Disposition column in the identified row and apply the following rules:

    • If the value is "certificate issued", the CA MUST return 3 in the pDisposition parameter.

    • If the value is "certificate revoked" and the value in Request_Revocation_Date is greater than the current time, the CA MUST return 3 in the pDisposition parameter.

    • If the value is "certificate revoked" and the value in Request_Revocation_Date contains a value that is less than or equal to the current time, the CA MUST return 2 in the pDisposition parameter, read the Request_Revoked_Reason property from the Request table, and return the value as the pRevocationReason argument.
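The following is an added example and is not part of the MS-CSRA specification or of any Microsoft implementation. It models the pSerialNumber formatting rules and the three processing rules above in Python, run against a constructed in-memory Request table. The RequestRow type, its field names, the SAMPLE_TABLE rows and the reference time NOW are constructed for the example. Two points the rules above do not cover are handled as this example's assumptions: a Request_Disposition value other than "certificate issued" or "certificate revoked" is reported as never issued (4), and a revoked row with no Request_Revocation_Date is treated as already revoked.

```python
"""Model of ICertAdminD::IsValidCertificate processing rules (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple

# pDisposition values from the table above
DISPOSITION_REVOKED = 0x00000002
DISPOSITION_VALID = 0x00000003
DISPOSITION_NEVER_ISSUED = 0x00000004

# CRLReason codes (RFC 3280 section 5.3.1) as listed for pRevocationReason
CRL_REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold",
}


@dataclass
class RequestRow:
    """One row of the Request table (constructed field names for the example)."""
    serial_number: str                          # Serial_Number column, hex digits
    disposition: str                            # Request_Disposition column
    revocation_date: Optional[datetime] = None  # Request_Revocation_Date column
    revoked_reason: int = 0                     # Request_Revoked_Reason column


def serial_format_error(serial: str) -> Optional[str]:
    """Check the pSerialNumber rules; return a message if violated, else None."""
    if not serial or len(serial) % 2 != 0:
        return "serial number must be a non-empty, even-length hex string"
    if any(c not in "0123456789abcdefABCDEF" for c in serial):
        return "serial number must contain only hexadecimal digits"
    if serial.startswith("00"):
        return "serial number must not contain more than one leading zero"
    return None


def is_valid_certificate(table: Iterable[RequestRow], serial: str,
                         now: Optional[datetime] = None) -> Tuple[int, int]:
    """Return (pDisposition, pRevocationReason) for the given serial number."""
    error = serial_format_error(serial)
    if error is not None:
        raise ValueError(error)
    now = now or datetime.now(timezone.utc)
    reason = 0  # rule 1: pRevocationReason defaults to 0

    # rule 2: find the row whose Serial_Number matches pSerialNumber
    key = serial.lower()
    row = next((r for r in table if r.serial_number.lower() == key), None)
    if row is None:
        return DISPOSITION_NEVER_ISSUED, reason

    # rule 3: inspect Request_Disposition of the identified row
    if row.disposition == "certificate issued":
        return DISPOSITION_VALID, reason
    if row.disposition == "certificate revoked":
        # A revocation date in the future means the certificate is still valid.
        if row.revocation_date is not None and row.revocation_date > now:
            return DISPOSITION_VALID, reason
        # Date at or before now (or absent: assumption) -> revoked, with reason.
        return DISPOSITION_REVOKED, row.revoked_reason
    # Assumption: any other disposition (pending, denied, ...) is reported as 4.
    return DISPOSITION_NEVER_ISSUED, reason


# Constructed sample data for the example
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_TABLE = [
    RequestRow("1a2b", "certificate issued"),
    RequestRow("3c4d", "certificate revoked",
               datetime(2023, 12, 1, tzinfo=timezone.utc), 1),   # keyCompromise
    RequestRow("5e6f", "certificate revoked",
               datetime(2024, 6, 1, tzinfo=timezone.utc), 6),    # future hold
]

if __name__ == "__main__":
    for serial in ("1a2b", "3c4d", "5e6f", "7788"):
        disposition, reason = is_valid_certificate(SAMPLE_TABLE, serial, NOW)
        print(f"{serial}: disposition=0x{disposition:08x} "
              f"reason={reason} ({CRL_REASON_NAMES.get(reason, '?')})")
```

Note the ordering in rule 3: a row marked "certificate revoked" with a Request_Revocation_Date in the future still reports 3 (valid), so a relying party that only checks the disposition string would disagree with the CA until the date passes.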