CAPI Plugin Configuration
Checking a certificate's revocation status ends in one of three states: the certificate is definitively Good or Revoked, or its status is Unknown because some error prevented a determination. CAPI, however, defines four response types that a revocation provider can return: Good, Revoked, No Revocation Check, and Server Offline. (These correspond to the results CAPI's CertVerifyRevocation recognizes: success, CRYPT_E_REVOKED, CRYPT_E_NO_REVOCATION_CHECK, and CRYPT_E_REVOCATION_OFFLINE.) CAPI performs no further revocation checking when the response is Good or Revoked, because the answer is definitive, nor when it is Server Offline, because the check is treated as failed. Only when the response is No Revocation Check does CAPI fall through to its other revocation mechanisms, such as other installed revocation providers and its built-in CRL and OCSP checking.
When the Validation Client receives a revocation status request from CAPI and cannot determine the certificate's status, it must still return one of the four CAPI response types (Good, Revoked, No Revocation Check, or Server Offline). The Validation Client is therefore configured with the response to return for each condition that prevents a determination. Because only No Revocation Check allows CAPI to go on and validate the certificate by other means, that is the response to configure for conditions where CAPI should continue the normal validation sequence; Good and Revoked end the check with a definitive answer, and Server Offline ends it as a failure.
Examples of conditions that may leave the Validation Client unable to determine certificate status include:
- Cannot communicate with the responder
- Response returned is not signed by a trusted authority
- Responder knows nothing about the target certificate
- Responder is unwilling to respond (for example, when an unauthorized request is made)
- A nonce is missing or does not match
- A responder cannot be found
There are certificates that CAPI must be allowed to validate even when OCSP returns an Unknown certificate status. Code-signing certificates are an example. They are typically part of an application or the operating system itself and are considered valid as long as they have not expired and can be shown to have been issued by a trusted authority; CAPI accepts such certificates as valid by default. If the Validation Client attempted to validate one of them using OCSP, it would typically be unable to find a responder for the certificate (the "A responder cannot be found" condition above). In this case the Validation Client should return No Revocation Check so that CAPI continues the normal validation sequence. If the Validation Client is instead configured to return Revoked for that condition, CAPI treats the answer as definitive: a Microsoft Windows code-signing certificate would be reported as revoked and validation of the files it signed would fail, which is unlikely to be the intended behavior.
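To see which of the four outcomes CAPI actually recorded for a code-signing chain on a given machine, the following script is an added example (not code from the Validation Client documentation or its vendor) for both the response-type description and the code-signing scenario above. It asks CAPI, through .NET's X509Chain, to build and revocation-check the chain of the Authenticode signer of a Windows system binary. With a revocation provider such as the Validation Client installed, chain building calls it via CertVerifyRevocation, so the per-element outcome reflects the provider's configuration. The file path is an assumption (any Authenticode-signed file works), and the mapping of X509ChainStatusFlags values to the four response types named in the text is this example's own.

```powershell
# Added example, not part of the Validation Client documentation: ask CAPI to build
# and revocation-check the chain of a Windows code-signing certificate and report,
# per chain element, which of the four outcomes CAPI recorded.
using namespace System.Security.Cryptography.X509Certificates

param(
    # Assumption: the file exists and is Authenticode-signed (embedded or catalog).
    [string]$Path = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe')
)

# Mapping of X509ChainStatusFlags to the four response types is this example's own
# assumption: Revoked -> Revoked, OfflineRevocation -> Server Offline,
# RevocationStatusUnknown -> No Revocation Check, none of these -> Good.
function Get-RevocationOutcome {
    param([X509ChainStatus[]]$Status)
    $bits = 0
    foreach ($s in $Status) { $bits = $bits -bor [int]$s.Status }
    if ($bits -band [int][X509ChainStatusFlags]::Revoked)                 { return 'Revoked' }
    if ($bits -band [int][X509ChainStatusFlags]::OfflineRevocation)       { return 'Server Offline' }
    if ($bits -band [int][X509ChainStatusFlags]::RevocationStatusUnknown) { return 'No Revocation Check' }
    return 'Good'
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    throw "No signer certificate found for $Path (signature status: $($sig.Status))"
}

$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online      # live check, not cache-only
$chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot # roots are never revocation-checked
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$trusted = $chain.Build($sig.SignerCertificate)

"Signer: $($sig.SignerCertificate.Subject)"
"Chain trusted by CAPI: $trusted"
foreach ($element in $chain.ChainElements) {
    [pscustomobject]@{
        Subject = $element.Certificate.Subject
        Outcome = Get-RevocationOutcome $element.ChainElementStatus
        Detail  = ($element.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}
$chain.Dispose()
```

With the Validation Client configured to return No Revocation Check when no responder can be found, the Microsoft code-signing element should show Outcome = Good (CAPI completed validation by its other means) or No Revocation Check, and the chain should be trusted. If the same condition is configured to return Revoked, the element shows Outcome = Revoked and the chain is not trusted, which is the unexpected behavior the text warns about.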