X509VerificationFlags Enum
Specifies conditions under which verification of certificates in the X509 chain should be conducted.
This enumeration supports a bitwise combination of its member values.
C++/CLI: public enum class X509VerificationFlags
C#: [System.Flags] public enum X509VerificationFlags
F#: [<System.Flags>] type X509VerificationFlags =
Visual Basic: Public Enum X509VerificationFlags
Name | Value | Description |
---|---|---|
NoFlag | 0 | No flags pertaining to verification are included. |
IgnoreNotTimeValid | 1 | Ignore certificates in the chain that are not valid either because they have expired or they are not yet in effect when determining certificate validity. |
IgnoreCtlNotTimeValid | 2 | Ignore that the certificate trust list (CTL) is not valid, for reasons such as the CTL has expired, when determining certificate verification. |
IgnoreNotTimeNested | 4 | Ignore that the CA (certificate authority) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA cert can be valid from January 1 to December 1 and the issued certificate from January 2 to December 2, which would mean the validity periods are not nested. |
IgnoreInvalidBasicConstraints | 8 | Ignore that the basic constraints are not valid when determining certificate verification. |
AllowUnknownCertificateAuthority | 16 | Ignore that the chain cannot be verified due to an unknown certificate authority (CA) or partial chains. |
IgnoreWrongUsage | 32 | Ignore that the certificate was not issued for the current use when determining certificate verification. |
IgnoreInvalidName | 64 | Ignore that the certificate has an invalid name when determining certificate verification. |
IgnoreInvalidPolicy | 128 | Ignore that the certificate has invalid policy when determining certificate verification. |
IgnoreEndRevocationUnknown | 256 | Ignore that the end certificate (the user certificate) revocation is unknown when determining certificate verification. |
IgnoreCtlSignerRevocationUnknown | 512 | Ignore that the certificate trust list (CTL) signer revocation is unknown when determining certificate verification. |
IgnoreCertificateAuthorityRevocationUnknown | 1024 | Ignore that the certificate authority revocation is unknown when determining certificate verification. |
IgnoreRootRevocationUnknown | 2048 | Ignore that the root revocation is unknown when determining certificate verification. |
AllFlags | 4095 | All flags pertaining to verification are included. |
The following example opens the current user's personal certificate store, allows the user to select a certificate, then writes certificate and certificate chain information to the console. The output depends on the certificate you select.
C++/CLI:

```cpp
// Output chain information of the selected certificate.
// 'certificate' is the X509Certificate2 the user selected from the store.
X509Chain ^ ch = gcnew X509Chain;
ch->ChainPolicy->RevocationMode = X509RevocationMode::Online;
ch->Build( certificate );
Console::WriteLine( "Chain Information" );
Console::WriteLine( "Chain revocation flag: {0}", ch->ChainPolicy->RevocationFlag );
Console::WriteLine( "Chain revocation mode: {0}", ch->ChainPolicy->RevocationMode );
Console::WriteLine( "Chain verification flag: {0}", ch->ChainPolicy->VerificationFlags );
Console::WriteLine( "Chain verification time: {0}", ch->ChainPolicy->VerificationTime );
Console::WriteLine( "Chain status length: {0}", ch->ChainStatus->Length );
Console::WriteLine( "Chain application policy count: {0}", ch->ChainPolicy->ApplicationPolicy->Count );
Console::WriteLine( "Chain certificate policy count: {0} {1}", ch->ChainPolicy->CertificatePolicy->Count, Environment::NewLine );
```

C#:

```csharp
// Output chain information of the selected certificate.
// 'certificate' is the X509Certificate2 the user selected from the store.
X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
ch.Build (certificate);
Console.WriteLine ("Chain Information");
Console.WriteLine ("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
Console.WriteLine ("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
Console.WriteLine ("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
Console.WriteLine ("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
Console.WriteLine ("Chain status length: {0}", ch.ChainStatus.Length);
Console.WriteLine ("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
Console.WriteLine ("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
```

Visual Basic:

```vb
' Output chain information of the selected certificate.
' 'certificate' is the X509Certificate2 the user selected from the store.
Dim ch As New X509Chain()
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online
ch.Build(certificate)
Console.WriteLine("Chain Information")
Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag)
Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode)
Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags)
Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime)
Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length)
Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count)
Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine)
```
These flags indicate the conditions under which chain verification should occur. For example, if an application does not require the certificate time values in a chain to be valid, the IgnoreNotTimeValid flag can be used. Each flag suppresses a specific X509ChainStatusFlags failure; setting AllFlags suppresses every check and makes Build succeed for any certificate.
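The following is an added example, not code from the page or from .NET's own documentation. It builds a chain for a constructed, already-expired self-signed certificate three times: strictly (NoFlag), with AllFlags, and with NoFlag but the certificate explicitly trusted through X509ChainTrustMode.CustomRootTrust, so that trust in one known root does not require ignoring any verification condition. It assumes .NET 5 or later (CertificateRequest and CustomRootTrust are unavailable on .NET Framework); the expected status values in the comments are assumptions about the running platform.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainFlagAudit
{
    // Constructed input: a throwaway self-signed certificate that expired
    // yesterday, so a strict build should fail on both trust and time.
    static X509Certificate2 MakeExpiredSelfSigned(RSA key)
    {
        var req = new CertificateRequest("CN=chain-flag-audit-demo", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-30),
                                    DateTimeOffset.UtcNow.AddDays(-1));
    }

    // Builds the chain under the given verification flags and returns the
    // union of the remaining chain status flags (NoError when Build succeeds).
    // Revocation checking is disabled so the result is deterministic offline.
    static X509ChainStatusFlags Build(X509Certificate2 cert,
                                      X509VerificationFlags flags,
                                      X509Certificate2 trustedRoot = null)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = flags;
        if (trustedRoot != null)
        {
            // Trust exactly this root instead of the system store; no flag needed.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        }
        chain.Build(cert);
        return chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError,
                                           (acc, s) => acc | s.Status);
    }

    static void Main()
    {
        using var key = RSA.Create(2048);
        using var cert = MakeExpiredSelfSigned(key);
        // Expected: UntrustedRoot | NotTimeValid (assumption, platform dependent).
        Console.WriteLine("NoFlag:      " + Build(cert, X509VerificationFlags.NoFlag));
        // Expected: NoError. AllFlags hides both problems; Build() reports success.
        Console.WriteLine("AllFlags:    " + Build(cert, X509VerificationFlags.AllFlags));
        // Expected: NotTimeValid only. Trust is explicit; the time check still runs.
        Console.WriteLine("CustomRoot:  " + Build(cert, X509VerificationFlags.NoFlag, cert));
    }
}
```

Comparing the first and third results shows which failures are a policy decision (which roots to trust) and which are genuine defects in the certificate, which is the distinction a blanket AllowUnknownCertificateAuthority or AllFlags setting erases.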
Product | Versions |
---|---|
.NET | Core 1.0, Core 1.1, Core 2.0, Core 2.1, Core 2.2, Core 3.0, Core 3.1, 5, 6, 7, 8, 9 |
.NET Framework | 2.0, 3.0, 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1 |
.NET Standard | 1.3, 1.4, 1.6, 2.0, 2.1 |