4.7 NPKIT_x509 Certificate Invalidity Reason Flags

The following flags specify why a certificate is invalid. These values are returned through the cRLReason parameter of the functions NPKIT_VerifyCertChain and NPKIT_VerifyCertChainWithCallback.

| Value | Name | Description |
|---|---|---|
| 0x0000000 | NPKIx509CertificateValid | The certificate is valid. |
| 0x0000001 | NPKIx509Invalid_System_Error | Hardware or network problems were encountered. |
| 0x0000002 | NPKIx509Invalid_Decode_Error | There was a problem decoding the certificate. |
| 0x0000003 | NPKIx509Invalid_Subject_Issuer_Name | The subject name of the issuing certificate does not match the issuer name of the subject certificate. |
| 0x0000004 | NPKIx509Invalid_Future | The certificate's start date is in the future. |
| 0x0000005 | NPKIx509Invalid_Expired | The certificate has expired. |
| 0x0000006 | NPKIx509Invalid_Issuer_Not_CA | The issuer is not a valid CA. |
| 0x0000007 | NPKIx509Invalid_Path_Length | The X.509 basic constraints path length has been violated. |
| 0x0000008 | NPKIx509Invalid_Unknown_Critical_Extension | The certificate contains a critical extension that cannot be understood. |
| 0x0000009 | NPKIx509Invalid_KeyUsage | The key does not support the requested usage. |
| 0x000000A | NPKIx509Invalid_CRL_Decode_Error | An error occurred while decoding the CRL. |
| 0x000000B | NPKIx509Invalid_Certificate_On_CRL | One of the certificates in the chain is on a CRL. |
| 0x000000C | NPKIx509Invalid_Cant_Process_CDP | The certificate contains a distribution point that cannot be processed. |
| 0x000000D | NPKIx509Invalid_Cant_Read_CRL | The CRL could not be read. |
| 0x000000E | NPKIx509Invalid_Invalid_CRL | The CRL is not valid for this certificate. |
| 0x000000F | NPKIx509Invalid_Expired_CRL | The CRL has expired and a new one has not been issued. |
| 0x0000010 | NPKIx509Invalid_CRL_Issuer_Name | The issuer name of the CRL identified in the certificate does not match the issuer name in the CRL retrieved. |
| 0x0000011 | NPKIx509Invalid_Issuer_Not_Trusted | One or more of the certificates in the certificate chain does not exist in the specified trusted root container. NOTE: This error code can only be returned by a call to NPKIVerifyCertificateWithTrustedRoots, and not by any of the NPKIT functions. |
| 0x0000012 | NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL | (An advisory flag.) The CDP (CRL Distribution Point) exists, but the CRL was not checked because you requested that it not be checked. |
| 0x0000013 | NPKIx509Invalid_Invalid_Signature | The signature of the CRL is invalid. |
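Despite the heading, these values are sequential codes (0x00 through 0x13) rather than bit flags, so a cRLReason holds exactly one of them and a caller must switch on the value rather than mask it. The following C is an added example and not NPKIT's own code: it mirrors the table as an enum and shows the distinction a relying party should draw between "the chain is bad", "revocation status could not be determined" (fail closed), and the advisory "CRL deliberately not checked" code. The verdict names and the accept policy are this example's assumptions, not part of the NPKIT API.

```c
/* Added example (not NPKIT's own code); values mirror the table above. */
#include <stdbool.h>
#include <stdint.h>

enum npkit_crl_reason {
    NPKIx509CertificateValid = 0x00,            NPKIx509Invalid_System_Error = 0x01,
    NPKIx509Invalid_Decode_Error = 0x02,        NPKIx509Invalid_Subject_Issuer_Name = 0x03,
    NPKIx509Invalid_Future = 0x04,              NPKIx509Invalid_Expired = 0x05,
    NPKIx509Invalid_Issuer_Not_CA = 0x06,       NPKIx509Invalid_Path_Length = 0x07,
    NPKIx509Invalid_Unknown_Critical_Extension = 0x08, NPKIx509Invalid_KeyUsage = 0x09,
    NPKIx509Invalid_CRL_Decode_Error = 0x0A,    NPKIx509Invalid_Certificate_On_CRL = 0x0B,
    NPKIx509Invalid_Cant_Process_CDP = 0x0C,    NPKIx509Invalid_Cant_Read_CRL = 0x0D,
    NPKIx509Invalid_Invalid_CRL = 0x0E,         NPKIx509Invalid_Expired_CRL = 0x0F,
    NPKIx509Invalid_CRL_Issuer_Name = 0x10,     NPKIx509Invalid_Issuer_Not_Trusted = 0x11,
    NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL = 0x12, NPKIx509Invalid_Invalid_Signature = 0x13
};

/* Hypothetical verdict classes (this example's own): the certificate itself is
 * bad; revocation status could not be determined (treat as failure unless policy
 * explicitly says otherwise); or the advisory "CRL not checked" marker. */
enum verdict { VERDICT_VALID, VERDICT_REJECT, VERDICT_STATUS_UNKNOWN, VERDICT_ADVISORY };

enum verdict classify_reason(uint32_t reason) {
    switch (reason) {
    case NPKIx509CertificateValid:                     return VERDICT_VALID;
    case NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL: return VERDICT_ADVISORY;
    case NPKIx509Invalid_System_Error:      /* hardware or network trouble     */
    case NPKIx509Invalid_CRL_Decode_Error:  /* CRL fetched but unparseable     */
    case NPKIx509Invalid_Cant_Process_CDP:  /* distribution point unusable     */
    case NPKIx509Invalid_Cant_Read_CRL:     /* CRL unreachable                 */
    case NPKIx509Invalid_Expired_CRL:       /* stale CRL, no replacement       */
        return VERDICT_STATUS_UNKNOWN;      /* revocation could not be proven  */
    default:                                /* every other code: chain is bad  */
        return VERDICT_REJECT;
    }
}

/* Policy: accept a clean result, or the advisory code only when the caller
 * deliberately skipped CRL checking; never accept "status unknown". */
bool accept_verify_result(uint32_t reason, bool crl_check_requested) {
    switch (classify_reason(reason)) {
    case VERDICT_VALID:    return true;
    case VERDICT_ADVISORY: return !crl_check_requested;
    default:               return false;
    }
}
```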

4.7.1 NPKIT_x509 CRL Distribution Point Reason Code

The following flags are used to specify why a CRL distribution point is invalid. These values are used by the reasons parameter in the function NPKIT_x509CRLDistributionPoint.

| Value | Name | Description |
|---|---|---|
| 0 | PKI_UNSPECIFIED | The reason is not specified. |
| 1 | PKI_KEY_COMPROMISED | Invalid because the key was compromised. |
| 2 | PKI_CA_COMPROMISED | Invalid because the certificate authority was compromised. |
| 3 | PKI_AFFILIATION_CHANGED | Invalid because the certificate's affiliation was inappropriately changed. |
| 4 | PKI_SUPERSEDED | Invalid because the certificate has been superseded. |
| 5 | PKI_CESSATION_OF_OPERATION | Invalid because the CA is no longer operational. |
| 6 | PKI_CERTIFICATE_HOLD | Invalid because the certificate has been placed on hold. |
| 7 | PKI_PRIVILEDGE_WITHDRAWN | Invalid because the user's privileges have been withdrawn by the CA. |
| 8 | PKI_AA_COMPROMISE | Invalid because the certificate has been compromised. |