Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

This function performs the enabled verification checks on a certificate by checking the validity of the certificate's issuer. The new certificate chain verification functions are recommended instead of this function.

Syntax

BOOL WINAPI CertVerifySubjectCertificateContext(
  PCCERT_CONTEXT pSubject,
  PCCERT_CONTEXT pIssuer,
  DWORD* pdwFlags
);

Parameters

pSubject

[in] Pointer to a CERT_CONTEXT structure containing the subject's certificate.

pIssuer

[in] Optional. Pointer to a CERT_CONTEXT structure containing the issuer's certificate. When checking just CERT_STORE_TIME_VALIDITY_FLAG, the pIssuer parameter can be NULL.

pdwFlags

[in, out] On input, pointer to a DWORD that contains verification check flags. The following table shows flags that can be set to enable verification checks on the subject certificate. The flags can be combined using a bitwise OR operation to enable multiple verifications.

| Value | Description |
| --- | --- |
| CERT_STORE_SIGNATURE_FLAG | Uses the public key in the issuer's certificate to verify the signature on the subject certificate. |
| CERT_STORE_TIME_VALIDITY_FLAG | Gets the current time and verifies that it is within the subject certificate's validity period. |

If an enabled verification check succeeds, its flag is set to zero. If it fails, then its flag is set on output.

If CERT_STORE_REVOCATION_FLAG is enabled and the issuer does not have a CRL in the store, then CERT_STORE_NO_CRL_FLAG is set in addition to CERT_STORE_REVOCATION_FLAG.

Return Value

If the function succeeds, the return value is TRUE.

If the function fails, the return value is FALSE.

For a verification check failure, TRUE is still returned. FALSE is returned only when a bad parameter is passed in.

For extended error information, call the GetLastError function. The GetLastError function can return E_INVALIDARG, which means that an unsupported bit was set in the pdwFlags parameter. Any combination of CERT_STORE_SIGNATURE_FLAG, CERT_STORE_TIME_VALIDITY_FLAG, and CERT_STORE_REVOCATION_FLAG can be set. If the pIssuer parameter is NULL, only CERT_STORE_TIME_VALIDITY_FLAG can be set.

Remarks

The hexadecimal value of the flags can be combined using bitwise OR operations to enable multiple verifications. For example, to enable both signature and time validity, place the CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG value in the pdwFlags DWORD as an input parameter. If CERT_STORE_SIGNATURE_FLAG verification succeeds, but CERT_STORE_TIME_VALIDITY_FLAG verification fails, the pdwFlags parameter is set to CERT_STORE_TIME_VALIDITY_FLAG when the function returns.
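Because TRUE is still returned when a check fails, a caller has to inspect pdwFlags on output rather than the BOOL alone. The following is an added example, not code from the original page: interpret_verify, verify_subject and the check_result codes are hypothetical names, and the non-Windows stand-in definitions are an assumption made only so the decision logic compiles outside Windows.

```c
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else  /* Assumption: stand-ins for non-Windows builds of the decision logic. */
typedef int BOOL;
typedef unsigned long DWORD;
#define CERT_STORE_SIGNATURE_FLAG     0x00000001
#define CERT_STORE_TIME_VALIDITY_FLAG 0x00000002
#define CERT_STORE_REVOCATION_FLAG    0x00000004
#define CERT_STORE_NO_CRL_FLAG        0x00010000
#endif

/* Hypothetical result codes for this example. */
typedef enum {
    CHECK_PASSED,            /* call succeeded and every enabled flag was cleared */
    CHECK_CALL_FAILED,       /* FALSE returned: bad parameter, nothing was verified */
    CHECK_BAD_SIGNATURE,     /* CERT_STORE_SIGNATURE_FLAG still set on output */
    CHECK_NOT_TIME_VALID,    /* CERT_STORE_TIME_VALIDITY_FLAG still set on output */
    CHECK_NO_CRL,            /* revocation enabled but issuer has no CRL in the store */
    CHECK_REVOCATION_FAILED, /* CERT_STORE_REVOCATION_FLAG set without NO_CRL */
    CHECK_OTHER_FAILURE      /* any other bit left set: treat as a failure */
} check_result;

/* Combine the BOOL return value with the output value of *pdwFlags. */
check_result interpret_verify(BOOL ok, DWORD flags_out)
{
    if (!ok) return CHECK_CALL_FAILED;
    if (flags_out & CERT_STORE_SIGNATURE_FLAG) return CHECK_BAD_SIGNATURE;
    if (flags_out & CERT_STORE_TIME_VALIDITY_FLAG) return CHECK_NOT_TIME_VALID;
    if (flags_out & CERT_STORE_NO_CRL_FLAG) return CHECK_NO_CRL;
    if (flags_out & CERT_STORE_REVOCATION_FLAG) return CHECK_REVOCATION_FAILED;
    return flags_out ? CHECK_OTHER_FAILURE : CHECK_PASSED;
}

#ifdef _WIN32
/* Enable signature and time checks, then accept only CHECK_PASSED. */
check_result verify_subject(PCCERT_CONTEXT subject, PCCERT_CONTEXT issuer)
{
    DWORD flags = CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
    BOOL ok = CertVerifySubjectCertificateContext(subject, issuer, &flags);
    return interpret_verify(ok, flags);
}
#endif
```

Treating CHECK_NO_CRL as a failure is a policy choice in this example; it separates "revocation could not be checked" from the other outcomes so the caller can decide explicitly.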

Requirements

Header: wincrypt.h
Library: crypt32.lib
Windows Embedded CE: Windows CE 3.0 and later
Windows Mobile: Windows Mobile Version 5.0 and later
