Hello,
The CertificateEngine.Internal uses our custom certificate validator to validate the certificate chain and to check the revocation status of its certificates. The error is related to the CRL parser (part of the revocation status check), which means the error will always arise when you explicitly use CertificateEngine.Internal (note: if you use ValidationOptions.SkipRevocationCheck, the error will not be thrown because the CRL parsing routine will be skipped).
If you use CertificateEngine.Default, the certificate chain (and revocation status) is validated by the native certificate validator first. However, our custom validator is used automatically on devices where the native validator failed - for example on devices without SHA-2 support.
This means that device A was not able to validate the certificate chain using the native validator. In such a case, our custom validator was used and failed during CRL parsing.
On device B the native validator was able to validate the certificate chain, so our custom validator was not used and the error was not thrown (or the CRL was not parsed, for example due to usage of ValidationOptions.SkipRevocationCheck).
The CertificateChainEngine is some extra thing here. The idea is: all certificates are validated by the globally set CertificateEngine, but you can validate particular chains using your preferred engine by specifying the CertificateChainEngine argument.
Example of use:
You can set CertificateEngine.Internal to validate all "unknown" certificates by the custom validator, to be able to log the validation process in great detail.
And you can use chain.Validate(..., CertificateChainEngine.CurrentUser) to validate "well-known" certificates by the native validator, to make the validation as fast as possible without the need to reset the global CertificateEngine.