CertificateEngine.Internal uses our custom certificate validator to validate the certificate chain and to check the revocation status of its certificates. The error is related to the CRL parser (part of the revocation status check), which means the error will always arise when you explicitly use CertificateEngine.Internal (note: if you use ValidationOptions.SkipRevocationCheck the error will not be thrown, because the CRL parsing routine will be skipped).
If you use CertificateEngine.Default, the certificate chain (and revocation status) is validated by the native certificate validator first. However, our custom validator is used automatically on devices where the native validator fails, for example on devices lacking SHA-2 support.
This means that device A was not able to validate the certificate chain using the native validator. In that case, our custom validator was used and failed during CRL parsing.
On device B the native validator was able to validate the certificate chain, so our custom validator was not used and the error was not thrown (or the CRL was not parsed, for example due to usage of the
CertificateChainEngine is some extra thing here. The idea is: all certificates are validated by the globally set CertificateEngine, but you can validate particular chains using your preferred engine by specifying the
Example of use:
You can set CertificateEngine.Internal to validate all "unknown" certificates by the custom validator, to be able to log the validation process in great detail.
And you can use chain.Validate(..., CertificateChainEngine.CurrentUser) to validate "well-known" certificates by the native validator, to make the validation as fast as possible without the need to reset the global