"NotTimeNested" not detected when doing chain validation

Hi all,

When doing certificate chain validation with the X509Chain class in .NET, you may notice that the ChainStatus property never returns NotTimeNested, even when the certificate's validity period is not nested within the issuing certificate's validity period.

.NET is just surfacing the results of the CertGetCertificateChain API it calls behind the scenes. You would expect that API to return CERT_TRUST_IS_NOT_TIME_NESTED in the resulting CERT_CHAIN_CONTEXT.CERT_TRUST_STATUS struct. But it doesn't.

The reason is that the CERT_TRUST_IS_NOT_TIME_NESTED error status is no longer supported. We discontinued that check about a decade ago.

Note that CERT_TRUST_IS_NOT_TIME_NESTED has already been removed from this MSDN article: CERT_TRUST_STATUS Structure.

Also note that we won't be able to remove NotTimeNested from the X509ChainStatusFlags documentation because the flag is part of an existing enumeration. Instead, we will add a note stating that the value will never be set to the X509ChainStatusFlags Enumeration docs for .NET Framework 4.0 and .NET Framework 3.5. The .NET Framework 2.0 pages are not being updated anymore, so there won't be any changes to the X509ChainStatusFlags Enumeration docs for .NET Framework 2.0.

I hope this helps.
Alex (Alejandro Campos Magencio)
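Since the flag is never set, an application that still cares about time nesting has to check it itself after X509Chain.Build(). The following is an added example (not the author's code or part of the .NET API) that walks the built chain and compares each certificate's validity period with its issuer's; the certificate file path is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example: CertGetCertificateChain no longer reports
// CERT_TRUST_IS_NOT_TIME_NESTED, so X509ChainStatusFlags.NotTimeNested is never
// present in ChainStatus. If the check still matters to you, do it by hand
// against the chain elements. The certificate path below is a placeholder.
static class TimeNesting
{
    // Returns one message per chain element whose validity period is not fully
    // contained within its issuer's validity period. Empty list = all nested.
    public static List<string> FindNotTimeNested(X509Chain chain)
    {
        var findings = new List<string>();
        X509ChainElementCollection elements = chain.ChainElements;
        // Element i was issued by element i+1; the last element (root) has no issuer.
        for (int i = 0; i < elements.Count - 1; i++)
        {
            X509Certificate2 cert = elements[i].Certificate;
            X509Certificate2 issuer = elements[i + 1].Certificate;
            if (cert.NotBefore < issuer.NotBefore || cert.NotAfter > issuer.NotAfter)
            {
                findings.Add(string.Format(
                    "{0}: valid {1:u} .. {2:u} is not nested in issuer {3}: {4:u} .. {5:u}",
                    cert.Subject, cert.NotBefore, cert.NotAfter,
                    issuer.Subject, issuer.NotBefore, issuer.NotAfter));
            }
        }
        return findings;
    }

    static void Main()
    {
        var leaf = new X509Certificate2(@"C:\path\to\leaf.cer"); // placeholder path
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool built = chain.Build(leaf);

        // ChainStatus still reports NotTimeValid, UntrustedRoot, etc., just never NotTimeNested.
        Console.WriteLine("Build returned {0}", built);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  ChainStatus: {0} ({1})", status.Status, status.StatusInformation.Trim());

        // The manual time-nesting check is independent of the flags above.
        foreach (string finding in FindNotTimeNested(chain))
            Console.WriteLine("  NotTimeNested: {0}", finding);
    }
}
```

A non-nested validity period is not by itself a trust failure under RFC 5280 path validation, which is why the check could be dropped; treat a finding as a policy signal rather than a reason to reject the chain unless your own policy requires nesting.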
Comments (1)

  1. Frank says:

    As I tried on some not_time_nested certificate chains, this error is not returned after calling CertVerifyCertificateChainPolicy. Maybe we just need to update MSDN.