What certificate validation checks are done in CryptoAPI?

Dear all,

I was reading the NPS-related certificate page on TechNet:

Certificate Requirements for PEAP and EAP

http://technet.microsoft.com/en-us/library/cc731363.aspx

I was going through this sentence:

The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy nor the Certificate object identifier checks that are specified in IAS remote access policy or NPS network policy.

I asked myself the question: what kind of checks are actually performed by CryptoAPI? Is there such a list that non-developer IT pros can understand? Perhaps some PPT presentation from Microsoft that lists the possible parameters that can fail during a validation check.

For example:

  • untrusted issuer or Root CA (in short: chain of trust is incomplete)
  • common name in the certificate does not match the actual server FQDN
  • actual server FQDN does not match any SAN entries of the certificate
  • current date is before or after the certificate validity period (current date is before: not yet valid, or after: certificate expired)
  • certificate has been explicitly revoked (checked via CRL solution)
  • unsupported/unknown algorithm (for signature, encryption, hashing, etc.)
  • expected EKU is missing from the certificate (for example the application expects the server EKU, but it's not in the certificate)
  • and anything else that may not even come to my mind

Is there such a list? (I really hope the answer is "yes!") Again, I am not a developer; I need to understand the scenarios where a certificate is marked by CryptoAPI as non-usable.

Thanks!
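Added example, not part of the original post or the TechNet article: a PowerShell script that asks the CryptoAPI chain engine itself which checks a certificate fails. .NET's X509Chain wraps CertGetCertificateChain, and each X509ChainStatusFlags value it reports is one error bit of CryptoAPI's CERT_TRUST_STATUS, so the flag names are, in effect, the list the question asks for. The certificate path and the required EKU (Client Authentication, as in the quoted NPS requirement) are assumptions; point $CertPath at any DER or Base64 .cer file.

```powershell
# Added example (not from the original post). Builds a CryptoAPI chain for a
# certificate through .NET's X509Chain (a wrapper over CertGetCertificateChain)
# and prints every failure flag the engine reports. $CertPath and $RequiredEku
# are assumptions; replace them with the certificate and EKU you care about.
param(
    [string]$CertPath    = 'C:\temp\client.cer',    # placeholder path
    [string]$RequiredEku = '1.3.6.1.5.5.7.3.2'      # Client Authentication
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Policy knobs decide which checks run. Online revocation makes the engine fetch the
# CRL/OCSP response; if it cannot, you get RevocationStatusUnknown / OfflineRevocation.
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.VerificationTime  = Get-Date
# Require the EKU the relying party expects; a certificate without it fails with NotValidForUsage.
[void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList $RequiredEku))

$ok      = $chain.Build($cert)
$verdict = if ($ok) { 'PASSED' } else { 'FAILED' }
Write-Output "Chain build $verdict for: $($cert.Subject)"
Write-Output "  Valid from $($cert.NotBefore) to $($cert.NotAfter)"

# Show the EKUs actually present (extension OID 2.5.29.37) next to the one we required.
Write-Output "  EKUs present (required: $RequiredEku):"
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    foreach ($eku in $ekuExt.EnhancedKeyUsages) { Write-Output "    $($eku.Value) ($($eku.FriendlyName))" }
} else {
    Write-Output '    (no EKU extension: Windows treats the certificate as valid for any purpose)'
}

# Aggregate status (union of all element flags), then per chain element.
# Each Status value is one X509ChainStatusFlags bit, i.e. one CERT_TRUST_STATUS error bit.
Write-Output 'Overall chain status:'
if ($chain.ChainStatus.Count -eq 0) { Write-Output '  NoError' }
foreach ($s in $chain.ChainStatus) { Write-Output "  $($s.Status): $($s.StatusInformation.Trim())" }

for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    Write-Output "Element $i : $($el.Certificate.Subject)"
    if ($el.ChainElementStatus.Count -eq 0) { Write-Output '    NoError' }
    foreach ($s in $el.ChainElementStatus) { Write-Output "    $($s.Status): $($s.StatusInformation.Trim())" }
}

# Every failure condition the chain engine can report, as named by the .NET enumeration.
Write-Output 'All flags the chain engine can raise:'
[Enum]::GetNames([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]) |
    Where-Object { $_ -ne 'NoError' } | ForEach-Object { Write-Output "  $_" }
```

Run it as `.\Get-ChainStatus.ps1 -CertPath .\client.cer`. The flags line up with most of the bullets in the question: UntrustedRoot and PartialChain are the incomplete chain of trust, NotTimeValid is the validity-period failure, Revoked is an explicit CRL/OCSP revocation, NotValidForUsage is the missing EKU, and NotSignatureValid / HasWeakSignature cover bad or weak signature algorithms. One bullet is deliberately absent: the common-name and SAN match against the server FQDN is not something CertGetCertificateChain performs, because the chain engine has no idea what name the caller was connecting to. In CryptoAPI that check belongs to CertVerifyCertificateChainPolicy with the SSL policy, and in the PEAP case it is the client supplicant that compares the server certificate's name against its configured server names.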
