CertGetCRLFromStore function (wincrypt.h)

The CertGetCRLFromStore function gets the first or next certificate revocation list (CRL) context from the certificate store for the specified issuer. The function also performs the enabled verification checks on the CRL. The new Certificate Chain Verification Functions are recommended instead of this function.


Syntax

PCCRL_CONTEXT CertGetCRLFromStore(
  [in]           HCERTSTORE     hCertStore,
  [in, optional] PCCERT_CONTEXT pIssuerContext,
  [in]           PCCRL_CONTEXT  pPrevCrlContext,
  [in, out]      DWORD          *pdwFlags
);


Parameters

[in] hCertStore

Handle of a certificate store.

[in, optional] pIssuerContext

A pointer to an issuer CERT_CONTEXT. The pIssuerContext pointer can come from this store or from another store, or it could have been created by calling CertCreateCertificateContext. If NULL is passed for this parameter, all the CRLs in the store are found.

[in] pPrevCrlContext

A pointer to a CRL_CONTEXT. An issuer can have multiple CRLs. For example, it can generate delta CRLs by using an X.509 version 3 extension. This parameter must be NULL on the first call to get the CRL. To get the next CRL for the issuer, set the parameter to the CRL_CONTEXT returned by the previous call. A non-NULL pPrevCrlContext is always freed by this function by calling CertFreeCRLContext, even when the call fails.

[in, out] pdwFlags

The following flag values are defined to enable verification checks on the returned CRL. These flags can be combined using a bitwise-OR operation.

Value Meaning
CERT_STORE_SIGNATURE_FLAG (0x1) Uses the public key in the issuer's certificate to verify the signature on the returned CRL.
CERT_STORE_TIME_VALIDITY_FLAG (0x2) Gets the current time and verifies that it is within the time between the CRL's ThisUpdate and NextUpdate.
CERT_STORE_BASE_CRL_FLAG (0x100) Gets a base CRL.
CERT_STORE_DELTA_CRL_FLAG (0x200) Gets a delta CRL.

If an enabled verification check succeeds, its flag is set to zero.

If an enabled verification check fails, its flag remains set upon return. If pIssuerContext is NULL, then an enabled CERT_STORE_SIGNATURE_FLAG always fails and the CERT_STORE_NO_ISSUER_FLAG is also set. For more details, see Remarks.

If only one of CERT_STORE_BASE_CRL_FLAG or CERT_STORE_DELTA_CRL_FLAG is set, this function returns either a base or delta CRL and the appropriate base or delta flag will be cleared on return. If both flags are set, only one of the flags will be cleared.

For a verification check failure, a pointer to the first or next CRL_CONTEXT is still returned and GetLastError is not updated.

Return value

If the function succeeds, the return value is a pointer to a read-only CRL_CONTEXT.

If the function fails and the first or next CRL is not found, the return value is NULL.

The returned CRL_CONTEXT must be freed by calling CertFreeCRLContext. However, when the returned CRL_CONTEXT is supplied for pPrevCrlContext on a subsequent call, the function frees it.

For extended error information, call GetLastError. Some possible error codes follow.

Value Description
E_INVALIDARG The handle in the hCertStore parameter is not the same as that in the CRL context pointed to by the pPrevCrlContext parameter, or an unsupported flag was set in pdwFlags.
CRYPT_E_NOT_FOUND Either no CRLs existed in the store for the issuer, or the function reached the end of the store's list.


Remarks

CertDuplicateCRLContext can be called to make a duplicate of the returned CRL context.

The hexadecimal values of the flags can be combined using a bitwise-OR operation. For example, to enable both the signature and the time validity verification, set the DWORD value pointed to by pdwFlags to CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG. If the CERT_STORE_SIGNATURE_FLAG verification succeeded but the CERT_STORE_TIME_VALIDITY_FLAG verification failed, the DWORD value pointed to by pdwFlags is set to CERT_STORE_TIME_VALIDITY_FLAG when the function returns, so the flags still set on return identify exactly the checks that failed.
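The following is an added example, not Microsoft's code, showing how the in/out pdwFlags contract described above is handled in practice: the flags are re-armed before every call (the function clears the bits of checks that passed), the bits still set on return are treated as the failed checks, a non-NULL pPrevCrlContext is never freed by the caller because the function frees it, and CRYPT_E_NOT_FOUND is distinguished from a real error. The helper names (crl_failed_checks, crl_is_usable, crl_describe, crl_returned_kind, count_usable_crls) are this example's own; the flag constants reproduced under #else carry the values wincrypt.h defines so the helpers can be built and exercised on a non-Windows host, while the enumeration loop itself requires wincrypt.h and Crypt32.lib.

```c
/* Added example (not Microsoft's code): enumerate the CRLs a store holds for one
 * issuer with CertGetCRLFromStore, re-arming pdwFlags on every call and
 * interpreting which verification checks failed. The flag helpers are portable
 * C; the enumeration loop itself needs wincrypt.h and Crypt32.lib. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#else
/* Flag values as defined in wincrypt.h, reproduced so the helpers build elsewhere. */
typedef unsigned long DWORD;
#define CERT_STORE_SIGNATURE_FLAG      0x00000001
#define CERT_STORE_TIME_VALIDITY_FLAG  0x00000002
#define CERT_STORE_BASE_CRL_FLAG       0x00000100
#define CERT_STORE_DELTA_CRL_FLAG      0x00000200
#define CERT_STORE_NO_ISSUER_FLAG      0x00020000
#endif

/* Verification checks requested on every call. */
#define CRL_CHECKS (CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG)

/* The function clears a check's flag only when that check succeeded, so the
 * bits still set on return are exactly the checks that failed. */
DWORD crl_failed_checks(DWORD flags_out)
{
    return flags_out & CRL_CHECKS;
}

/* Accept a CRL only if every requested check cleared and an issuer was available. */
int crl_is_usable(DWORD flags_out)
{
    return crl_failed_checks(flags_out) == 0 &&
           (flags_out & CERT_STORE_NO_ISSUER_FLAG) == 0;
}

static void append_word(char *buf, size_t buflen, const char *word)
{
    size_t used = strlen(buf);
    snprintf(buf + used, buflen - used, "%s%s", used ? "," : "", word);
}

/* Write a comma-separated reason list into buf ("ok" when nothing failed);
 * returns the number of failed checks. */
int crl_describe(DWORD flags_out, char *buf, size_t buflen)
{
    int n = 0;
    buf[0] = '\0';
    if (flags_out & CERT_STORE_NO_ISSUER_FLAG)     { append_word(buf, buflen, "no-issuer"); n++; }
    if (flags_out & CERT_STORE_SIGNATURE_FLAG)     { append_word(buf, buflen, "bad-signature"); n++; }
    if (flags_out & CERT_STORE_TIME_VALIDITY_FLAG) { append_word(buf, buflen, "outside-validity-window"); n++; }
    if (n == 0) append_word(buf, buflen, "ok");
    return n;
}

/* When base and/or delta were requested, the flag matching the returned CRL is
 * the one that got cleared. Returns 'B', 'D', or '?' if neither was cleared. */
char crl_returned_kind(DWORD flags_in, DWORD flags_out)
{
    DWORD cleared = flags_in & ~flags_out;
    if (cleared & CERT_STORE_BASE_CRL_FLAG)  return 'B';
    if (cleared & CERT_STORE_DELTA_CRL_FLAG) return 'D';
    return '?';
}

#ifdef _WIN32
/* Count the CRLs for pIssuer that pass every check. Returns -1 on an unexpected
 * error (CRYPT_E_NOT_FOUND only means the list is exhausted). */
int count_usable_crls(HCERTSTORE hStore, PCCERT_CONTEXT pIssuer)
{
    PCCRL_CONTEXT pCrl = NULL;
    int usable = 0;
    for (;;) {
        /* pdwFlags is in/out and cleared on success, so set it afresh each call. */
        DWORD flags = CRL_CHECKS;
        char why[96];
        /* A non-NULL pPrevCrlContext is freed by the call itself, even on error. */
        pCrl = CertGetCRLFromStore(hStore, pIssuer, pCrl, &flags);
        if (pCrl == NULL) {
            DWORD err = GetLastError();
            if (err == CRYPT_E_NOT_FOUND) break;
            fprintf(stderr, "CertGetCRLFromStore failed: 0x%08lx\n", err);
            return -1;
        }
        /* A context is returned even when a check failed, so inspect the flags. */
        crl_describe(flags, why, sizeof why);
        if (crl_is_usable(flags)) usable++;
        else fprintf(stderr, "CRL rejected: %s\n", why);
    }
    return usable;   /* pCrl is NULL here, so there is nothing left to free */
}
#endif
```

Note that the loop never calls CertFreeCRLContext: each returned context is handed back as pPrevCrlContext on the next call, which frees it, and the loop only exits once the function has returned NULL. If a caller breaks out of such a loop while still holding a context, it must free that one itself.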


Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps | UWP apps]
Minimum supported server Windows Server 2003 [desktop apps | UWP apps]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also

Certificate Revocation List Functions