
ICertPolicy interface

The ICertPolicy interface provides communications between the Certificate Services server engine and the policy module.

Note  The policy module can communicate with the Certificate Services server engine by using the ICertServerPolicy interface.

The Certificate Services server engine calls the ICertPolicy methods to perform the following tasks:

  • Initialize the policy module.
  • Notify the policy module that a new request has entered the system. The policy module can then use the methods of the ICertServerPolicy interface to indicate that the request is good and should be issued, is bad and should be denied, or should be held for later consideration.
  • Retrieve a description of the policy module and its functionality.
  • Notify the policy module that the Certificate Services server is being terminated.

Policy modules should implement both ICertPolicy and ICertManageModule.

ICertPolicy is defined in Certpol.h. When you create your program, however, use Certsrv.h as the include file.

Certificate Services interfaces support both apartment-threading and free-threading models. For better throughput, free threading is recommended.

Inheritance

The ICertPolicy interface is extended by the ICertPolicy2 interface. All the methods defined by ICertPolicy are inherited by ICertPolicy2 and are documented under the newer interface.

Members

The ICertPolicy interface inherits from the IDispatch interface. ICertPolicy also has these types of members:

Methods

The ICertPolicy interface has these methods.

Method            Description

GetDescription    Returns a human-readable description of the policy module and its function.

Initialize        Called by the server engine to allow the policy module to perform initialization tasks.

Shutdown          Called by the server engine before the server is terminated.

VerifyRequest     Notifies the policy module that a new request has entered the system. The disposition the module returns tells the engine to issue the request, deny it, or hold it for later consideration.

All four methods are defined by ICertPolicy itself; ICertPolicy2 inherits them unchanged.

 

Remarks

Only a stand-alone certification authority should use custom policy or exit modules; when running an enterprise certification authority, the use of Microsoft-provided policy and exit modules is strongly recommended. A custom policy module is trusted code: it is loaded in-process by Certificate Services, and the disposition it returns from VerifyRequest is what decides whether a certificate is issued, so a logic error or an unhandled failure path in the module translates directly into unauthorized issuance. Fail closed: a property the module cannot read is a reason to deny or pend the request, never to issue it.
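The following is an added example, not code from this page or from any Microsoft sample: a fail-closed disposition routine for a custom VerifyRequest. The decision logic is portable C++ and runs stand-alone; the Windows-only glue that pulls request facts through ICertServerPolicy (the SetContext, GetRequestProperty and GetCertificateProperty calls, the CLSID_CCertServerPolicy coclass, and the "RequesterName", "CertificateTemplate" and "DistinguishedName" property names) sits under #ifdef _WIN32 and is an assumption about the server API as documented elsewhere. The template allow-list, requester domain and subject suffix are constructed policy data, not anything this page specifies.

```cpp
#include <cstdio>
#include <set>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <certsrv.h>       // ICertServerPolicy, VR_* dispositions, PROPTYPE_STRING
#else
// Disposition codes as defined in Certpol.h, so the decision logic builds anywhere.
#define VR_PENDING     0   // hold the request for a certificate manager
#define VR_INSTANT_OK  1   // issue now
#define VR_INSTANT_BAD 2   // deny now
#endif

// What the module learned about one request. A field the server could not
// supply stays empty, and empty is treated as a reason to deny, never to issue.
struct RequestFacts {
    std::wstring requesterName;        // "RequesterName" request property (assumed name)
    std::wstring certificateTemplate;  // "CertificateTemplate" request property (assumed name)
    std::wstring distinguishedName;    // "DistinguishedName" certificate property (assumed name)
    bool         resubmitted;          // true when VerifyRequest's bNewRequest is 0
};

static bool EndsWith(const std::wstring& s, const std::wstring& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Map request facts to a disposition. Every early return denies or holds;
// VR_INSTANT_OK is reachable only after all checks pass (fail closed).
long DecideDisposition(const RequestFacts& f) {
    // Constructed policy data for the example; a real module would load its own.
    static const std::set<std::wstring> kAllowedTemplates = {L"WebServer", L"Machine"};
    static const std::wstring kRequesterDomain = L"EXAMPLE\\";
    static const std::wstring kSubjectSuffix   = L",DC=example,DC=com";

    // 1. Anything unreadable is a deny. This policy also rejects untemplated requests.
    if (f.requesterName.empty() || f.distinguishedName.empty() || f.certificateTemplate.empty())
        return VR_INSTANT_BAD;

    // 2. Only allow-listed templates can be issued by this CA at all.
    if (kAllowedTemplates.find(f.certificateTemplate) == kAllowedTemplates.end())
        return VR_INSTANT_BAD;

    // 3. The subject must live in our own namespace.
    if (!EndsWith(f.distinguishedName, kSubjectSuffix))
        return VR_INSTANT_BAD;

    // 4. A requester outside the expected domain is held for a human rather than
    //    denied; once a certificate manager resubmits the pended request, it passes.
    if (f.requesterName.compare(0, kRequesterDomain.size(), kRequesterDomain) != 0)
        return f.resubmitted ? VR_INSTANT_OK : VR_PENDING;

    return VR_INSTANT_OK;
}

#ifdef _WIN32
// Read one string property through ICertServerPolicy; L"" on any failure.
static std::wstring ReadProp(ICertServerPolicy* server, bool certProp, const wchar_t* name) {
    std::wstring value;
    BSTR bname = SysAllocString(name);
    VARIANT var;
    VariantInit(&var);
    HRESULT hr = certProp
        ? server->GetCertificateProperty(bname, PROPTYPE_STRING, &var)
        : server->GetRequestProperty(bname, PROPTYPE_STRING, &var);
    if (SUCCEEDED(hr) && var.vt == VT_BSTR && var.bstrVal != NULL)
        value = var.bstrVal;
    VariantClear(&var);
    SysFreeString(bname);
    return value;
}

// Body for CMyCertPolicyModule::VerifyRequest. Context identifies the request
// to the engine and must be handed back via SetContext before any property read.
HRESULT VerifyRequestBody(LONG Context, LONG bNewRequest, LONG* pDisposition) {
    *pDisposition = VR_INSTANT_BAD;                  // fail closed if anything below fails
    ICertServerPolicy* server = NULL;
    HRESULT hr = CoCreateInstance(CLSID_CCertServerPolicy, NULL, CLSCTX_INPROC_SERVER,
                                  IID_ICertServerPolicy, (void**)&server);
    if (FAILED(hr))
        return hr;
    hr = server->SetContext(Context);
    if (SUCCEEDED(hr)) {
        RequestFacts f;
        f.requesterName       = ReadProp(server, false, L"RequesterName");
        f.certificateTemplate = ReadProp(server, false, L"CertificateTemplate");
        f.distinguishedName   = ReadProp(server, true,  L"DistinguishedName");
        f.resubmitted         = (bNewRequest == 0);
        *pDisposition = DecideDisposition(f);
    }
    server->Release();
    return hr;
}
#endif

int main() {
    // Constructed sample requests: in-policy, a resubmitted foreign-domain request,
    // and a request for a template this CA never issues.
    const RequestFacts samples[] = {
        {L"EXAMPLE\\svc-web", L"WebServer", L"CN=www,DC=example,DC=com", false},
        {L"OTHER\\bob",       L"Machine",   L"CN=host,DC=example,DC=com", true},
        {L"EXAMPLE\\alice",   L"SubCA",     L"CN=rogue,DC=example,DC=com", false},
    };
    for (const RequestFacts& f : samples)
        std::printf("disposition=%ld\n", DecideDisposition(f));   // 1, 1, 2
    return 0;
}
```

The ordering is deliberate: VR_INSTANT_OK is the last statement, so any property the engine cannot supply, and any template or subject outside the allow-list, ends in VR_INSTANT_BAD rather than accidental issuance. VerifyRequestBody also pre-sets *pDisposition to VR_INSTANT_BAD before it does anything that can fail; an ATL class such as the CMyCertPolicyModule registered below would forward its VerifyRequest method to it, ignoring strConfig and Flags.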

Implementers of ICertPolicy should also implement ICertManageModule. Additionally, the ProgID for a class implementing ICertPolicy must conform to a naming convention. Specifically, the ProgID must be of the form:

"MyApp.Policy"

Where MyApp is a specifier that identifies the application. For example, in C++ the following DECLARE_REGISTRY macro invocation registers a class, CMyCertPolicyModule, that implements ICertPolicy.


DECLARE_REGISTRY(
    CMyCertPolicyModule,
    L"MyCode.Policy.1",
    L"MyCode.Policy",
    IDS_CERTPOLICYMODULE_DESC,
    THREADFLAGS_BOTH);

In the previous example, IDS_CERTPOLICYMODULE_DESC is an application-specific identifier in the resource file (.rc) for a string that describes the class.

String constants defined in Certmod.h can be used to simplify following the naming convention.

Constant                       Value

wszCERTPOLICYMODULE_POSTFIX    TEXT(".Policy")

 

No more than one Visual Basic policy module may be registered on the Certificate Services server at one time. If more than one such policy module is registered, the Certification Authority MMC snap-in, the Certificate Services application, or the certutil command-line program may produce errors.

Note that the Visual Basic development environment automatically registers a DLL when it is successfully built, so you can reach this state simply by building a second Visual Basic policy module while one is already registered. To recover, unregister the module you do not intend to make active with the command-line instruction regsvr32 /u FileName.dll, where FileName.dll is that module's DLL.

Implementers of ICertPolicy in Visual Basic must name their project in the form:

"MyApp"

Where MyApp is a specifier that identifies the application; further, the class implementing ICertPolicy must be named "Policy".

Requirements

Minimum supported client

None supported

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Certpol.h (include Certsrv.h)

Library

Certidl.lib

IID

IID_ICertPolicy is defined as 38bb5a00-7636-11d0-b413-00a0c91bbf8c

 

 

© 2014 Microsoft