ICertificatePolicy interface (certenroll.h)
The ICertificatePolicy interface can be used to specify a certificate policy that identifies a purpose for which the certificate can be used. The policies are collected into an ICertificatePolicies object that you can use to initialize an IX509ExtensionCertificatePolicies or IX509ExtensionMSApplicationPolicies object.
The following syntax shows the Abstract Syntax Notation One (ASN.1) structure used by both extension objects. The extension values are encoded by using Distinguished Encoding Rules (DER) and included in the certificate request. A certificate policies collection consists of a sequence of object identifiers (OIDs) and optional sequence of policy qualifiers for each policy OID.
----------------------------------------------------------------------
-- CertificatePolicies
-- XCN_OID_CERT_POLICIES (2.5.29.32)
----------------------------------------------------------------------
CertificatePolicies ::= SEQUENCE OF PolicyInformation
PolicyInformation ::= SEQUENCE
{
policyIdentifier EncodedObjectID,
policyQualifiers PolicyQualifiers OPTIONAL
}
PolicyQualifiers ::= SEQUENCE OF PolicyQualifierInfo
PolicyQualifierInfo ::= SEQUENCE
{
policyQualifierId EncodedObjectID,
qualifier NOCOPYANY OPTIONAL
}
Issuance policies, defined by an IX509ExtensionCertificatePolicies object, identify the extent to which the identity presented in the certificate is trusted. The following policies are predefined. The x.y.z portion of each OID represents a randomly generated numeric sequence that is unique for each forest. You can also create custom OIDs to represent custom issuance policies.
| Policy | Description |
|---|---|
| All Issuance(2.5.29.32.0) | Contains all other policies. This is typically assigned only to certification authority certificates. The OID is XCN_OID_ANY_CERT_POLICY. |
| Low Assurance(1.3.6.1.4.1.311.21.8.x.y.z.1.400) | Indicates that a certificate is issued with no additional security requirements. |
| Medium Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.401) | Indicates that a certificate issuance has additional security requirements. For example, the policy might require that the certificate subject physically appear before the certification authority. |
| High Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.402) | Indicates that the certificate is issued with the highest security. For example, the issuance of a key recovery agent certificate can require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from the CA. |
Application policies, defined by an IX509ExtensionMSApplicationPolicies object, enable an application to filter certificates by comparing the policy OIDs it will accept to the policy OIDs contained in the certificate. The MSApplicationPolicies extension is very similar to the EnhancedKeyUsage extension but is often used for policy mapping.
Inheritance
The ICertificatePolicy interface inherits from the IDispatch interface. ICertificatePolicy also has these types of members:
Methods
The ICertificatePolicy interface has these methods.
| ICertificatePolicy::get_ObjectId Retrieves an object identifier (OID) for the policy object. |
| ICertificatePolicy::get_PolicyQualifiers Retrieves a collection of optional policy qualifiers that can be applied to a certificate policy. |
| ICertificatePolicy::Initialize Initializes the object from an object identifier (OID). |
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Target Platform | Windows |
| Header | certenroll.h |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for