ICertificatePolicy interface

The ICertificatePolicy interface can be used to specify a certificate policy that identifies a purpose for which the certificate can be used. The policies are collected into an ICertificatePolicies object that you can use to initialize an IX509ExtensionCertificatePolicies or IX509ExtensionMSApplicationPolicies object.

The following syntax shows the Abstract Syntax Notation One (ASN.1) structure used by both extension objects. The extension values are encoded by using Distinguished Encoding Rules (DER) and included in the certificate request. A certificate policies collection consists of a sequence of object identifiers (OIDs) and an optional sequence of policy qualifiers for each policy OID.

Note: Policy qualifiers, defined by the IPolicyQualifier interface, are used by a CertificatePolicies extension but not by an MSApplicationPolicies extension.

-- CertificatePolicies

CertificatePolicies ::= SEQUENCE OF PolicyInformation

PolicyInformation ::= SEQUENCE
{
   policyIdentifier    EncodedObjectID,
   policyQualifiers    PolicyQualifiers OPTIONAL
}

PolicyQualifiers ::=  SEQUENCE OF PolicyQualifierInfo

PolicyQualifierInfo ::= SEQUENCE
{
   policyQualifierId   EncodedObjectID,
   qualifier           NOCOPYANY OPTIONAL
}

Issuance policies, defined by an IX509ExtensionCertificatePolicies object, identify the extent to which the identity presented in the certificate is trusted. The following policies are predefined. The x.y.z portion of each OID represents a randomly generated numeric sequence that is unique for each forest. You can also create custom OIDs to represent custom issuance policies.

All Issuance

Contains all other policies. This is typically assigned only to certification authority certificates. The OID is XCN_OID_ANY_CERT_POLICY.

Low Assurance

Indicates that a certificate is issued with no additional security requirements.

Medium Assurance

Indicates that a certificate issuance has additional security requirements. For example, the policy might require that the certificate subject physically appear before the certification authority.

High Assurance

Indicates that the certificate is issued with the highest security. For example, the issuance of a key recovery agent certificate can require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from the CA.


Application policies, defined by an IX509ExtensionMSApplicationPolicies object, enable an application to filter certificates by comparing the policy OIDs it will accept to the policy OIDs contained in the certificate. The MSApplicationPolicies extension is very similar to the EnhancedKeyUsage extension but is often used for policy mapping.
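The following Python decoder is an added example, not part of the original documentation and not CertEnroll code. It walks the DER-encoded CertificatePolicies structure shown above and performs the literal OID comparison an application makes when filtering on policies. The function names, the sample bytes, the OIDs 2.999.1 and 1.3.6.1.5.5.7.2.1, and the URL are constructed for illustration; the qualifier value itself is skipped rather than decoded.

```python
def read_tlv(buf, pos, want_tag):
    """Read the DER element at pos, check its tag, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal text."""
    subids, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    head = divmod(subids[0], 40) if subids[0] < 80 else (2, subids[0] - 80)
    return ".".join(map(str, (*head, *subids[1:])))

def parse_certificate_policies(der):
    """Return [(policyIdentifier, [policyQualifierId, ...]), ...]."""
    body, end = read_tlv(der, 0, 0x30)  # SEQUENCE OF PolicyInformation
    if end != len(der):
        raise ValueError("trailing bytes after extension value")
    policies, pos = [], 0
    while pos < len(body):
        info, pos = read_tlv(body, pos, 0x30)  # PolicyInformation
        oid, ipos = read_tlv(info, 0, 0x06)  # policyIdentifier
        quals = read_tlv(info, ipos, 0x30)[0] if ipos < len(info) else b""  # OPTIONAL
        qualifier_ids, qpos = [], 0
        while qpos < len(quals):
            qinfo, qpos = read_tlv(quals, qpos, 0x30)  # PolicyQualifierInfo
            qualifier_ids.append(decode_oid(read_tlv(qinfo, 0, 0x06)[0]))
        policies.append((decode_oid(oid), qualifier_ids))
    return policies

def matching_policies(der, accepted_oids):
    """Policy OIDs in the extension that the application also accepts."""
    return [oid for oid, _ in parse_certificate_policies(der) if oid in accepted_oids]

# Constructed sample (not from a real certificate): 2.5.29.32.0 with no
# qualifiers, then 2.999.1 with one qualifier carrying an IA5String URL.
SAMPLE = bytes.fromhex("30343006" "0604551d2000" "302a0603883701" "30233021"
                       "06082b06010505070201" "1615") + b"http://ca.example/cps"
```

The comparison in matching_policies is a plain string match on OIDs; it gives 2.5.29.32.0 no special meaning.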


The ICertificatePolicy interface inherits from the IDispatch interface. ICertificatePolicy also has these types of members:


The ICertificatePolicy interface has these methods.


Initializes the object from an OID.



The ICertificatePolicy interface has these properties.



Retrieves an OID for the policy object.


Retrieves a collection of optional policy qualifiers that can be applied to a certificate policy.



Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]





See also

CertEnroll Interfaces


