

The CERT_USAGE_MATCH structure provides criteria for identifying issuer certificates to be used to build a certificate chain.


typedef struct _CERT_USAGE_MATCH {
  DWORD             dwType;
  CERT_ENHKEY_USAGE Usage;
} CERT_USAGE_MATCH, *PCERT_USAGE_MATCH;



dwType

Determines the kind of issuer matching to be done. In AND logic, the certificate must meet all criteria. In OR logic, the certificate must meet at least one of the criteria. The following codes are defined to determine the logic used in the match. For more information about how this is applied, see Remarks.

USAGE_MATCH_TYPE_AND
AND logic

USAGE_MATCH_TYPE_OR
OR logic

The default usage match logic is USAGE_MATCH_TYPE_AND.


Usage

CERT_ENHKEY_USAGE structure (CERT_ENHKEY_USAGE is an alternate typedef name for the CTL_USAGE structure) that includes an array of certificate object identifiers (OIDs) that a certificate must match in order to be valid.


Remarks

If the dwType member is set to USAGE_MATCH_TYPE_OR, the Usage member cannot be empty.

If the dwType member is set to USAGE_MATCH_TYPE_AND, an empty Usage member means that any nested usage in the chain will work.

The following describes the behavior given two enhanced key usage (EKU) extensions EKU A and EKU B.

AND Logic

If the caller specifies EKU A AND EKU B, then the target certificate is valid if EKU A and EKU B are supported by every certificate in the path (either by an explicit EKU setting or through an absent EKU extension in CA certificates).

OR Logic

If the caller specifies EKU A OR EKU B, then the target certificate is valid if either EKU A or EKU B is supported by every certificate in the path.

Besides the simple case where the certificates in the path contain EKU A or EKU B, the OR clause has the following special evaluation.

Given the following path, the OR test is deemed valid:

CA 1: absent EKU extension
CA 2: EKU B in EKU extension
CA 3: EKU A in EKU extension
EE cert: EKU A in EKU extension

Although the intersection of the EKUs in the chain is an empty set, the use of the EE certificate is valid for EKU A because the request to the cryptography API specifies that the certificate is valid if each certificate of the path supports either EKU A OR EKU B.
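The AND/OR evaluation described above, including the four-certificate path, as an added example that is not part of the original page. It is a portable C model of the matching rule, not the CryptoAPI implementation; the struct and function names, the OID strings standing in for EKU A and EKU B, and the chain itself are constructed for illustration.

```c
/* Added example (not from the page): a portable C model of the AND/OR evaluation the
 * Remarks describe. It calls no CryptoAPI function; struct names, OIDs and the chain
 * are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define USAGE_MATCH_TYPE_AND 0x00000000 /* values as defined in wincrypt.h */
#define USAGE_MATCH_TYPE_OR  0x00000001
#define MAX_OIDS 4
typedef struct {                 /* one certificate in the path */
    bool has_eku;                /* false = EKU extension absent */
    const char *ekus[MAX_OIDS];  /* OIDs carried in the EKU extension */
    size_t n_ekus;
} chain_cert;
typedef struct {                 /* models CERT_USAGE_MATCH */
    unsigned dwType;
    const char *usage[MAX_OIDS]; /* models the OIDs held in the Usage member */
    size_t n_usage;
} usage_match;
/* Assumption (the page states it for CA certificates): an absent EKU extension
 * counts as supporting every usage. */
static bool cert_supports(const chain_cert *c, const char *oid) {
    if (!c->has_eku) return true;
    for (size_t i = 0; i < c->n_ekus; i++)
        if (strcmp(c->ekus[i], oid) == 0) return true;
    return false;
}
/* True when every certificate in the path satisfies the requested usage(s). */
bool chain_matches(const usage_match *m, const chain_cert *path, size_t n) {
    bool is_and = (m->dwType == USAGE_MATCH_TYPE_AND);
    if (!is_and && m->n_usage == 0) return false; /* OR requires a non-empty Usage */
    for (size_t c = 0; c < n; c++) {
        bool ok = is_and;        /* AND: all usages; OR: at least one usage */
        for (size_t u = 0; u < m->n_usage; u++) {
            bool s = cert_supports(&path[c], m->usage[u]);
            ok = is_and ? (ok && s) : (ok || s);
        }
        if (!ok) return false;   /* an empty Usage under AND accepts any certificate */
    }
    return true;
}
/* The CA 1 / CA 2 / CA 3 / EE path from the Remarks; the serverAuth and clientAuth
 * OIDs stand in for EKU A and EKU B (constructed choice). */
#define EKU_A "1.3.6.1.5.5.7.3.1"
#define EKU_B "1.3.6.1.5.5.7.3.2"
static const chain_cert remarks_path[4] = {
    { false, { 0 }, 0 }, { true, { EKU_B }, 1 }, { true, { EKU_A }, 1 }, { true, { EKU_A }, 1 } };
bool remarks_path_matches(unsigned dwType) { /* requests EKU A and EKU B with dwType logic */
    usage_match m = { dwType, { EKU_A, EKU_B }, 2 };
    return chain_matches(&m, remarks_path, 4);
}
```

With OR logic the path is accepted even though the intersection of its EKUs is empty; with AND logic CA 2 fails because it does not carry EKU A.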


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]