IX509ExtensionEnhancedKeyUsage interface (certenroll.h)

The IX509ExtensionEnhancedKeyUsage interface can be used to define a collection of object identifiers (OIDs) that identify the intended uses of the public key contained in the certificate. The EnhancedKeyUsage extension can be used in addition to or in place of the KeyUsage extension. Also, the EnhancedKeyUsage extension and the MSApplicationPolicies extension defined by the IX509ExtensionMSApplicationPolicies interface are similar. The following syntax shows the Abstract Syntax Notation One (ASN.1) structure of the extension. The extension value is encoded by using Distinguished Encoding Rules (DER) and included in the certificate request.


----------------------------------------------------------------------
-- EnhancedKeyUsage
-- XCN_OID_ENHANCED_KEY_USAGE (2.5.29.37)
----------------------------------------------------------------------

EnhancedKeyUsage ::= SEQUENCE OF UsageIdentifier

UsageIdentifier ::= EncodedObjectID
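As an added worked example (not code from the certenroll.h documentation), the following pure-Python helpers produce and parse the DER extension value that this syntax describes, i.e. the byte array that InitializeEncode emits and InitializeDecode consumes; the OID strings in the test are taken from the table on this page.

```python
# Added example (not from the certenroll.h docs): DER encode/decode of the EnhancedKeyUsage
# value, SEQUENCE OF OBJECT IDENTIFIER, the bytes InitializeEncode emits and InitializeDecode reads.
def _der_len(n: int) -> bytes:
    # DER length: one byte below 128, else 0x80|count followed by big-endian length bytes.
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    # OID content: first two arcs merge as 40*a+b; each arc is base-128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        content += bytes(chunk)
    return b"\x06" + _der_len(len(content)) + bytes(content)

def encode_eku(oids: list[str]) -> bytes:
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    # Returns (tag, content, offset after the element); accepts long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_eku(der: bytes) -> list[str]:
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        arcs, value = [], 0
        for b in content:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(value)
                value = 0
        head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
        oids.append(".".join(map(str, head + arcs[1:])))
    return oids
```

When reviewing a request, a decoded list containing XCN_OID_ANY_APPLICATION_POLICY (1.3.6.1.4.1.311.10.12.1) means the requester is asking for no usage restriction at all, which is worth checking against the template's intent.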

You can define your own OIDs or use any of the following EKU OIDs. The list is not complete.

Value Description
XCN_OID_ANY_APPLICATION_POLICY(1.3.6.1.4.1.311.10.12.1) The applications that can use the certificate are not restricted.
XCN_OID_AUTO_ENROLL_CTL_USAGE(1.3.6.1.4.1.311.20.1) The certificate can be used to sign a request for automatic enrollment in a certificate trust list (CTL).
XCN_OID_DRM(1.3.6.1.4.1.311.10.5.1) The certificate can be used for digital rights management applications.
XCN_OID_DS_EMAIL_REPLICATION(1.3.6.1.4.1.311.21.19) The certificate can be used for Directory Service email replication.
XCN_OID_EFS_RECOVERY(1.3.6.1.4.1.311.10.3.4.1) The certificate can be used for recovery of documents protected by using Encrypting File System (EFS).
XCN_OID_EMBEDDED_NT_CRYPTO(1.3.6.1.4.1.311.10.3.8) The certificate can be used for Windows NT Embedded cryptography.
XCN_OID_ENROLLMENT_AGENT(1.3.6.1.4.1.311.20.2.1) The certificate can be used by an enrollment agent.
XCN_OID_IPSEC_KP_IKE_INTERMEDIATE(1.3.6.1.5.5.8.2.2) The certificate can be used for Internet Key Exchange (IKE).
XCN_OID_KP_CA_EXCHANGE(1.3.6.1.4.1.311.21.5) The certificate can be used for archiving a private key on a certification authority.
XCN_OID_KP_CTL_USAGE_SIGNING(1.3.6.1.4.1.311.10.3.1) The certificate can be used to sign a CTL.
XCN_OID_KP_DOCUMENT_SIGNING(1.3.6.1.4.1.311.10.3.12) The certificate can be used for signing documents.
XCN_OID_KP_EFS(1.3.6.1.4.1.311.10.3.4) The certificate can be used to encrypt files by using the Encrypting File System.
XCN_OID_KP_KEY_RECOVERY(1.3.6.1.4.1.311.10.3.11) The certificate can be used to encrypt and recover escrowed keys.
XCN_OID_KP_KEY_RECOVERY_AGENT(1.3.6.1.4.1.311.21.6) The certificate is used to identify a key recovery agent.
XCN_OID_KP_LIFETIME_SIGNING(1.3.6.1.4.1.311.10.3.13) Limits the validity period of a signature to the validity period of the certificate. This restriction is typically used with the XCN_OID_PKIX_KP_CODE_SIGNING OID value to indicate that new time stamp semantics should be used.
XCN_OID_KP_QUALIFIED_SUBORDINATION(1.3.6.1.4.1.311.10.3.10) The certificate can be used to sign cross certificate and subordinate certification authority certificate requests. Qualified subordination is implemented by applying basic constraints, certificate policies, and application policies. Cross certification typically requires policy mapping.
XCN_OID_KP_SMARTCARD_LOGON(1.3.6.1.4.1.311.20.2.2) The certificate enables an individual to log on to a computer by using a smart card.
XCN_OID_KP_TIME_STAMP_SIGNING(1.3.6.1.4.1.311.10.3.2) The certificate can be used to sign a time stamp to be added to a document. Time stamp signing is typically part of a time stamping service.
XCN_OID_LICENSE_SERVER(1.3.6.1.4.1.311.10.6.2) The certificate can be used by a license server when transacting with Microsoft to receive licenses for Terminal Services clients.
XCN_OID_LICENSES(1.3.6.1.4.1.311.10.6.1) The certificate can be used for key pack licenses.
XCN_OID_NT5_CRYPTO(1.3.6.1.4.1.311.10.3.7) The certificate can be used for Windows Server 2003, Windows XP, and Windows 2000 cryptography.
XCN_OID_OEM_WHQL_CRYPTO(1.3.6.1.4.1.311.10.3.7) The certificate can be used for Original Equipment Manufacturer (OEM) Windows Hardware Quality Labs (WHQL) cryptography.
XCN_OID_PKIX_KP_CLIENT_AUTH(1.3.6.1.5.5.7.3.2) The certificate can be used for authenticating a client.
XCN_OID_PKIX_KP_CODE_SIGNING(1.3.6.1.5.5.7.3.3) The certificate can be used for signing code.
XCN_OID_PKIX_KP_EMAIL_PROTECTION(1.3.6.1.5.5.7.3.4) The certificate can be used to encrypt email messages.
XCN_OID_PKIX_KP_IPSEC_END_SYSTEM(1.3.6.1.5.5.7.3.5) The certificate can be used for signing end-to-end Internet Protocol Security (IPSEC) communication.
XCN_OID_PKIX_KP_IPSEC_TUNNEL(1.3.6.1.5.5.7.3.6) The certificate can be used for signing IPSEC communication in tunnel mode.
XCN_OID_PKIX_KP_IPSEC_USER(1.3.6.1.5.5.7.3.7) The certificate can be used for an IPSEC user.
XCN_OID_PKIX_KP_OCSP_SIGNING(1.3.6.1.5.5.7.3.9) The certificate can be used for Online Certificate Status Protocol (OCSP) signing.
XCN_OID_PKIX_KP_SERVER_AUTH(1.3.6.1.5.5.7.3.1) The certificate can be used for OCSP authentication.
XCN_OID_PKIX_KP_TIMESTAMP_SIGNING(1.3.6.1.5.5.7.3.8) The certificate can be used for signing public key infrastructure timestamps.
XCN_OID_ROOT_LIST_SIGNER(1.3.6.1.4.1.311.10.3.9) The certificate can be used to sign a certificate root list.
XCN_OID_WHQL_CRYPTO(1.3.6.1.4.1.311.10.3.5) The certificate can be used for Windows Hardware Quality Labs (WHQL) cryptography.

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see PKCS #10 Extensions and CMC Extensions.

Inheritance

The IX509ExtensionEnhancedKeyUsage interface inherits from IX509Extension. IX509ExtensionEnhancedKeyUsage also has these types of members:

Methods

The IX509ExtensionEnhancedKeyUsage interface has these methods.

IX509ExtensionEnhancedKeyUsage::get_EnhancedKeyUsage
Retrieves a collection of key usage object identifiers (OIDs).

IX509ExtensionEnhancedKeyUsage::InitializeDecode
Initializes the extension from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value.

IX509ExtensionEnhancedKeyUsage::InitializeEncode
Initializes the extension from a collection of IObjectId object identifiers (OIDs) that specify the intended uses of the public key.

Requirements

Requirement Value
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

Certificate Enrollment API

IX509Extension