ICertificatePolicy interface (certenroll.h)

The ICertificatePolicy interface can be used to specify a certificate policy that identifies a purpose for which the certificate can be used. The policies are collected into an ICertificatePolicies object that you can use to initialize an IX509ExtensionCertificatePolicies or IX509ExtensionMSApplicationPolicies object.

The following syntax shows the Abstract Syntax Notation One (ASN.1) structure used by both extension objects. The extension values are encoded by using Distinguished Encoding Rules (DER) and included in the certificate request. A certificate policies collection consists of a sequence of object identifiers (OIDs) and an optional sequence of policy qualifiers for each policy OID.

Note: Policy qualifiers, defined by the IPolicyQualifier interface, are used by a CertificatePolicies extension but not by an MSApplicationPolicies extension.


----------------------------------------------------------------------
-- CertificatePolicies
-- XCN_OID_CERT_POLICIES (2.5.29.32)
----------------------------------------------------------------------

CertificatePolicies ::= SEQUENCE OF PolicyInformation

PolicyInformation ::= SEQUENCE 
{
   policyIdentifier    EncodedObjectID,
   policyQualifiers    PolicyQualifiers OPTIONAL
}

PolicyQualifiers ::=  SEQUENCE OF PolicyQualifierInfo

PolicyQualifierInfo ::= SEQUENCE 
{
   policyQualifierId   EncodedObjectID,
   qualifier           NOCOPYANY OPTIONAL
}

Issuance policies, defined by an IX509ExtensionCertificatePolicies object, identify the extent to which the identity presented in the certificate is trusted. The following policies are predefined. The x.y.z portion of each OID represents a randomly generated numeric sequence that is unique for each forest. You can also create custom OIDs to represent custom issuance policies.

Policy | Description
All Issuance (2.5.29.32.0) | Contains all other policies. This is typically assigned only to certification authority certificates. The OID is XCN_OID_ANY_CERT_POLICY.
Low Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.400) | Indicates that a certificate is issued with no additional security requirements.
Medium Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.401) | Indicates that certificate issuance has additional security requirements. For example, the policy might require that the certificate subject physically appear before the certification authority.
High Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.402) | Indicates that the certificate is issued with the highest security. For example, the issuance of a key recovery agent certificate can require additional background checks and a digital signature from a designated approver, because a person holding this certificate can recover private key material from the CA.
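The ASN.1 above and the issuance-policy table are enough to build and check an extension value by hand. The following Python, added here as an example and not part of the certenroll documentation or of any Microsoft code, DER-encodes a CertificatePolicies value, parses it back with tag and length checks, and maps each policy OID to the predefined issuance-policy names. The forest-specific x.y.z arcs (1.2.3), the CPS URI, the sample policy list and all function names are constructed for this example; the qualifier OID 1.3.6.1.5.5.7.2.1 (id-qt-cps) comes from RFC 5280, not from this page, and the OID decoder assumes a one-byte first subidentifier, which holds for every OID on this page.

```python
TAG_SEQUENCE, TAG_OID, TAG_IA5STRING = 0x30, 0x06, 0x16
XCN_OID_ANY_CERT_POLICY = "2.5.29.32.0"   # "All Issuance" (named on the page)
OID_PKIX_CPS = "1.3.6.1.5.5.7.2.1"         # id-qt-cps, the CPS URI qualifier from RFC 5280
MS_ISSUANCE_ARC = "1.3.6.1.4.1.311.21.8."  # the forest-specific x.y.z arcs follow this prefix
ASSURANCE = {"1.400": "Low Assurance", "1.401": "Medium Assurance", "1.402": "High Assurance"}

def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:  # DER: short length form below 128 bytes, minimal long form above
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc := arc >> 7:
            enc.append(0x80 | (arc & 0x7F))
        out.extend(reversed(enc))
    return der_tlv(TAG_OID, bytes(out))

def encode_certificate_policies(policies: list) -> bytes:
    """policies: [(policy OID, [(qualifier OID, CPS URI), ...]), ...] -> DER CertificatePolicies."""
    infos = b""
    for oid, quals in policies:
        body = encode_oid(oid)
        if quals:  # policyQualifiers is OPTIONAL: DER omits the SEQUENCE entirely when empty
            body += der_tlv(TAG_SEQUENCE, b"".join(
                der_tlv(TAG_SEQUENCE, encode_oid(q) + der_tlv(TAG_IA5STRING, uri.encode("ascii")))
                for q, uri in quals))
        infos += der_tlv(TAG_SEQUENCE, body)
    return der_tlv(TAG_SEQUENCE, infos)

def read_tlv(data: bytes, pos: int, want: int, what: str) -> tuple:
    """Read one element that must carry tag `want`; return (content, position after it)."""
    if pos + 2 > len(data) or data[pos] != want:
        raise ValueError(f"{what}: missing element or unexpected tag at offset {pos}")
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits count the length bytes that follow
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError(f"{what}: invalid DER length")
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(data):
        raise ValueError(f"{what}: content runs past end of data")
    return data[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    # Inverse of encode_oid; assumes a one-byte first subidentifier (true for every OID used here).
    if not content:
        raise ValueError("empty OID")
    arcs = [2, content[0] - 80] if content[0] >= 80 else [content[0] // 40, content[0] % 40]
    value, more = 0, False
    for b in content[1:]:
        value, more = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not more:
            arcs.append(value)
            value = 0
    if more:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(map(str, arcs))

def decode_certificate_policies(der: bytes) -> list:
    """Returns [(policy OID, [(qualifier OID, raw DER of the ANY qualifier or None), ...]), ...]."""
    outer, end = read_tlv(der, 0, TAG_SEQUENCE, "CertificatePolicies")
    if end != len(der):
        raise ValueError("trailing bytes after CertificatePolicies")
    result, pos = [], 0
    while pos < len(outer):
        info, pos = read_tlv(outer, pos, TAG_SEQUENCE, "PolicyInformation")
        oid_bytes, ipos = read_tlv(info, 0, TAG_OID, "policyIdentifier")
        qualifiers = []
        if ipos < len(info):  # the OPTIONAL policyQualifiers SEQUENCE is present
            quals, ipos = read_tlv(info, ipos, TAG_SEQUENCE, "policyQualifiers")
            qpos = 0
            while qpos < len(quals):
                qinfo, qpos = read_tlv(quals, qpos, TAG_SEQUENCE, "PolicyQualifierInfo")
                qid, qend = read_tlv(qinfo, 0, TAG_OID, "policyQualifierId")
                # 'qualifier' is ANY OPTIONAL: keep its raw DER instead of guessing a type
                qualifiers.append((decode_oid(qid), qinfo[qend:] or None))
        result.append((decode_oid(oid_bytes), qualifiers))
    return result

def classify_policy(oid: str) -> str:
    """Map an issuance-policy OID to the predefined names in the table above, else 'custom'."""
    if oid == XCN_OID_ANY_CERT_POLICY:
        return "All Issuance"
    if oid.startswith(MS_ISSUANCE_ARC):
        arcs = oid[len(MS_ISSUANCE_ARC):].split(".")
        if len(arcs) == 5 and ".".join(arcs[3:]) in ASSURANCE:  # x.y.z followed by 1.40n
            return ASSURANCE[".".join(arcs[3:])]
    return "custom"

# Constructed sample: anyPolicy without qualifiers, plus a Medium Assurance policy whose
# forest-specific x.y.z arcs are the placeholder 1.2.3 and which carries a CPS URI qualifier.
SAMPLE_POLICIES = [
    (XCN_OID_ANY_CERT_POLICY, []),
    (MS_ISSUANCE_ARC + "1.2.3.1.401", [(OID_PKIX_CPS, "http://cps.example.invalid/")]),
]
```

Round-tripping `SAMPLE_POLICIES` through `encode_certificate_policies` and `decode_certificate_policies` yields the two policy OIDs, which `classify_policy` reports as "All Issuance" and "Medium Assurance". Keeping the qualifier as raw DER mirrors the NOCOPYANY OPTIONAL field in the ASN.1: the parser never guesses a type, and a caller that only needs the policy OIDs never has to decode it. The tag checks, length bounds and trailing-byte check are what you want in place before acting on a policy OID taken from a request you did not build yourself.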

Application policies, defined by an IX509ExtensionMSApplicationPolicies object, enable an application to filter certificates by comparing the policy OIDs it will accept to the policy OIDs contained in the certificate. The MSApplicationPolicies extension is very similar to the EnhancedKeyUsage extension but is often used for policy mapping.

Inheritance

The ICertificatePolicy interface inherits from the IDispatch interface. ICertificatePolicy also has these types of members:

Methods

The ICertificatePolicy interface has these methods.

ICertificatePolicy::get_ObjectId
Retrieves an object identifier (OID) for the policy object.

ICertificatePolicy::get_PolicyQualifiers
Retrieves a collection of optional policy qualifiers that can be applied to a certificate policy.

ICertificatePolicy::Initialize
Initializes the object from an object identifier (OID).

Requirements

Requirement | Value
Minimum supported client | Windows Vista [desktop apps only]
Minimum supported server | Windows Server 2008 [desktop apps only]
Target Platform | Windows
Header | certenroll.h

See also

CertEnroll Interfaces

ICertificatePolicies

IDispatch

IX509ExtensionCertificatePolicies