ICertificatePolicy interface (certenroll.h)

The ICertificatePolicy interface can be used to specify a certificate policy that identifies a purpose for which the certificate can be used. The policies are collected into an ICertificatePolicies object that you can use to initialize an IX509ExtensionCertificatePolicies or IX509ExtensionMSApplicationPolicies object.

The following syntax shows the Abstract Syntax Notation One (ASN.1) structure used by both extension objects. The extension values are encoded by using Distinguished Encoding Rules (DER) and included in the certificate request. A certificate policies collection consists of a sequence of object identifiers (OIDs) and optional sequence of policy qualifiers for each policy OID.

Note: Policy qualifiers, defined by the IPolicyQualifier interface, are used by a CertificatePolicies extension but not by an MSApplicationPolicies extension.


-- CertificatePolicies

CertificatePolicies ::= SEQUENCE OF PolicyInformation

PolicyInformation ::= SEQUENCE
{
   policyIdentifier    EncodedObjectID,
   policyQualifiers    PolicyQualifiers OPTIONAL
}

PolicyQualifiers ::= SEQUENCE OF PolicyQualifierInfo

PolicyQualifierInfo ::= SEQUENCE
{
   policyQualifierId   EncodedObjectID,
   qualifier           NOCOPYANY OPTIONAL
}

Issuance policies, defined by an IX509ExtensionCertificatePolicies object, identify the extent to which the identity presented in the certificate is trusted. The following policies are predefined. The x.y.z portion of each OID represents a randomly generated numeric sequence that is unique for each forest. You can also create custom OIDs to represent custom issuance policies.

Policy              Description
All Issuance        Contains all other policies. This is typically assigned only to certification authority certificates. The OID is XCN_OID_ANY_CERT_POLICY.
Low Assurance       Indicates that a certificate is issued with no additional security requirements.
Medium Assurance    Indicates that a certificate issuance has additional security requirements. For example, the policy might require that the certificate subject physically appear before the certification authority.
High Assurance      Indicates that the certificate is issued with the highest security. For example, the issuance of a key recovery agent certificate can require additional background checks and a digital signature from a designated approver, because a person holding this certificate can recover private key material from the CA.

Application policies, defined by an IX509ExtensionMSApplicationPolicies object, enable an application to filter certificates by comparing the policy OIDs it will accept to the policy OIDs contained in the certificate. The MSApplicationPolicies extension is very similar to the EnhancedKeyUsage extension, but it is often used for policy mapping rather than for key-usage restriction.
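The ASN.1 structure above and the application-policy filtering just described are easiest to see with a concrete DER encoding. The following Python is an added example, not Microsoft's code and not part of the CertEnroll API: it encodes a CertificatePolicies value exactly as the ASN.1 above lays it out (EncodedObjectID and NOCOPYANY map to a DER OBJECT IDENTIFIER and to the qualifier's own encoding), decodes it back, and then applies the accept-list check an application performs against the policy OIDs in a certificate. Assumptions: the qualifier is modelled as a CPS URI (policyQualifierId 1.3.6.1.5.5.7.2.1 with an IA5String value, the most common qualifier form), the policy OIDs under the Microsoft issuance-policy arc are constructed placeholders standing in for the per-forest x.y.z values, and XCN_OID_ANY_CERT_POLICY is taken to be 2.5.29.32.0 (anyPolicy), which the filter treats as satisfying every accepted OID because "All Issuance" contains all other policies.

```python
# Added example (not Microsoft's code): DER encode/decode of CertificatePolicies
# plus the accept-list filter an application-policy consumer performs.

ANY_CERT_POLICY = "2.5.29.32.0"          # XCN_OID_ANY_CERT_POLICY (anyPolicy), assumed value
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"           # CPS-pointer qualifier, carried as an IA5String URI
TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 0x06, 0x16, 0x30


def _length(n):
    """DER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bytes carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_certificate_policies(policies):
    """policies: [(policy_oid, [(qualifier_oid, cps_uri), ...]), ...]
    -> DER CertificatePolicies ::= SEQUENCE OF PolicyInformation."""
    infos = []
    for policy_oid, qualifiers in policies:
        body = encode_oid(policy_oid)
        if qualifiers:                   # policyQualifiers is OPTIONAL: omitted when empty
            quals = b"".join(
                _tlv(TAG_SEQUENCE, encode_oid(qid) + _tlv(TAG_IA5STRING, uri.encode("ascii")))
                for qid, uri in qualifiers)
            body += _tlv(TAG_SEQUENCE, quals)
        infos.append(_tlv(TAG_SEQUENCE, body))
    return _tlv(TAG_SEQUENCE, b"".join(infos))


def _read_tlv(buf, pos):
    """Parse one TLV starting at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first, second = (2, arcs[0] - 80) if arcs[0] >= 80 else divmod(arcs[0], 40)
    return ".".join(str(a) for a in [first, second] + arcs[1:])


def decode_certificate_policies(der):
    """Inverse of encode_certificate_policies; returns the same list shape."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    policies, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)
        _, oid, p = _read_tlv(info, 0)
        qualifiers = []
        if p < len(info):                # optional policyQualifiers present
            _, quals, _ = _read_tlv(info, p)
            q = 0
            while q < len(quals):
                _, qinfo, q = _read_tlv(quals, q)
                _, qid, r = _read_tlv(qinfo, 0)
                _, qval, _ = _read_tlv(qinfo, r)
                qualifiers.append((decode_oid(qid), qval.decode("ascii")))
        policies.append((decode_oid(oid), qualifiers))
    return policies


def accepted_policies(der, accepted):
    """Return, sorted, the accepted OIDs this certificate's policies satisfy.
    anyPolicy in the certificate satisfies every accepted OID."""
    present = {oid for oid, _ in decode_certificate_policies(der)}
    if ANY_CERT_POLICY in present:
        return sorted(accepted)
    return sorted(present & set(accepted))


# Constructed sample: two placeholder issuance-policy OIDs, a CPS qualifier on the first.
SAMPLE = [
    ("1.3.6.1.4.1.311.21.8.1.2.3.4", [(ID_QT_CPS, "http://pki.example/cps")]),
    ("1.3.6.1.4.1.311.21.8.1.2.3.5", []),
]
```

Running `encode_certificate_policies(SAMPLE)` and decoding the bytes returns `SAMPLE` unchanged; `accepted_policies(der, {"1.3.6.1.4.1.311.21.8.1.2.3.4", "1.2.3.4"})` returns only the first OID, while a certificate carrying only anyPolicy returns the whole accept list. The decoder stops at the outer SEQUENCE length rather than trusting the inner lengths blindly, which is the behaviour to keep when feeding it untrusted certificate data.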


The ICertificatePolicy interface inherits from the IDispatch interface. ICertificatePolicy also has these types of members:

Methods

The ICertificatePolicy interface has these methods.

ICertificatePolicy::get_ObjectId
Retrieves an object identifier (OID) for the policy object.

ICertificatePolicy::get_PolicyQualifiers
Retrieves a collection of optional policy qualifiers that can be applied to a certificate policy.

ICertificatePolicy::InitializeFromObjectId
Initializes the object from an object identifier (OID).

Requirements

Minimum supported client    Windows Vista [desktop apps only]
Minimum supported server    Windows Server 2008 [desktop apps only]
Target Platform             Windows
Header                      certenroll.h

See also

CertEnroll Interfaces