Supported Extensions
You can use the IX509Extension interface to define an arbitrary extension. The Certificate Enrollment API also provides interfaces derived from IX509Extension to enable you to easily create any of the most common extensions. The following list identifies the common extensions supported by Microsoft certification authorities, and the object identifiers and interfaces that you can use to create them.
AlternativeNames
The alternative names extension can be used to define one or more alternative name forms for the subject of the certificate request. Example alternative forms include email addresses, DNS names, IP addresses, and URIs.
Interface: IX509ExtensionAlternativeNames
OID: XCN_OID_SUBJECT_ALT_NAME2 (2.5.29.17)
AuthorityInformationAccess
The authority information access extension identifies how to access CA information and services. The extension value contains a sequence of URIs.
Interface: IX509Extension
OID: XCN_OID_AUTHORITY_INFO_ACCESS (1.3.6.1.5.5.7.1.1)
AuthorityKeyIdentifier
The authority key identifier extension enables identification of the CA public key that corresponds to the CA private key that signed an issued certificate. It is used by certificate path building software on a Windows server to find the CA certificate. When a CA issues a certificate, the extension value is set equal to the SubjectKeyIdentifier extension in the CA signing certificate. The value is typically a SHA-1 hash of the public key.
Interface: IX509ExtensionAuthorityKeyIdentifier
OID: XCN_OID_AUTHORITY_KEY_IDENTIFIER2 (2.5.29.35)
BasicConstraints
The basic constraints extension can be used to identify whether the entity can be used as a certification authority (CA) and, if so, the number of subordinate CAs that can exist beneath it in the certificate chain.
Interface: IX509ExtensionBasicConstraints
OID: XCN_OID_BASIC_CONSTRAINTS2 (2.5.29.19)
CertificatePolicies
The certificate policies extension can be used to identify the policies under which the certificate has been issued and the purposes for it can be used. These are identified by a collection of object identifiers (OIDs). Policies are customized for the requirements of an organization.
Interface: IX509ExtensionCertificatePolicies
OID: XCN_OID_CERT_POLICIES (2.5.29.32)
CrlDistributionPoints
The certificate revocation list (CRL) distribution points extension contains the URI of the base certificate revocation list (CRL).
Interface: IX509Extension
OID: XCN_OID_CRL_DIST_POINTS (2.5.29.31)
EnhancedKeyUsage
The enhanced key usage extension can be used to define one or more uses of the public key contained in the certificate.
Interface: IX509ExtensionEnhancedKeyUsage
OID: XCN_OID_ENHANCED_KEY_USAGE (2.5.29.37)
FreshestCRL
The freshest CRL extension contains the URI of the delta CRL. The same ASN.1 syntax is used for this extension and the CrlDistributionPoints extension.
Interface: IX509Extension
OID: XCN_OID_FRESHEST_CRL (2.5.29.46)
KeyUsage
The key usage extension can be used to define restrictions on the operations that can be performed by the public key contained in the certificate. For example, you can specify that the public key be used only to create a digital signature, sign a certificate revocation list (CRL), or encrypt another key.
Interface: IX509ExtensionKeyUsage
OID: XCN_OID_KEY_USAGE (2.5.29.15)
MSApplicationPolicies
The Microsoft application policies extension can be used by an application to filter certificates on the basis of permitted use. Permitted uses are identified by OIDs. This extension is similar to the EnhancedKeyUsage extension but with stricter semantics applied to the parent CA. The extension is Microsoft specific. For non-Windows-based verifiers that do not support this extension, this extension can be ignored—even when marked critical—if the ExtendedKeyUsage extension is also present.
Interface: IX509ExtensionMSApplicationPolicies
OID: XCN_OID_APPLICATION_CERT_POLICIES (1.3.6.1.4.1.311.21.10)
NameConstraints
The name constraints extension is used to identify the namespace within which all subject names of certificates in a certificate hierarchy must be located. The extension is used only in a CA certificate.
Interface: IX509Extension
OID: XCN_OID_NAME_CONSTRAINTS (2.5.29.30)
PolicyConstraints
The policy constraints extension is added to CA certificates to constrain path validation by prohibiting policy mapping or by requiring that each certificate in the hierarchy contain an acceptable policy identifier.
Interface: IX509Extension
OID: XCN_OID_POLICY_CONSTRAINTS (2.5.29.36)
PolicyMappings
The policy mappings extension is used to identify the policies in a subordinate CA that correspond to policies in the issuing CA. The extension value contains a sequence of issuing CA and subordinate CA policy mappings represented by object identifiers.
Interface: IX509Extension
OID: XCN_OID_POLICY_MAPPINGS (2.5.29.33)
PrivateKeyUsagePeriod
The private key usage period extension is used to specify a different validity period for the private key than for the certificate with which the key is associated.
Interface: IX509Extension
OID: XCN_OID_PRIVATEKEY_USAGE_PERIOD (2.5.29.16)
SmimeCapabilities
The Secure/Multipurpose Internet Mail Extensions (S/MIME) capabilities extension can be used to report an email recipient's decryption capabilities to the sender of the email message so that the sender can choose the most secure encryption algorithm supported by both parties. The extension value contains a collection of symmetric encryption algorithm OIDs and an optional encryption strength for each.
Interface: IX509ExtensionSmimeCapabilities
OID: XCN_OID_RSA_SMIMECapabilities (1.2.840.113549.1.9.15)
SubjectDirectoryAttributes
The subject directory attributes extension can be used to convey identification attributes such as the nationality of the certificate subject. The extension value is a sequence of OID-value pairs.
Interface: IX509Extension
OID: XCN_OID_SUBJECT_DIR_ATTRS (2.5.29.9)
SubjectKeyIdentifier
The subject key identifier extension can be used to differentiate between multiple public keys held by the certificate subject. The extension value is typically a SHA-1 hash of the key.
Interface: IX509ExtensionSubjectKeyIdentifier
OID: XCN_OID_SUBJECT_KEY_IDENTIFIER (2.5.29.14)
Template
The template extension can be used to identify the version 2 template to use when issuing or renewing a certificate. The extension value contains the template OID and optional version information. The extension is Microsoft specific.
Interface: IX509ExtensionTemplate
OID: XCN_OID_CERTIFICATE_TEMPLATE (1.3.6.1.4.1.311.21.7)
TemplateName
The template name extension can be used to identify the version 1 template to use when issuing or renewing a certificate. The extension value contains the name of the template. The extension is Microsoft specific.
Interface: IX509ExtensionTemplateName
OID: XCN_OID_ENROLL_CERTTYPE_EXTENSION (1.3.6.1.4.1.311.20.2)
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for