You can use the IX509Extension interface to define an arbitrary extension. The Certificate Enrollment API also provides interfaces derived from IX509Extension to enable you to easily create any of the most common extensions. The following list identifies the common extensions supported by Microsoft certification authorities, and the object identifiers and interfaces that you can use to create them.
AlternativeNames
The alternative names extension can be used to define one or more alternative name forms for the subject of the certificate request. Example alternative forms include email addresses, DNS names, IP addresses, and URIs.
AuthorityKeyIdentifier
The authority key identifier extension enables identification of the CA public key that corresponds to the CA private key that signed an issued certificate. It is used by certificate path building software on a Windows server to find the CA certificate. When a CA issues a certificate, the extension value is set equal to the SubjectKeyIdentifier extension in the CA signing certificate. The value is typically a SHA-1 hash of the public key.
BasicConstraints
The basic constraints extension can be used to identify whether the entity can be used as a certification authority (CA) and, if so, the number of subordinate CAs that can exist beneath it in the certificate chain.
CertificatePolicies
The certificate policies extension can be used to identify the policies under which the certificate has been issued and the purposes for which it can be used. These are identified by a collection of object identifiers (OIDs). Policies are customized for the requirements of an organization.
FreshestCRL
The freshest CRL extension contains the URI of the delta CRL. The same ASN.1 syntax is used for this extension and the CrlDistributionPoints extension.
KeyUsage
The key usage extension can be used to define restrictions on the operations that can be performed by the public key contained in the certificate. For example, you can specify that the public key be used only to create a digital signature, sign a certificate revocation list (CRL), or encrypt another key.
MSApplicationPolicies
The Microsoft application policies extension can be used by an application to filter certificates on the basis of permitted use. Permitted uses are identified by OIDs. This extension is similar to the EnhancedKeyUsage extension but with stricter semantics applied to the parent CA. The extension is Microsoft specific. For non-Windows-based verifiers that do not support this extension, this extension can be ignored—even when marked critical—if the ExtendedKeyUsage extension is also present.
NameConstraints
The name constraints extension is used to identify the namespace within which all subject names of certificates in a certificate hierarchy must be located. The extension is used only in a CA certificate.
PolicyConstraints
The policy constraints extension is added to CA certificates to constrain path validation by prohibiting policy mapping or by requiring that each certificate in the hierarchy contain an acceptable policy identifier.
PolicyMappings
The policy mappings extension is used to identify the policies in a subordinate CA that correspond to policies in the issuing CA. The extension value contains a sequence of issuing CA and subordinate CA policy mappings represented by object identifiers.
PrivateKeyUsagePeriod
The private key usage period extension is used to specify a different validity period for the private key than for the certificate with which the key is associated.
SMIMECapabilities
The Secure/Multipurpose Internet Mail Extensions (S/MIME) capabilities extension can be used to report an email recipient's decryption capabilities to the sender of the email message so that the sender can choose the most secure encryption algorithm supported by both parties. The extension value contains a collection of symmetric encryption algorithm OIDs and an optional encryption strength for each.
SubjectDirectoryAttributes
The subject directory attributes extension can be used to convey identification attributes such as the nationality of the certificate subject. The extension value is a sequence of OID-value pairs.
SubjectKeyIdentifier
The subject key identifier extension can be used to differentiate between multiple public keys held by the certificate subject. The extension value is typically a SHA-1 hash of the key.
Template
The template extension can be used to identify the version 2 template to use when issuing or renewing a certificate. The extension value contains the template OID and optional version information. The extension is Microsoft specific.
TemplateName
The template name extension can be used to identify the version 1 template to use when issuing or renewing a certificate. The extension value contains the name of the template. The extension is Microsoft specific.
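As an added example that is not part of the original documentation, the following PowerShell script drives the Certificate Enrollment COM objects to build a PKCS#10 request whose extensions limit the resulting certificate to a single, narrow use: a critical KeyUsage, a critical BasicConstraints marking it an end entity, subject alternative names, and an EnhancedKeyUsage restricted to server authentication. The subject name, DNS names, provider and key length are assumed placeholder values.

```powershell
# Key usage: allow only digital signature and key encipherment
# (XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80, XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20)
$keyUsage = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
$keyUsage.InitializeEncode(0x80 -bor 0x20)
$keyUsage.Critical = $true    # verifiers must honour the restriction or reject the cert

# Basic constraints: end-entity certificate (IsCA = false, no path length limit)
$basic = New-Object -ComObject X509Enrollment.CX509ExtensionBasicConstraints
$basic.InitializeEncode($false, -1)
$basic.Critical = $true

# Subject alternative names: DNS entries (XCN_CERT_ALT_NAME_DNS_NAME = 3); placeholder hosts
$altNames = New-Object -ComObject X509Enrollment.CAlternativeNames
foreach ($dns in @("www.example.test", "example.test")) {
    $name = New-Object -ComObject X509Enrollment.CAlternativeName
    $name.InitializeFromString(3, $dns)
    $altNames.Add($name)
}
$san = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
$san.InitializeEncode($altNames)

# Enhanced key usage: id-kp-serverAuth only, so the cert cannot be used for e.g. code signing
$oids = New-Object -ComObject X509Enrollment.CObjectIds
$oid = New-Object -ComObject X509Enrollment.CObjectId
$oid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$oids.Add($oid)
$eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
$eku.InitializeEncode($oids)

# Non-exportable 2048-bit RSA key in the current user's store (assumed provider)
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
$key.KeySpec = 1              # XCN_AT_KEYEXCHANGE
$key.Length = 2048
$key.ExportPolicy = 0         # XCN_NCRYPT_ALLOW_EXPORT_NONE
$key.MachineContext = $false
$key.Create()

# PKCS#10 request in the user context (ContextUser = 1), no template name
$request = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$request.InitializeFromPrivateKey(1, $key, "")
$subject = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$subject.Encode("CN=www.example.test", 0)   # XCN_CERT_NAME_STR_NONE
$request.Subject = $subject
foreach ($ext in @($keyUsage, $basic, $san, $eku)) { $request.X509Extensions.Add($ext) }
$request.Encode()

# Wrap the request and emit it as Base64 (XCN_CRYPT_STRING_BASE64 = 1) for submission to a CA
$enrollment = New-Object -ComObject X509Enrollment.CX509Enrollment
$enrollment.InitializeFromRequest($request)
$enrollment.CreateRequest(1)
```

The Base64 output can be inspected with certutil before submission to confirm that each extension was encoded with the intended criticality.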