IX509ExtensionKeyUsage interface (certenroll.h)

The IX509ExtensionKeyUsage interface can be used to define restrictions on the operations that can be performed by the public key contained in the certificate. This is the same purpose as that served by the EnhancedKeyUsage extension, but KeyUsage predates that extension and defines a more limited set of restrictions. The following syntax shows the Abstract Syntax Notation One (ASN.1) structure of the extension. The extension value is encoded by using Distinguished Encoding Rules (DER) and included in the certificate request.

-- KeyUsage

KeyUsageExtension ::= Bits

The possible restrictions are defined by using a bitwise-OR combination of the values in the X509KeyUsageFlags enumeration.
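The encoding described above, as an added example (not part of the original page and not CertEnroll's implementation): a Python model of how a bitwise-OR of X509KeyUsageFlags values maps to the DER BIT STRING extension value and back. The function names are hypothetical; the constants are the enumeration's values, and the decoder is deliberately strict about DER canonical form.

```python
# Added example, not CertEnroll code: models the DER value of the KeyUsage extension.
# Values are those of the X509KeyUsageFlags enumeration in certenroll.h.
FLAGS = {
    "XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE": 0x80,
    "XCN_CERT_NON_REPUDIATION_KEY_USAGE": 0x40,
    "XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE": 0x20,
    "XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE": 0x10,
    "XCN_CERT_KEY_AGREEMENT_KEY_USAGE": 0x08,
    "XCN_CERT_KEY_CERT_SIGN_KEY_USAGE": 0x04,
    "XCN_CERT_CRL_SIGN_KEY_USAGE": 0x02,
    "XCN_CERT_ENCIPHER_ONLY_KEY_USAGE": 0x01,
    "XCN_CERT_DECIPHER_ONLY_KEY_USAGE": 0x8000,
}
KNOWN = 0x80FF  # bitwise-OR of every value above


def encode_key_usage(flags: int) -> bytes:
    """Return the DER BIT STRING for a bitwise-OR of flag values."""
    if flags & ~KNOWN:
        raise ValueError("unknown key usage bits")
    # The low byte is the first content octet, the high byte the second.
    octets = flags.to_bytes(2, "little").rstrip(b"\x00")
    unused = 0
    # DER drops trailing zero bits of a named-bit list and counts them.
    while octets and not (octets[-1] >> unused) & 1:
        unused += 1
    content = bytes([unused]) + octets
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der: bytes) -> int:
    """Strictly parse a DER BIT STRING back into an X509KeyUsageFlags value."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, octets = der[2], der[3:]
    if unused > 7 or len(octets) > 2 or (not octets and unused):
        raise ValueError("invalid BIT STRING for KeyUsage")
    # DER: padding bits are zero and the last bit before the padding is set.
    if octets and (octets[-1] & ((2 << unused) - 1)) != 1 << unused:
        raise ValueError("non-canonical DER encoding")
    flags = int.from_bytes(octets, "little")
    if flags & ~KNOWN:
        raise ValueError("unknown key usage bits")
    return flags


def flag_names(flags: int) -> list:
    """List the enumeration names set in a flag value."""
    return [name for name, bit in FLAGS.items() if flags & bit]
```

A request-review script can run the decoder over the extension value of an incoming request and compare the resulting flags against what the certificate template allows, for example rejecting XCN_CERT_KEY_CERT_SIGN_KEY_USAGE on an end-entity request.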

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.


The IX509ExtensionKeyUsage interface inherits from IX509Extension.

The IX509ExtensionKeyUsage interface has these methods.

IX509ExtensionKeyUsage::get_KeyUsage
Retrieves the restrictions placed on the public key.

IX509ExtensionKeyUsage::InitializeDecode
Initializes the extension from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value.

IX509ExtensionKeyUsage::InitializeEncode
Initializes the extension by using the X509KeyUsageFlags enumeration.


Minimum supported client: Windows Vista [desktop apps only]
Minimum supported server: Windows Server 2008 [desktop apps only]
Target Platform: Windows
Header: certenroll.h

See also

Certificate Enrollment API