IX509ExtensionBasicConstraints interface (certenroll.h)

The IX509ExtensionBasicConstraints interface enables you to specify whether the certificate subject is a certification authority and, if so, the depth of the subordinate certification authority chain that can exist beneath the certification authority for which this extension ID is defined. This extension must be marked Critical in any certification authority certificate that contains a public key used to validate a digital signature on a certificate. The following syntax shows the Abstract Syntax Notation One (ASN.1) structure of the extension. The extension value is encoded by using Distinguished Encoding Rules (DER) and is included in the certificate request.

-- Basic Constraints

BasicConstraints2 ::= SEQUENCE 
   cA                  BOOLEAN DEFAULT FALSE,
   pathLenConstraint   INTEGER OPTIONAL
To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.


The IX509ExtensionBasicConstraints interface inherits from IX509Extension. IX509ExtensionBasicConstraints also has these types of members:


The IX509ExtensionBasicConstraints interface has these methods.

Method Description
IX509ExtensionBasicConstraints::get_IsCA Retrieves a Boolean value that identifies whether the subject of the certificate is a certification authority (CA).
IX509ExtensionBasicConstraints::get_PathLenConstraint Retrieves the depth of the subordinate certification authority chain.
IX509ExtensionBasicConstraints::InitializeDecode Initializes the extension from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value.
IX509ExtensionBasicConstraints::InitializeEncode Initializes the extension from a Boolean value that indicates whether the certificate subject is a certification authority (CA) and an integer that contains the depth of the subordinate CA chain.


Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

Certificate Enrollment API