IX509ExtensionCertificatePolicies interface (certenroll.h)

The IX509ExtensionCertificatePolicies interface enables you to specify a collection of policy information terms, each of which consists of an object identifier (OID) and optional policy qualifiers. A single policy term is defined by an ICertificatePolicy object. The following syntax shows the Abstract Syntax Notation One (ASN.1) structure of the extension. The extension value is encoded by using Distinguished Encoding Rules (DER) and included in the certificate request.

-- CertificatePolicies

CertificatePolicies ::= SEQUENCE OF PolicyInformation

PolicyInformation ::= SEQUENCE 
   policyIdentifier    EncodedObjectID,
   policyQualifiers    PolicyQualifiers OPTIONAL

PolicyQualifiers ::=  SEQUENCE OF PolicyQualifierInfo

PolicyQualifierInfo ::= SEQUENCE 
   policyQualifierId   EncodedObjectID,
   qualifier           NOCOPYANY OPTIONAL

-- UserNotice qualifier

UserNotice ::= SEQUENCE 
   noticeRef,      -- Not supported
   explicitText    -- Not supported

-- Certification Practice Statement (CPS) qualifier

   url                 IA5String,
   digestAlgorithmId,  -- Not supported
   digest              -- Not supported

-- CertificatePolicies95, XCN_OID_CERT_POLICIES_95 (,
-- supports the deprecated definition of policies and qualifiers.

CertificatePolicies95 ::= SEQUENCE OF PolicyQualifiers
When included in a certificate issued to an end entity, this extension identifies the policies under which the certificate was issued and the purposes for which the certificate can be used. Applications that have specific policy requirements should compare these to the collection of policy object identifiers (OIDs) in the certificate.

When included in a certification authority certificate, this extension limits the set of policies for the certification paths extending from the certification authority certificate. If a certification authority does not want to limit this set, it can assert XCN_OID_ANY_CERT_POLICY (

This extension is supported on Windows Server 2003 and later certification authorities. The following policies are predefined. The x.y.z portion of each OID represents a randomly generated numeric sequence that is unique for each forest. You can also create custom OIDs to represent custom issuance policies.

Policy Description
All Issuance( Contains all other policies. This is typically assigned only to certification authority certificates. The OID is XCN_OID_ANY_CERT_POLICY.
Low Assurance( Indicates that a certificate is issued with no additional security requirements.
Medium Assurance ( Indicates that a certificate issuance has additional security requirements. For example, the policy might require that the certificate subject physically appear before the certification authority.
High Assurance ( Indicates that the certificate is issued with the highest security. For example, the issuance of a key recovery agent certificate can require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from the certification authority.

Policy qualifiers can be used when an OID is considered insufficient to fully identify a policy. Qualifiers are defined by using the IPolicyQualifier interface and can be associated with a policy by adding qualifiers to the IPolicyQualifiers collection retrieved from an ICertificatePolicy object. A Windows certification authority supports the following qualifiers.

Value Description
XCN_OID_PKIX_POLICY_QUALIFIER_USERNOTICE( Contains a notice to be displayed to any user who relies on the certificate.
XCN_OID_PKIX_POLICY_QUALIFIER_CPS( Identifies a pointer to a URI that contains the Certification Practice Statement (CPS) defined by the certification authority.

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.


The IX509ExtensionCertificatePolicies interface inherits from IX509Extension. IX509ExtensionCertificatePolicies also has these types of members:


The IX509ExtensionCertificatePolicies interface has these methods.


Retrieves a collection of certificate policies.

Initializes the object from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value.

Initializes the object from an ICertificatePolicies collection.


Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

Certificate Enrollment API