IX509ExtensionMSApplicationPolicies interface (certenroll.h)

The IX509ExtensionMSApplicationPolicies interface enables you to specify a collection of object identifiers (OIDs) that indicate how a certificate can be used by an application. It is therefore similar to the EnhancedKeyUsage (EKU) extension. You can define your own OIDs or use any of the following EKU OIDs.

Value Description
XCN_OID_ANY_APPLICATION_POLICY(1.3.6.1.4.1.311.10.12.1) The applications that can use the certificate are not restricted.
XCN_OID_AUTO_ENROLL_CTL_USAGE(1.3.6.1.4.1.311.20.1) The certificate can be used to sign a request for automatic enrollment in a certificate trust list (CTL).
XCN_OID_DRM(1.3.6.1.4.1.311.10.5.1) The certificate can be used for digital rights management applications.
XCN_OID_DS_EMAIL_REPLICATION(1.3.6.1.4.1.311.21.19) The certificate can be used for Directory Service email replication.
XCN_OID_EFS_RECOVERY(1.3.6.1.4.1.311.10.3.4.1) The certificate can be used for recovery of documents protected by using Encrypting File System (EFS).
XCN_OID_EMBEDDED_NT_CRYPTO(1.3.6.1.4.1.311.10.3.8) The certificate can be used for Windows NT Embedded cryptography.
XCN_OID_ENROLLMENT_AGENT(1.3.6.1.4.1.311.20.2.1) The certificate can be used by an enrollment agent.
XCN_OID_IPSEC_KP_IKE_INTERMEDIATE(1.3.6.1.5.5.8.2.2) The certificate can be used for Internet Key Exchange (IKE).
XCN_OID_KP_CA_EXCHANGE(1.3.6.1.4.1.311.21.5) The certificate can be used for archiving a private key on a certification authority.
XCN_OID_KP_CTL_USAGE_SIGNING(1.3.6.1.4.1.311.10.3.1) The certificate can be used to sign a CTL.
XCN_OID_KP_DOCUMENT_SIGNING(1.3.6.1.4.1.311.10.3.12) The certificate can be used for signing documents.
XCN_OID_KP_EFS(1.3.6.1.4.1.311.10.3.4) The certificate can be used to encrypt files by using the Encrypting File System.
XCN_OID_KP_KEY_RECOVERY(1.3.6.1.4.1.311.10.3.11) The certificate can be used to encrypt and recover escrowed keys.
XCN_OID_KP_KEY_RECOVERY_AGENT(1.3.6.1.4.1.311.21.6) The certificate is used to identify a key recovery agent.
XCN_OID_KP_LIFETIME_SIGNING(1.3.6.1.4.1.311.10.3.13) Limits the validity period of a signature to the validity period of the certificate. This restriction is typically used with the XCN_OID_PKIX_KP_CODE_SIGNING OID value to indicate that new time stamp semantics should be used.
XCN_OID_KP_QUALIFIED_SUBORDINATION(1.3.6.1.4.1.311.10.3.10) The certificate can be used to sign cross certificate and subordinate certification authority certificate requests. Qualified subordination is implemented by applying basic constraints, certificate policies, and application policies. Cross certification typically requires policy mapping.
XCN_OID_KP_SMARTCARD_LOGON(1.3.6.1.4.1.311.20.2.2) The certificate enables an individual to log on to a computer by using a smart card.
XCN_OID_KP_TIME_STAMP_SIGNING(1.3.6.1.4.1.311.10.3.2) The certificate can be used to sign a time stamp to be added to a document. Time stamp signing is typically part of a time stamping service.
XCN_OID_LICENSE_SERVER(1.3.6.1.4.1.311.10.6.2) The certificate can be used by a license server when transacting with Microsoft to receive licenses for Terminal Services clients.
XCN_OID_LICENSES(1.3.6.1.4.1.311.10.6.1) The certificate can be used for key pack licenses.
XCN_OID_NT5_CRYPTO(1.3.6.1.4.1.311.10.3.7) The certificate can be used for Windows Server 2003, Windows XP, and Windows 2000 cryptography.
XCN_OID_OEM_WHQL_CRYPTO(1.3.6.1.4.1.311.10.3.7) The certificate can be used for Original Equipment Manufacturer (OEM) Windows Hardware Quality Labs (WHQL) cryptography.
XCN_OID_PKIX_KP_CLIENT_AUTH(1.3.6.1.5.5.7.3.2) The certificate can be used for authenticating a client.
XCN_OID_PKIX_KP_CODE_SIGNING(1.3.6.1.5.5.7.3.3) The certificate can be used for signing code.
XCN_OID_PKIX_KP_EMAIL_PROTECTION(1.3.6.1.5.5.7.3.4) The certificate can be used to encrypt email messages.
XCN_OID_PKIX_KP_IPSEC_END_SYSTEM(1.3.6.1.5.5.7.3.5) The certificate can be used for signing end-to-end Internet Protocol Security (IPSEC) communication.
XCN_OID_PKIX_KP_IPSEC_TUNNEL(1.3.6.1.5.5.7.3.6) The certificate can be used for signing IPSEC communication in tunnel mode.
XCN_OID_PKIX_KP_IPSEC_USER(1.3.6.1.5.5.7.3.7) The certificate can be used for an IPSEC user.
XCN_OID_PKIX_KP_OCSP_SIGNING(1.3.6.1.5.5.7.3.9) The certificate can be used for Online Certificate Status Protocol (OCSP) signing.
XCN_OID_PKIX_KP_SERVER_AUTH(1.3.6.1.5.5.7.3.1) The certificate can be used for OCSP authentication.
XCN_OID_PKIX_KP_TIMESTAMP_SIGNING(1.3.6.1.5.5.7.3.8) The certificate can be used for signing public key infrastructure timestamps.
XCN_OID_ROOT_LIST_SIGNER(1.3.6.1.4.1.311.10.3.9) The certificate can be used to sign a certificate root list.
XCN_OID_WHQL_CRYPTO(1.3.6.1.4.1.311.10.3.5) The certificate can be used for Windows Hardware Quality Labs (WHQL) cryptography.

A single policy is defined by an ICertificatePolicy object. A collection is defined by an ICertificatePolicies object. You can use the collection to initialize an IX509ExtensionMSApplicationPolicies object.

You can use this extension to specify which applications can use a certificate or force an application to accept only certificates for which certain OIDs have been listed. Typically, the application reviews the certificate to ensure that the MSApplicationPolicies extension contains the required OIDs.

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see PKCS #10 Extensions and CMC Extensions.
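The following PowerShell script is an added example, not code from this page: it builds an ICertificatePolicies collection from two OIDs in the table above, encodes the extension with InitializeEncode, adds it to a PKCS #10 request through the request's IX509Extensions collection, and then performs the relying-application check described above by decoding the value with InitializeDecode and testing for required OIDs. It assumes a Windows host with the CertEnroll COM ProgIDs (X509Enrollment.*) available; the function names are the author's own.

```powershell
# Added example (not from the page). Requires Windows: uses the CertEnroll COM ProgIDs.
$XCN_CRYPT_STRING_BASE64 = 1   # EncodingType value for RawData/InitializeDecode
$ContextUser             = 1   # X509CertificateEnrollmentContext value
# Build ICertificatePolicies from OIDs, then encode the extension from it.
function New-AppPoliciesExtension {
    param([string[]]$Oids)
    $policies = New-Object -ComObject X509Enrollment.CCertificatePolicies
    foreach ($oid in $Oids) {
        $objectId = New-Object -ComObject X509Enrollment.CObjectId
        $objectId.InitializeFromValue($oid)
        $policy = New-Object -ComObject X509Enrollment.CCertificatePolicy
        $policy.Initialize($objectId)
        $policies.Add($policy)
    }
    $ext = New-Object -ComObject X509Enrollment.CX509ExtensionMSApplicationPolicies
    $ext.InitializeEncode($policies)      # $ext.ObjectId.Value now reports 1.3.6.1.4.1.311.21.10
    return $ext
}

# Decode an extension value (base64-encoded DER) and list the policy OIDs it carries.
function Get-AppPolicyOids {
    param([string]$Base64Der)
    $ext = New-Object -ComObject X509Enrollment.CX509ExtensionMSApplicationPolicies
    $ext.InitializeDecode($XCN_CRYPT_STRING_BASE64, $Base64Der)
    for ($i = 0; $i -lt $ext.Policies.Count; $i++) {
        $ext.Policies.ItemByIndex($i).ObjectId.Value
    }
}

# The relying-application check: every required OID must be present in the extension.
function Test-RequiredPolicies {
    param([string[]]$Present, [string[]]$Required)
    foreach ($r in $Required) { if ($Present -notcontains $r) { return $false } }
    return $true
}
# Restrict the certificate to smart card logon and client authentication only.
$ext = New-AppPoliciesExtension -Oids '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.5.7.3.2'
# Add it to a PKCS #10 request through the request's IX509Extensions collection.
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName = 'Microsoft Software Key Storage Provider'
$key.Length = 2048
$key.Create()
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeFromPrivateKey($ContextUser, $key, '')
$req.X509Extensions.Add($ext)
# Round-trip the encoded value and verify the policy set: smart card logon is present,
# code signing (1.3.6.1.5.5.7.3.3) is not, so a code-signing verifier must reject it.
$oids = Get-AppPolicyOids -Base64Der $ext.RawData($XCN_CRYPT_STRING_BASE64)
Test-RequiredPolicies -Present $oids -Required '1.3.6.1.4.1.311.20.2.2'
Test-RequiredPolicies -Present $oids -Required '1.3.6.1.5.5.7.3.3'
```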

Inheritance

The IX509ExtensionMSApplicationPolicies interface inherits from IX509Extension. IX509ExtensionMSApplicationPolicies also has these types of members:

Methods

The IX509ExtensionMSApplicationPolicies interface has these methods.

IX509ExtensionMSApplicationPolicies::get_Policies

Retrieves a collection of application policies.
IX509ExtensionMSApplicationPolicies::InitializeDecode

Initializes the extension from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value. (IX509ExtensionMSApplicationPolicies.InitializeDecode)
IX509ExtensionMSApplicationPolicies::InitializeEncode

Initializes the extension from an ICertificatePolicies collection.

Requirements

Requirement Value
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

Certificate Enrollment API

Extensions

IX509Extension