Certificate policies

PKITP supports CA and server application-defined certificate policies. CAs can and, in most cases, do establish their own policies for issuing certificates. These policies are declared within issued certificates through the CertificatePolicies extension. When this extension exists and is not marked critical, the extension is for informational purposes only - for example, specifying the URL for locating the CA's certificate practice statement (CPS). When this extension exists and is marked critical, the policies identified in the extension restrict the use of the certificate. These restrictions apply to subordinate CA certificates and to end-entity certificates. (For information about how PKI Services supports the CertificatePolicies extension, see Using certificate policies.)

Similarly, a server application can be a general application that wants to verify certificates for no specific policy or can be an application that was written for a specific purpose and wants to verify certificates that are issued for that purpose (policy).

If the server application specifies an explicit set of policies, then at least one of these policies must be present in each certificate of the certification path (chain). Additionally, PKITP extracts the certificate policies marked critical from each certificate in the chain to determine the intersection - that is, only policies that are listed in every critically marked CertificatePolicies extension are retained. The server application must indicate that it supports at least one of these policies. If either test fails, certificate validation fails.
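The two tests above are easy to get subtly wrong, in particular the case where every certificate carries one of the application's policies yet the critical extensions have no policy in common. The following model, added here as an illustration and not PKITP or System SSL code, works through both tests on constructed in-memory certificate records. It assumes that a general application which declares no policy set performs neither test, that the chain being checked excludes the trust anchor (the text says the restrictions apply to subordinate CA and end-entity certificates), and it uses policy OIDs under the 2.999 example arc; the record and function names are the example's own.

```python
"""Model of PKITP-style certificate policy validation (added example,
not PKITP or System SSL code). Certificates are constructed records
holding only the fields the two policy tests need."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed policy OIDs under the 2.999 example arc (not real CA policies).
POLICY_A = "2.999.1"
POLICY_B = "2.999.2"
POLICY_C = "2.999.3"


@dataclass(frozen=True)
class CertPolicies:
    """The CertificatePolicies extension of one certificate in the chain.

    policies: policy OIDs listed in the extension (empty if absent).
    critical: True when the extension is marked critical, in which case
              the listed policies restrict use of the certificate.
    """
    subject: str
    policies: FrozenSet[str] = frozenset()
    critical: bool = False


def critical_policy_intersection(chain: List[CertPolicies]) -> Optional[FrozenSet[str]]:
    """Intersect the policy sets of every certificate whose extension is critical.

    Returns None when no certificate in the chain carries a critical
    CertificatePolicies extension (nothing restricts the chain); otherwise
    the set of OIDs present in every critical extension, possibly empty.
    """
    common: Optional[FrozenSet[str]] = None
    for cert in chain:
        if cert.critical:
            common = cert.policies if common is None else common & cert.policies
    return common


def validate_policies(chain: List[CertPolicies],
                      app_policies: Optional[FrozenSet[str]]) -> Tuple[bool, str]:
    """Apply the two policy tests to a chain (trust anchor excluded).

    app_policies: the explicit policy set the server application verifies
    for, or None for a general application with no specific policy.
    Returns (passed, reason).
    """
    if app_policies is None:
        # Assumption of this example: with no declared policy set, neither test runs.
        return True, "no application policy set; policy tests skipped"

    # Test 1: every certificate in the chain lists at least one application policy.
    for cert in chain:
        if not (cert.policies & app_policies):
            return False, f"{cert.subject}: none of the application's policies present"

    # Test 2: the application supports a policy common to all critical extensions.
    common = critical_policy_intersection(chain)
    if common is not None and not (common & app_policies):
        return False, ("application supports none of the policies common to every "
                       f"critical CertificatePolicies extension ({sorted(common)})")
    return True, "policy tests passed"


# Constructed chain, subordinate CAs first, end entity last.
RESTRICTED_CHAIN = [
    CertPolicies("CN=Sub CA 1", frozenset({POLICY_A, POLICY_B}), critical=True),
    CertPolicies("CN=Sub CA 2", frozenset({POLICY_B, POLICY_C}), critical=True),
    CertPolicies("CN=server.example", frozenset({POLICY_A, POLICY_C}), critical=False),
]

# Constructed chain whose extensions are informational only (not critical).
INFO_ONLY_CHAIN = [
    CertPolicies("CN=Sub CA", frozenset({POLICY_A}), critical=False),
    CertPolicies("CN=server.example", frozenset({POLICY_A}), critical=False),
]


if __name__ == "__main__":
    for label, app in [("A only", {POLICY_A}), ("A and C", {POLICY_A, POLICY_C}),
                       ("A, B and C", {POLICY_A, POLICY_B, POLICY_C})]:
        print(label, validate_policies(RESTRICTED_CHAIN, frozenset(app)))
```

The "A and C" case is the one worth remembering: test 1 passes for every certificate, but the critical extensions of the two subordinate CAs only share policy B, which the application does not support, so validation still fails.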