Using Application Policies
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certificates provide important information that is not specific to an application. However, you might need to define which applications can be used in conjunction with certain certificates. Application policy allows you to ensure that certificates are only used with the applications that you specify.
An application can also be written to accept only certificates that contain specific application policies. When the application receives signed information from a user, the application reviews the certificate associated with the private key used to sign the information, and ensures that the application policy extension contains the object identifiers required by the application.
Application policies are similar to the Extend Key Usage (EKU) extension in a certificate, as both use one or more object identifiers to prescribe how the public key in a certificate must be used. Windows Server 2003 supports Extend Key Usage to support PKIs that use this extension, but application policies are used in place of EKU.
Application policy is Microsoft specific and is treated much like Extended Key Usage. If a certificate has an extension containing an application policy and also has an EKU extension, the EKU extension is ignored. If, however, a certificate has only an EKU extension, the EKU extension is treated like an application policy extension. If a certificate has an application policy extension and an EKU property, the effective policy for the certificate is the common policy between the EKU property object identifiers and the application policy object identifiers.
If you are issuing certificates that include both application policy and EKU extensions, ensure that the two extensions contain identical object identifiers.