Application Policy

Applies To: Windows Server 2008 R2

Application policies give you the important ability to decide which certificates can be used for certain purposes. This allows you to issue certificates widely without being concerned that they are used for an unintended purpose.

Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are represented in a certificate by an object identifier (also known as an OID) that is defined for a given application. This object identifier is included in the issued certificate. When a subject presents its certificate, the certificate can be examined by the certificate recipient to verify the application policy and determine if the subject can perform the requested action.

Application policies are sometimes called extended key usage or enhanced key usage. Because some implementations of public key infrastructure (PKI) applications cannot interpret application policies, both application policies and enhanced key usage sections appear in certificates issued by a Windows Server–based certification authority (CA). The following table lists some commonly used application policies.

| Purpose | Object Identifier |
| --- | --- |
| Client Authentication | 1.3.6.1.5.5.7.3.2 |
| CA Encryption Certificate | 1.3.6.1.4.1.311.21.5 |
| Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 |
| Document Signing | 1.3.6.1.4.1.311.10.3.12 |
| File Recovery | 1.3.6.1.4.1.311.10.3.4.1 |
| Key Recovery | 1.3.6.1.4.1.311.10.3.11 |
| Microsoft Trust List Signing | 1.3.6.1.4.1.311.10.3.1 |
| Qualified Subordination | 1.3.6.1.4.1.311.10.3.10 |
| Root List Signer | 1.3.6.1.4.1.311.10.3.9 |
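The recipient-side check described above can be sketched as follows. This is an added example, not code from the original page or from Microsoft: it decodes the raw values of the enhanced key usage and application policies extensions and accepts a certificate only if every extension that is present lists the required object identifier. The function names, the sample bytes, and the choice to reject a certificate that carries neither extension are assumptions made for the example.

```python
# Added example; the sample bytes are constructed, not from a real certificate.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
# Enhanced key usage value: SEQUENCE OF OID.
SAMPLE_EKU = bytes.fromhex("3016" "06082b06010505070302" "060a2b060104018237140202")
# Application policies value: SEQUENCE OF SEQUENCE { OID, ... }.
SAMPLE_APP = bytes.fromhex("301a" "300a06082b06010505070302" "300c060a2b060104018237140202")

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal text."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(ext_value):
    """Collect the purpose OIDs from either extension encoding."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    oids, pos = set(), 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == 0x30:  # application policy entry: the OID comes first
            tag, content, _ = read_tlv(content, 0)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.add(decode_oid(content))
    return oids

def allows(required_oid, eku_value=None, app_policy_value=None):
    """True only if at least one extension is present and all list the OID."""
    present = [v for v in (eku_value, app_policy_value) if v is not None]
    return bool(present) and all(required_oid in policy_oids(v) for v in present)
```

Requiring agreement between the two extensions means a certificate whose enhanced key usage and application policies sections differ is refused rather than accepted on the more permissive one.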

The ability to modify or create new application policies is only available with version 2 and version 3 certificate templates. For more information, see Default Certificate Templates.

Clients must be re-enrolled to receive a certificate based on a modified template if they already have a valid certificate based on the previous template. For more information about re-enrolling clients, see Re-Enroll All Certificate Holders.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To add an application policy

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Extensions tab, click Application Policies, and then click Edit.

  4. In Edit Application Policies Extension, click Add.

  5. In Add Application Policy, click the application policy that you want to add, and then click OK.

The application policy that you want may not be available. In this case, you can create a new application policy.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To create an application policy

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Extensions tab, click Application Policies, and then click Edit.

  4. In Edit Application Policies Extension, click Add.

  5. In Add Application Policy, click New.

  6. Provide the requested information.
