Defining Application Policies

When you issue a Cross Certification Authority certificate, you can configure a Policy.inf file to specify which application policy OIDs are permitted in partner-issued certificates. Likewise, you can define a CAPolicy.inf file to specify which application policy OIDs are permitted in root certification authority certificates.

To configure application policies in a Policy.inf or CAPolicy.inf file, create the following sections:

[ApplicationPolicyStatementExtension] Policies = AppCodeSign, AppCTL, AppClientAuth CRITICAL = FALSE


OID =; Trust List Signing [AppClientAuth]

Using Custom Application Policies

Some organizations define their own application policy OIDs for custom applications. While most application policy OIDs are predefined and used universally, it might be necessary to define the mapping between your organization's application policy OID and a partner's application policy OID if custom application policies are defined.

To define the mapping, you must create a section that maps your organization's application policy OID to a similar application policy OID at the partner organization. This mapping is defined in a [ApplicationPolicyMappingsExtension] section in the Policy.inf or CAPolicy.inf file, as shown here:

[ApplicationPolicyMappingsExtension] = critical = true

Enabling the criticality flag enforces that an application processing this extension must understand the contents of the extension or not trust the certificate that contains the extension. (For more information on the criticality flag, review the definitions of X.509 version 3 certificates in Chapter 2, "Primer to PKI.")

+1 0

Post a comment