The Extensions tab allows an administrator to define specific application policies, issuance policies, certificate subject types, and key usage attributes for a certificate template.
Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are represented in a certificate by an object identifier that is defined for a given application. This object identifier is included in the issued certificate. When a subject presents its certificate, the certificate can be examined by the target to verify the application policy and determine whether the subject can perform the requested action.
Issuance policies, also referred to as certificate policies, define the measures that are used to identify the subject of the certificate and thereby define the level of assurance for an issued certificate. For example, your organization might require a face-to-face meeting before the certificate is issued to provide for a higher level of assurance for the issued certificate.
Certificate subject type
The certificate subject type, also referred to as the certificate template information, defines the purpose of a certificate or certificate template.
The certificate subject type extension cannot be edited. If an administrator requires a specific subject type to be applied to a certificate, the administrator should duplicate a certificate template that includes the required subject type.
A certificate enables the subject to perform a specific task. To help control the usage of a certificate outside its intended purpose, restrictions are automatically placed on certificates. Key usage is a restriction method that determines what a certificate can be used for. It allows the administrator to issue certificates that can only be used for specific tasks or certificates that can be used for a broad range of functions. If no key usage is specified, the certificate can be used for any purpose.
For signatures, key usage can be limited to one or more of the following purposes:
- Digital signature
- Signature is a proof of origin
- Certificate signing
- CRL signing
For encryption key usage, the following options are available:
- Key exchange without key encryption
- Key exchange only with key encryption
In addition to the information required by the certification authority (CA) to construct the requested certificate, a certificate request also includes attributes that describe how the certificate request was created. The certificate request attributes include the operating system version and application used to create the request, the cryptographic service provider used to generate the key pair, the certificate template the request is based on, and other details.
Attributes are automatically added to certificate requests that are created by using the Certificates snap-in and are stored in the CA database with each certificate request.