Certificates are granted according to policies that define criteria that requesters must meet in order to receive a certificate. For example, one policy may be to grant commercial certificates only if applicants present their identification in person. Another policy may grant credentials based on e-mail requests. An agency that issues credit cards may choose to consult a database and make phone inquiries before issuing a card.
Policies are implemented in policy modules written in Java, Microsoft® Visual Basic®, or Microsoft C/C++. Microsoft Certificate Server functions are isolated from any changes in policy that an agency might implement. Changes in policy can be fully implemented in the server policy module code.