Mac OS X 10.5 Help
Certificate trust policies
Certificates have many uses. For example, a certificate might allow you to sign email, encrypt a document, connect to a secure network, or identify yourself on iChat. Each type of use is governed by a trust policy, which determines whether a certificate is valid for that use. A certificate may be valid for some uses but not for others.
Mac OS X uses a number of trust policies to determine whether a certificate is trusted for a given use.
Secure Sockets Layer (SSL): The name in a server’s certificate must match its DNS host name to successfully establish a connection. The host name check is not performed for SSL client certificates. If there is an extended key usage field, it must contain an appropriate value.
Secure Mail (S/MIME): When signing or encrypting an email, the user’s email address must be listed in the certificate, and the required key usage fields must be present.
Extensible Authentication Protocol (EAP): When connecting to a network that requires 802.1X authentication, the name in the server’s certificate must match its DNS host name. The host name check is not performed for client certificates. If an extended key usage field is present, it must contain an appropriate value.
IP Security (IPsec): When certificates are used to secure Internet Protocol communications (for example, in establishing a VPN connection), the name in the server’s certificate must match its DNS host name. The host name check is not performed for client certificates. If an extended key usage field is present, it must contain an appropriate value.
iChat Security: The certificate must contain key usage settings that allow it to be used for iChat.
Kerberos Client: This policy is used to determine whether this certificate can be used to identify a user to a Kerberos server.
Kerberos Server: This policy is used to determine whether a Kerberos server can use this certificate to identify itself to the system.
Code Signing: The certificate must contain key usage settings that explicitly permit it to sign code.
You can change these policies on each certificate, providing a greater amount of control over how certificates are evaluated.
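As an added example that is not part of this help page or of Mac OS X itself, the following Python models how the SSL, EAP, IPsec, S/MIME and Code Signing policies described above could be evaluated against a parsed certificate: a host name check only for server roles, an extended key usage check only when that extension is present, an email address and key usage check for mail, and an explicit code-signing permission for code. The Cert class and evaluate function are constructed for the example, as is the choice of serverAuth/clientAuth as the "appropriate" extended key usage value per policy and role and of digitalSignature/keyEncipherment as the key usage bits for signing and encrypting mail; iChat and Kerberos are left out because the page gives no field-level criteria for them.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Extended key usage purposes (RFC 5280 id-kp values, written as names here).
SERVER_AUTH = "serverAuth"
CLIENT_AUTH = "clientAuth"
CODE_SIGNING = "codeSigning"

# Key usage bits (RFC 5280 KeyUsage).
DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (constructed for this example)."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()
    san_email: Tuple[str, ...] = ()
    key_usage: FrozenSet[str] = frozenset()
    ext_key_usage: Optional[FrozenSet[str]] = None  # None means the extension is absent


def _host_names(cert: Cert) -> List[str]:
    # Prefer subjectAltName dNSName entries; fall back to the subject CN.
    names = list(cert.san_dns) or [cert.subject_cn]
    return [n.lower() for n in names]


def host_name_matches(cert: Cert, hostname: str) -> bool:
    # Exact, case-insensitive comparison; wildcard labels are deliberately not handled.
    return hostname.lower() in _host_names(cert)


# "Appropriate" EKU value per policy and role. Assumed mapping for the example;
# the help page only says an appropriate value is required when the field exists.
EKU_REQUIRED = {
    ("ssl", "server"): SERVER_AUTH, ("ssl", "client"): CLIENT_AUTH,
    ("eap", "server"): SERVER_AUTH, ("eap", "client"): CLIENT_AUTH,
    ("ipsec", "server"): SERVER_AUTH, ("ipsec", "client"): CLIENT_AUTH,
}


def evaluate(cert: Cert, policy: str, role: str = "server",
             hostname: Optional[str] = None, email: Optional[str] = None,
             purpose: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the certificate
    is acceptable for this use. Only the policies the page spells out are modelled."""
    problems: List[str] = []

    if policy in ("ssl", "eap", "ipsec"):
        if role not in ("server", "client"):
            raise ValueError(f"role must be 'server' or 'client', got {role!r}")
        if role == "server":
            # Server certificates must match the DNS host name being connected to.
            if hostname is None:
                problems.append("server role requires a host name to check against")
            elif not host_name_matches(cert, hostname):
                problems.append(f"certificate name does not match host name {hostname}")
        # Client certificates skip the host name check entirely.
        if cert.ext_key_usage is not None:
            # EKU is only checked when the extension is present.
            needed = EKU_REQUIRED[(policy, role)]
            if needed not in cert.ext_key_usage:
                problems.append(f"extended key usage present but lacks {needed}")
        return problems

    if policy == "smime":
        listed = [e.lower() for e in cert.san_email]
        if email is None or email.lower() not in listed:
            problems.append("user's email address is not listed in the certificate")
        needed_ku = {"sign": DIGITAL_SIGNATURE, "encrypt": KEY_ENCIPHERMENT}.get(purpose)
        if needed_ku is None:
            problems.append("purpose must be 'sign' or 'encrypt'")
        elif needed_ku not in cert.key_usage:
            problems.append(f"key usage lacks {needed_ku} required to {purpose}")
        return problems

    if policy == "codesigning":
        # "Explicitly permit" means an absent EKU extension is a failure here.
        if cert.ext_key_usage is None or CODE_SIGNING not in cert.ext_key_usage:
            problems.append("certificate does not explicitly permit code signing")
        return problems

    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample certificates, one per use.
    server = Cert("www.example.com", san_dns=("www.example.com",),
                  ext_key_usage=frozenset({SERVER_AUTH}))
    mail = Cert("Alice", san_email=("alice@example.com",),
                key_usage=frozenset({DIGITAL_SIGNATURE}))
    print("ssl  :", evaluate(server, "ssl", "server", hostname="www.example.com"))
    print("ssl  :", evaluate(server, "ssl", "server", hostname="mail.example.com"))
    print("smime:", evaluate(mail, "smime", email="alice@example.com", purpose="encrypt"))
    print("code :", evaluate(mail, "codesigning"))
```

The same certificate can pass one policy and fail another, which is the point the page makes: a mail certificate with only digitalSignature set signs mail but cannot encrypt it and cannot sign code, and a server certificate that matches its host name is still rejected for a client role once its EKU lacks clientAuth.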