Frequently Used Extended Key Usages and Issuance Policies

Author Uwe GradeneggerPosted on Categories Certificate usageTags , , , ,

The following is a list of commonly used extended key usage and issuance policies that are used repeatedly in practice to restrict certificate authority certificates.

Frequently used extended key usages:

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

The extended key usages are also referred to in some documentation as Application Policies called.

OIDDescription
1.3.6.1.4.1.311.20.2.1Certificate Request Agent
1.3.6.1.5.5.7.3.2Client Authentication
1.3.6.1.5.5.7.3.3Code Signing
1.3.6.1.4.1.311.10.3.13Lifetime Signing
1.3.6.1.4.1.311.10.3.12Document Signing
1.3.6.1.4.1.311.80.1Document Encryption
1.3.6.1.4.1.311.10.3.4Encrypting file system
1.3.6.1.4.1.311.10.3.4.1File Recovery
1.3.6.1.5.5.7.3.5IP Security End System
1.3.6.1.5.5.8.2.2IP Security IKE Intermediate
1.3.6.1.5.5.7.3.6IP Security Tunnel Endpoint
1.3.6.1.5.5.7.3.7IP Security User
1.3.6.1.4.1.311.21.6Key Recovery Agent
1.3.6.1.4.1.311.10.3.11Key Recovery
1.3.6.1.5.2.3.5KDC Authentication
1.3.6.1.4.1.311.10.3.1Microsoft Trust List Signing
1.3.6.1.4.1.311.10.3.10Qualified Subordination
1.3.6.1.4.1.311.10.3.9Root List Signer
1.3.6.1.5.5.7.3.4Secure E-mail
1.3.6.1.5.5.7.3.1Server Authentication
1.3.6.1.4.1.311.20.2.2Smartcard Logon
1.3.6.1.5.5.7.3.8Time Stamping according to RFC 3161
1.3.6.1.5.5.7.3.9OCSP Signing
1.3.6.1.4.1.311.54.1.2Remote Desktop Authentication
1.3.6.1.4.1.311.21.5Private Key Archival
2.16.840.1.113741.1.2.3Intel Advanced Management Technology (AMT) Provisioning

Frequently used issuance policies (Issuance Policies):

OIDDescription
2.5.29.32.0All Issuance Policies (AnyPolicy)
1.3.6.1.4.1.311.21.32TPM Key AttestationUser Credentials: (Low Assurance)
1.3.6.1.4.1.311.21.31TPM Key AttestationEndorsement Certificate: (Medium Assurance)
1.3.6.1.4.1.311.21.30TPM Key AttestationEndorsement Key: (High Assurance)

Related links:

External sources

20 thoughts on “Häufig verwendete erweiterte Schlüsselverwendungen (Extended Key Usages) und Ausstellungsrichtlinien (Issuance Policies)”

  1. Pingback: Details about the event with ID 53 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  2. Pingback: Configuring a certificate template for Remote Desktop (RDP) certificates - Uwe Gradenegger
  3. Pingback: Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates - Uwe Gradenegger
  4. Pingback: Signing certificates by bypassing the certification authority - Uwe Gradenegger
  5. Pingback: Basics: Configuration file for the certification authority (capolicy.inf) - Uwe Gradenegger
  6. Pingback: Treatment of expired certificates in certificate revocation lists - Uwe Gradenegger
  7. Pingback: The "Application Policies" certificate extension - Uwe Gradenegger
  8. Pingback: Details about the event with ID 131 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  9. Pingback: Code Signing for PowerShell Script Files - Uwe Gradenegger
  10. Pingback: Details about the event with ID 32 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  11. Pingback: Details about the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  12. Pingback: Details about the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  13. Pingback: Restricting Extended Key Usage (EKU) for Imported Root Certification Authority Certificates - Uwe Gradenegger
  14. Pingback: Overview of the different generations of domain controller certificates - Uwe Gradenegger
  15. Pingback: Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate - Uwe Gradenegger
  16. Pingback: Public Key Infrastructures (PKI) basics - Uwe Gradenegger
  17. Pingback: The partition of the Hardware Security Module (HSM) is running full - Uwe Gradenegger
  18. Pingback: Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified." - Uwe Gradenegger
  19. Pingback: Details about the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  20. Pingback: Signing in via smartcard fails with error message "Signing in with a security device isn't supported for your account." - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish