Wichtige OIDs und Zertifikatserweiterungen
Diese Tabellen zeigen die wichtigsten Informationen rund um die Object Identifiers und den Extensions an.
Object Identifiers | OID |
Any Purpose | 2.5.29.37.0 |
Attestation Identity Key Certificate | 2.23.133.8.3 |
Certificate Request Agent | 1.3.6.1.4.1.311.20.2.1 |
Client Authentication | 1.3.6.1.5.5.7.3.2 |
Code Signing | 1.3.6.1.5.5.7.3.3 |
CTL Usage | 1.3.6.1.4.1.311.20.1 |
Digital Rights | 1.3.6.1.4.1.311.10.5.1 |
Directory Service Email Replication | 1.3.6.1.4.1.311.21.19 |
Disallowed List | 1.3.6.1.4.1.311.10.3.30 |
Document Encryption | 1.3.6.1.4.1.311.80.1 |
Document Signing | 1.3.6.1.4.1.311.10.3.12 |
Domain Name System (DNS) Server Trust | 1.3.6.1.4.1.311.64.1.1 |
Dynamic Code Generator | 1.3.6.1.4.1.311.76.5.1 |
Early Launch Antimalware Driver | 1.3.6.1.4.1.311.61.4.1 |
Embedded Windows System Component Verification | 1.3.6.1.4.1.311.10.3.8 |
Encrypting File System | 1.3.6.1.4.1.311.10.3.4 |
Endorsement Key Certificate | 2.23.133.8.1 |
File Recovery | 1.3.6.1.4.1.311.10.3.4.1 |
HAL Extension | 1.3.6.1.4.1.311.61.5.1 |
IP security end system | 1.3.6.1.5.5.7.3.5 |
IP security IKE intermediate | 1.3.6.1.5.5.8.2.2 |
IP security tunnel termination | 1.3.6.1.5.5.7.3.6 |
IP security user | 1.3.6.1.5.5.7.3.7 |
KDC Authentication | 1.3.6.1.5.2.3.5 |
Kernel Mode Code Signing | 1.3.6.1.4.1.311.61.1.1 |
Key Pack Licenses | 1.3.6.1.4.1.311.10.6.1 |
Key Recovery | 1.3.6.1.4.1.311.10.3.11 |
Key Recovery Agent | 1.3.6.1.4.1.311.21.6 |
License Server Verification | 1.3.6.1.4.1.311.10.6.2 |
Lifetime Signing | 1.3.6.1.4.1.311.10.3.13 |
Microsoft Publisher | 1.3.6.1.4.1.311.76.8.1 |
Microsoft Time Stamping | 1.3.6.1.4.1.311.10.3.2 |
Microsoft Trust List Signing | 1.3.6.1.4.1.311.10.3.1 |
OCSP Signing | 1.3.6.1.5.5.7.3.9 |
OEM Windows System Component Verification | 1.3.6.1.4.1.311.10.3.7 |
Platform Certificate | 2.23.133.8.2 |
Preview Build Signing | 1.3.6.1.4.1.311.10.3.27 |
Private Key Archival | 1.3.6.1.4.1.311.21.5 |
Protected Process Light Verification | 1.3.6.1.4.1.311.10.3.22 |
Protected Process Verification | 1.3.6.1.4.1.311.10.3.24 |
Qualified Subordination | 1.3.6.1.4.1.311.10.3.10 |
Remote Desktop Authentication | 1.3.6.1.4.311.54.1.2 |
Revoked List Signer | 1.3.6.1.4.1.311.10.3.19 |
Root List Signer | 1.3.6.1.4.1.311.10.3.9 |
Secure Email | 1.3.6.1.5.5.7.3.4 |
Server Authentication | 1.3.6.1.5.5.7.3.1 |
Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 |
SpcEncryptedDigestRetryCount | 1.3.6.1.4.1.311.2.6.2 |
SpcRelaxedPEMarkerCheck | 1.3.6.1.4.1.311.2.6.1 |
Time Stamping | 1.3.6.1.5.5.7.3.8 |
Windows Hardware Driver Attested Verification | 1.3.6.1.4.1.311.10.3.5.1 |
Windows Hardware Driver Extended Verification | 1.3.6.1.4.1.311.10.3.39 |
Windows Hardware Driver Verification | 1.3.6.1.4.1.311.10.3.5 |
Windows Kits Component | 1.3.6.1.4.1.311.10.3.20 |
Windows RT Verification | 1.3.6.1.4.1.311.10.3.21 |
Windows Software Extension Verification | 1.3.6.1.4.1.311.10.3.26 |
Windows Store | 1.3.6.1.4.1.311.76.3.1 |
Windows System Component Verification | 1.3.6.1.4.1.311.10.3.6 |
Windows TCB Component | 1.3.6.1.4.1.311.10.3.23 |
Windows Third Party Application Component | 1.3.6.1.4.1.311.10.3.25 |
Windows Update | 1.3.6.1.4.1.311.76.6.1 |
Microsoft CertSrv Infrastructure | OID |
Certificate services Certification Authority (CA) version | 1.3.6.1.4.1.311.21.1 |
szOID_CERTSRV_PREVIOUS_CERT_HASH | 1.3.6.1.4.1.311.21.2 |
szOID_CRL_VIRTUAL_BASE | 1.3.6.1.4.1.311.21.3 |
szOID_CRL_NEXT_PUBLISH | 1.3.6.1.4.1.311.21.4 |
szOID_KP_CA_EXCHANGE | 1.3.6.1.4.1.311.21.5 |
szOID_KP_KEY_RECOVERY_AGENT | 1.3.6.1.4.1.311.21.6 |
szOID_CERTIFICATE_TEMPLATE | 1.3.6.1.4.1.311.21.7 |
szOID_ENTERPRISE_OID_ROOT | 1.3.6.1.4.1.311.21.8 |
szOID_RDN_DUMMY_SIGNER | 1.3.6.1.4.1.311.21.9 |
szOID_APPLICATION_CERT_POLICIES | 1.3.6.1.4.1.311.21.10 |
szOID_APPLICATION_POLICY_MAPPINGS | 1.3.6.1.4.1.311.21.11 |
szOID_APPLICATION_POLICY_CONSTRAINTS | 1.3.6.1.4.1.311.21.12 |
szOID_ARCHIVED_KEY_ATTR | 1.3.6.1.4.1.311.21.13 |
szOID_CRL_SELF_CDP | 1.3.6.1.4.1.311.21.14 |
szOID_REQUIRE_CERT_CHAIN_POLICY | 1.3.6.1.4.1.311.21.15 |
szOID_ARCHIVED_KEY_CERT_HASH | 1.3.6.1.4.1.311.21.16 |
szOID_ISSUED_CERT_HASH | 1.3.6.1.4.1.311.21.17 |
szOID_DS_EMAIL_REPLICATION | 1.3.6.1.4.1.311.21.19 |
szOID_REQUEST_CLIENT_INFO | 1.3.6.1.4.1.311.21.20 |
szOID_ENCRYPTED_KEY_HASH | 1.3.6.1.4.1.311.21.21 |
szOID_CERTSRV_CROSSCA_VERSION | 1.3.6.1.4.1.311.21.22 |
Key storage provider name | 1.3.6.1.4.1.311.21.25 |
Certificate | OID | Description |
subjectKeyIdentifier | 2.5.29.14 | Subject key identifier |
keyUsage | 2.5.29.15 | Key usage |
privateKeyUsagePeriod | 2.5.29.16 | Private key usage period |
issuerAltName | 2.5.29.18 | Issuer alternative name (SAN) |
basicConstraints | 2.5.29.19 | Basic constraints |
cRLNumber | 2.5.29.20 | CRL (Certificate Revocation List) number |
reasonCode | 2.5.29.21 | Reason code |
invalidityDate | 2.5.29.24 | Invalidity Date |
deltaCRLIndicator | 2.5.29.27 | Certificate Revocation List indicator |
certificateIssuer | 2.5.29.29 | Certificate Issuer |
cRLDistributionPoints | 2.5.29.31 | Certificate Revocation List distribution points |
authorityKeyIdentifier | 2.5.29.35 | Authority key identifier. |
Certificate Extensions | OID |
Authority Key Identifier | 2.5.29.19 |
Basic Constraints | 2.5.29.35 |
Certificate Policies | 2.5.29.32 |
CRL Distribution Points | 2.5.29.31 |
Enhanced Key Usage | 2.5.29.46 |
Issuer Alternative Name | 2.5.29.8 |
Key Usage | 2.5.29.15 |
Name Constraints | 2.5.29.30 |
Policy Constraints | 2.5.29.36 |
Policy Mappings | 2.5.29.33 |
Private Key Usage Period | 2.5.29.16 |
Subject Alternative Name | 2.5.29.17 |
Subject Directory Attributes | 2.5.29.9 |
Subject Key Identifier | 2.5.29.14 |
Welche Key Usage Extensions müssen für ein Zertifikat aktiviert sein
Extended Key | Enable Key Usage Extensions |
Web Server Certificate | Digital Signature, Key Encipherment or Key Agreement |
Web Client Certificate | Digital Signature and/or Key Agreement |
File Signing .exe | Digital Signature |
E-Mail Protection | Digital Signature, non-Repudiation, and/or Key Encipherment or Key Agreement |
IPSEC Host or Router | Digital Signature, Key Encipherment or Key Agreement |
IPSEC Tunnel | Digital Signature, Key Encipherment or Key Agreement |
Timestamping | Digital Signature, non-Repudiation |
Welcher Typ von Zertifikat setzt welche Key Usage Extensions voraus
Application | Key Usage Extensions |
SSL Certificate for Client | Digital signature |
SSL Certificate for Server | Key encipherment |
S/MIME Signing | Digital signature |
S/MIME Encryption | Key encipherment |
Certificate Signing | Certificate signing |
Object Signing | Digital signature |
https://www.der-windows-papst.de/2019/07/06/eigenschaften-eines-x-509-v3-zertifikats/