Certificate OIDs and Key Usage Extensions

Important OIDs and certificate extensions

The tables below list the most important object identifiers (OIDs) and certificate extensions.

| Object Identifiers | OID |
| --- | --- |
| Any purpose | 2.5.29.37.0 |
| Attestation Identity Key Certificate | 2.23.133.8.3 |
| Certificate request agent | 1.3.6.1.4.1.311.20.2.1 |
| Client authentication | 1.3.6.1.5.5.7.3.2 |
| Code signing | 1.3.6.1.5.5.7.3.3 |
| CTL Usage | 1.3.6.1.4.1.311.20.1 |
| Digital Rights | 1.3.6.1.4.1.311.10.5.1 |
| Directory Service Email Replication | 1.3.6.1.4.1.311.21.19 |
| Disallowed List | 1.3.6.1.4.1.311.10.3.30 |
| Document encryption | 1.3.6.1.4.1.311.80.1 |
| Document signing | 1.3.6.1.4.1.311.10.3.12 |
| Domain Name System (DNS) Server Trust | 1.3.6.1.4.1.311.64.1.1 |
| Dynamic Code Generator | 1.3.6.1.4.1.311.76.5.1 |
| Early launch antimalware driver | 1.3.6.1.4.1.311.61.4.1 |
| Embedded Windows System Component Verification | 1.3.6.1.4.1.311.10.3.8 |
| Encrypting File System | 1.3.6.1.4.1.311.10.3.4 |
| Endorsement Key Certificate | 2.23.133.8.1 |
| File Recovery | 1.3.6.1.4.1.311.10.3.4.1 |
| HAL extension | 1.3.6.1.4.1.311.61.5.1 |
| IP security end system | 1.3.6.1.5.5.7.3.5 |
| IP security IKE intermediate | 1.3.6.1.5.5.8.2.2 |
| IP security tunnel termination | 1.3.6.1.5.5.7.3.6 |
| IP security user | 1.3.6.1.5.5.7.3.7 |
| KDC authentication | 1.3.6.1.5.2.3.5 |
| Kernel mode code signing | 1.3.6.1.4.1.311.61.1.1 |
| Key Pack Licenses | 1.3.6.1.4.1.311.10.6.1 |
| Key Recovery | 1.3.6.1.4.1.311.10.3.11 |
| Key Recovery Agent | 1.3.6.1.4.1.311.21.6 |
| License Server Verification | 1.3.6.1.4.1.311.10.6.2 |
| Lifetime signing | 1.3.6.1.4.1.311.10.3.13 |
| Microsoft Publisher | 1.3.6.1.4.1.311.76.8.1 |
| Microsoft Time Stamping | 1.3.6.1.4.1.311.10.3.2 |
| Microsoft Trust List Signing | 1.3.6.1.4.1.311.10.3.1 |
| OCSP signing | 1.3.6.1.5.5.7.3.9 |
| OEM Windows System Component Verification | 1.3.6.1.4.1.311.10.3.7 |
| Platform Certificate | 2.23.133.8.2 |
| Preview Build Signing | 1.3.6.1.4.1.311.10.3.27 |
| Private Key Archival | 1.3.6.1.4.1.311.21.5 |
| Protected Process Light Verification | 1.3.6.1.4.1.311.10.3.22 |
| Protected Process Verification | 1.3.6.1.4.1.311.10.3.24 |
| Qualified subordination | 1.3.6.1.4.1.311.10.3.10 |
| Remote desktop authentication | 1.3.6.1.4.311.54.1.2 |
| Revoked List Signer | 1.3.6.1.4.1.311.10.3.19 |
| Root List Signer | 1.3.6.1.4.1.311.10.3.9 |
| Secure Email | 1.3.6.1.5.5.7.3.4 |
| Server authentication | 1.3.6.1.5.5.7.3.1 |
| Smart card logon | 1.3.6.1.4.1.311.20.2.2 |
| SpcEncryptedDigestRetryCount | 1.3.6.1.4.1.311.2.6.2 |
| SpcRelaxedPEMarkerCheck | 1.3.6.1.4.1.311.2.6.1 |
| Time Stamping | 1.3.6.1.5.5.7.3.8 |
| Windows Hardware Driver Attested Verification | 1.3.6.1.4.1.311.10.3.5.1 |
| Windows Hardware Driver Extended Verification | 1.3.6.1.4.1.311.10.3.39 |
| Windows Hardware Driver Verification | 1.3.6.1.4.1.311.10.3.5 |
| Windows Kits Component | 1.3.6.1.4.1.311.10.3.20 |
| Windows RT Verification | 1.3.6.1.4.1.311.10.3.21 |
| Windows Software Extension Verification | 1.3.6.1.4.1.311.10.3.26 |
| Windows Store | 1.3.6.1.4.1.311.76.3.1 |
| Windows System Component Verification | 1.3.6.1.4.1.311.10.3.6 |
| Windows TCB Component | 1.3.6.1.4.1.311.10.3.23 |
| Windows Third Party Application Component | 1.3.6.1.4.1.311.10.3.25 |
| Windows Update | 1.3.6.1.4.1.311.76.6.1 |

| Microsoft CertSrv Infrastructure | OID |
| --- | --- |
| Certificate services Certification Authority (CA) version | 1.3.6.1.4.1.311.21.1 |
| szOID_CERTSRV_PREVIOUS_CERT_HASH | 1.3.6.1.4.1.311.21.2 |
| szOID_CRL_VIRTUAL_BASE | 1.3.6.1.4.1.311.21.3 |
| szOID_CRL_NEXT_PUBLISH | 1.3.6.1.4.1.311.21.4 |
| szOID_KP_CA_EXCHANGE | 1.3.6.1.4.1.311.21.5 |
| szOID_KP_KEY_RECOVERY_AGENT | 1.3.6.1.4.1.311.21.6 |
| szOID_CERTIFICATE_TEMPLATE | 1.3.6.1.4.1.311.21.7 |
| szOID_ENTERPRISE_OID_ROOT | 1.3.6.1.4.1.311.21.8 |
| szOID_RDN_DUMMY_SIGNER | 1.3.6.1.4.1.311.21.9 |
| szOID_APPLICATION_CERT_POLICIES | 1.3.6.1.4.1.311.21.10 |
| szOID_APPLICATION_POLICY_MAPPINGS | 1.3.6.1.4.1.311.21.11 |
| szOID_APPLICATION_POLICY_CONSTRAINTS | 1.3.6.1.4.1.311.21.12 |
| szOID_ARCHIVED_KEY_ATTR | 1.3.6.1.4.1.311.21.13 |
| szOID_CRL_SELF_CDP | 1.3.6.1.4.1.311.21.14 |
| szOID_REQUIRE_CERT_CHAIN_POLICY | 1.3.6.1.4.1.311.21.15 |
| szOID_ARCHIVED_KEY_CERT_HASH | 1.3.6.1.4.1.311.21.16 |
| szOID_ISSUED_CERT_HASH | 1.3.6.1.4.1.311.21.17 |
| szOID_DS_EMAIL_REPLICATION | 1.3.6.1.4.1.311.21.19 |
| szOID_REQUEST_CLIENT_INFO | 1.3.6.1.4.1.311.21.20 |
| szOID_ENCRYPTED_KEY_HASH | 1.3.6.1.4.1.311.21.21 |
| szOID_CERTSRV_CROSSCA_VERSION | 1.3.6.1.4.1.311.21.22 |
| Key storage provider name | 1.3.6.1.4.1.311.21.25 |

| Certificate | OID | Description |
| --- | --- | --- |
| subjectKeyIdentifier | 2.5.29.14 | Subject key identifier |
| keyUsage | 2.5.29.15 | Key usage |
| privateKeyUsagePeriod | 2.5.29.16 | Private key usage period |
| issuerAltName | 2.5.29.18 | Issuer alternative name (SAN) |
| basicConstraints | 2.5.29.19 | Basic constraints |
| cRLNumber | 2.5.29.20 | CRL (Certificate Revocation List) number |
| reasonCode | 2.5.29.21 | Reason code |
| invalidityDate | 2.5.29.24 | Invalidity Date |
| deltaCRLIndicator | 2.5.29.27 | Certificate Revocation List indicator |
| certificateIssuer | 2.5.29.29 | Certificate issuer |
| cRLDistributionPoints | 2.5.29.31 | Certificate revocation list distribution points |
| authorityKeyIdentifier | 2.5.29.35 | Authority key identifier |

| Certificate extensions | OID |
| --- | --- |
| Authority key identifier | 2.5.29.19 |
| Basic constraints | 2.5.29.35 |
| Certificate Policies | 2.5.29.32 |
| CRL Distribution Points | 2.5.29.31 |
| Enhanced key usage | 2.5.29.46 |
| Issuer alternative name | 2.5.29.8 |
| Key Usage | 2.5.29.15 |
| Name constraints | 2.5.29.30 |
| Policy constraints | 2.5.29.36 |
| Policy mappings | 2.5.29.33 |
| Private Key Usage Period | 2.5.29.16 |
| Subject Alternative Name | 2.5.29.17 |
| Subject Directory Attributes | 2.5.29.9 |
| Subject key identifier | 2.5.29.14 |

Which key usage extensions must be activated for a certificate

| Extended key | Enable Key Usage Extensions |
| --- | --- |
| Web Server Certificate | Digital Signature, Key Encipherment or Key Agreement |
| Web Client Certificate | Digital Signature and/or Key Agreement |
| File Signing .exe | Digital Signature |
| Email protection | Digital Signature, non-Repudiation, and/or Key Encipherment or Key Agreement |
| IPSEC host or router | Digital Signature, Key Encipherment or Key Agreement |
| IPSEC tunnel | Digital Signature, Key Encipherment or Key Agreement |
| Timestamping | Digital signature, non-repudiation |

Which type of certificate requires which key usage extensions

| Application | Key Usage Extensions |
| --- | --- |
| SSL Certificate for Client | Digital signature |
| SSL Certificate for Server | Key encipherment |
| S/MIME signing | Digital signature |
| S/MIME encryption | Key encipherment |
| Certificate signing | Certificate signing |
| Object signing | Digital signature |

Properties of an X.509 v3 certificate