Certificate Templates
ADCS Enterprise Certificate Authority (CA) issues certificates according to settings specified by AD objects called certificate templates. These templates use enrolment policies and predefined certificate configurations to dictate the validity period, usage purposes, subject specifications, requester permissions, and various other parameters of a certificate request.
The PKI Extended Key Usage (EKU) attribute on an Active Directory certificate template object contains a list of object identifiers (OIDs) determining the permissible uses for the template. These EKU OIDs dictate the certificate’s functionalities.
From PKI Solutions, the following is a list of common Application Policy OID's.
Remember any OID that contains 1.3.6.1.4.1.311 is from Microsoft.
| OID | Purpose |
|---|---|
| 1.3.6.1.4.1.311.10.3.1 | Microsoft Trust List Signing |
| 1.3.6.1.4.1.311.10.3.10 | Qualified Subordination |
| 1.3.6.1.4.1.311.10.3.11 | Key Recovery |
| 1.3.6.1.4.1.311.10.3.12 | Document Signing |
| 1.3.6.1.4.1.311.10.3.13 | Lifetime Signing |
| 1.3.6.1.4.1.311.10.3.19 | Revoked List Signer |
| 1.3.6.1.4.1.311.10.3.2 | Microsoft Time Stamping |
| 1.3.6.1.4.1.311.10.3.20 | Windows Kits Component |
| 1.3.6.1.4.1.311.10.3.21 | Windows RT Verification |
| 1.3.6.1.4.1.311.10.3.22 | Protected Process Light Verification |
| 1.3.6.1.4.1.311.10.3.23 | Windows TCB Component |
| 1.3.6.1.4.1.311.10.3.24 | Protected Process Verification |
| 1.3.6.1.4.1.311.10.3.25 | Windows Third Party Application Component |
| 1.3.6.1.4.1.311.10.3.26 | Windows Software Extension Verification |
| 1.3.6.1.4.1.311.10.3.27 | Preview Build Signing |
| 1.3.6.1.4.1.311.10.3.30 | Disallowed List |
| 1.3.6.1.4.1.311.10.3.39 | Windows Hardware Driver Extended Verification |
| 1.3.6.1.4.1.311.10.3.4 | Encrypting File System |
| 1.3.6.1.4.1.311.10.3.4.1 | File Recovery |
| 1.3.6.1.4.1.311.10.3.5 | Windows Hardware Driver Verification |
| 1.3.6.1.4.1.311.10.3.5.1 | Windows Hardware Driver Attested Verification |
| 1.3.6.1.4.1.311.10.3.6 | Windows System Component Verification |
| 1.3.6.1.4.1.311.10.3.8 | Embedded Windows System Component Verification |
| 1.3.6.1.4.1.311.10.3.9 | Root List Signer |
| 1.3.6.1.4.1.311.10.5.1 | Digital Rights |
| 1.3.6.1.4.1.311.10.6.2 | License Server Verification |
| 1.3.6.1.4.1.311.2.6.1 | SpcRelaxedPEMarkerCheck |
| 1.3.6.1.4.1.311.2.6.2 | SpcEncryptedDigestRetryCount |
| 1.3.6.1.4.1.311.20.1 | CTL Usage |
| 1.3.6.1.4.1.311.20.2.1 | Certificate Request Agent |
| 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon |
| 1.3.6.1.4.1.311.21.19 | Directory Service Email Replication |
| 1.3.6.1.4.1.311.21.5 | Private Key Archival |
| 1.3.6.1.4.1.311.21.6 | Key Recovery Agent |
| 1.3.6.1.4.1.311.61.1.1 | Kernel Mode Code Signing |
| 1.3.6.1.4.1.311.61.4.1 | Early Launch Antimalware Driver |
| 1.3.6.1.4.1.311.61.5.1 | HAL Extension |
| 1.3.6.1.4.1.311.64.1.1 | Domain Name System (DNS) Server Trust |
| 1.3.6.1.4.1.311.76.3.1 | Windows Store |
| 1.3.6.1.4.1.311.76.5.1 | Dynamic Code Generator |
| 1.3.6.1.4.1.311.76.6.1 | Windows Update |
| 1.3.6.1.4.1.311.76.8.1 | Microsoft Publisher |
| 1.3.6.1.4.1.311.80.1 | Document Encryption |
| 1.3.6.1.5.2.3.5 | KDC Authentication |
| 1.3.6.1.5.5.7.3.1 | Server Authentication |
| 1.3.6.1.5.5.7.3.2 | Client Authentication |
| 1.3.6.1.5.5.7.3.3 | Code Signing |
| 1.3.6.1.5.5.7.3.4 | Secure Email |
| 1.3.6.1.5.5.7.3.5 | IP security end system |
| 1.3.6.1.5.5.7.3.6 | IP security tunnel termination |
| 1.3.6.1.5.5.7.3.7 | IP security user |
| 1.3.6.1.5.5.7.3.8 | Time Stamping |
| 1.3.6.1.5.5.7.3.9 | OCSP Signing |
| 1.3.6.1.5.5.8.2.2 | IP security IKE intermediate |
| 2.23.133.8.1 | Endorsement Key Certificate |
| 2.23.133.8.2 | Platform Certificate |
| 2.23.133.8.3 | Attestation Identity Key Certificate |
| 2.5.29.37.0 | Any Purpose |