Obtaining an OID for a Certificate Issuing Policy (CAPolicy.inf)...

The various methods you can use to obtain an OID.

In the happy fairy land that is PKI there comes a time when an OID is needed. Such a time is when you want to specify a Certificate Issuing Policy within a CAPolicy.inf for Microsoft’s Certificates Services. However, how to obtain an OID tends to be a coveted mystery among the security gods.

So… in my quest to provide knowledge to the masses here are some methods to obtain an OID that may be placed within your CAPolicy.inf.

Method One:If you already have a valid OID obtain a CPS arc from you OID overlord.Method Two:Don’t have a valid OID. Go to the following Web site and after paying lots of money you too can become an evil OID overlord: http://web.ansi.org/other_services/registration_programs/reg_org.aspx?menuid=10Method Three:Go to the following site, and get oidgen.vbs: http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06.  This script generates unique OIDs in the Microsoft number sequence (1.2.840.113556).  Method Four:

Cheat create your own. Bring up a backup of your Active Directory environment in a lab. Install certificate services as an Enterprise Root on a domain controller. At a command prompt on the domain controller type certtmpl.msc and press Enter. The Certificate Templates MMC will open. In the right pane select the Workstation Authentication template. Alternatively, you can select any other V2 template. From the Action menu select Properties. Click the Extensions tab. Select the Issuance Policies from the list box and click Edit. In the Edit Issuance Policies Extension dialog click Add. Click New... in the next dialog. A unique object identifier is generated and shown in the New Issuance Policy dialog. Select the complete OID and press + to copy the content into the clipboard. Copy the OID into a document for future reference.

Again… this yet another procedure I wouldn’t recommend for a “real” PKI deployment.

If you like this, check out some other posts from Tyson:

Or if you want, you can also check out some of Tyson's latest publications:

Lastly, visit the Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.