Custom OID for Certificate template

Anonymous
2024-08-31T15:14:47+00:00

Let's assume we have Active Directory installed with the domain name "domain.com" and an Enterprise PKI with a single tier.

When we duplicate a certificate template, two new OID objects appear in Active Directory in the configuration partition under "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com".
One of these objects corresponds to the newly created template and has the same OID in the "msPKI-Cert-Template-OID" attribute; as we know, it is necessary to map the OID to a friendly name, i.e.:

distinguishedName: CN=3893940.33B005631AD31D10EBE20371A6A4267E,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycreativespace,DC=pl

msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.1379772.1953520.5001136.2622141.10395009.166.11795774.3893940

displayName: NEW_KerberosAuthentication

It corresponds to the newly created template (same msPKI-Cert-Template-OID attribute value):

distinguishedName: CN=NEW_KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycreativespace,DC=pl

msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.1379772.1953520.5001136.2622141.10395009.166.11795774.3893940

What is the second OID object created for? I couldn't find any other object that corresponds to it.

Is it good practice to replace the Microsoft OID in a custom template with my own enterprise PEN number?

Also, I have noticed that when I delete the custom template, the first OID object is deleted as well, but the second one remains.

Accepted answer
  1. Anonymous
    2024-09-02T02:55:45+00:00

    Hi WojtekW_MCS,

    Thank you for posting in the Microsoft Community Forums.

    Replacing the Microsoft OID in a customized template with your own corporate PEN (Private Enterprise Number) is often a viable practice, but the following points need to be kept in mind:

    Compatibility: Ensure that the replaced OID is compatible across all relevant systems and applications.

    Administrative complexity: Customizing OIDs can add administrative complexity, as you need to ensure that all relevant parties understand and use these custom OIDs.

    Standards Compliance: While it is possible to customize OIDs, it is still important to follow relevant standards and best practices.

    When you delete a custom template, the OID associated with the template (i.e., the first OID object) is usually also deleted because they are interdependent. However, the second OID object may continue to exist for different reasons, for example, it may be associated with other services or features, or it may be a separate internal object in its own right.

    In response to the issue you mentioned, it is recommended that the properties and associations of the second OID object be further investigated to determine its purpose and whether it needs to be removed. In the meantime, when replacing Microsoft OIDs with custom PEN numbers, please ensure that compatibility and management complexity are fully assessed.

    Best regards

    Neuvi

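The accepted answer recommends inspecting the properties and associations of the second OID object. The script below is an added example for doing exactly that; it is not part of the original question or answer. It lists every msPKI-Enterprise-Oid object under CN=OID together with its flags (OID type) and creation time, and cross-references each one with the pKICertificateTemplate objects under CN=Certificate Templates by the msPKI-Cert-Template-OID value the question shows on both kinds of object, so registrations that no template points at (and templates with no registration) stand out. It assumes the RSAT ActiveDirectory module is installed and the caller can read the Configuration partition; the forest is taken from Get-ADRootDSE rather than hard-coded, and the container names are the standard ADCS ones.

```powershell
# Added example, not from the original question or answer. Cross-references the
# msPKI-Enterprise-Oid objects under CN=OID with the pKICertificateTemplate
# objects under CN=Certificate Templates by their msPKI-Cert-Template-OID value,
# so that OID objects no template points at (the "second object" in the
# question) become visible. Assumes the RSAT ActiveDirectory module and read
# access to the Configuration partition.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"
$oidBase      = "CN=OID,$pkiBase"
$templateBase = "CN=Certificate Templates,$pkiBase"

# Certificate templates, indexed by template OID.
$templates = Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Cert-Template-OID', 'displayName'

$templateByOid = @{}
foreach ($t in $templates) {
    $oid = $t.'msPKI-Cert-Template-OID'
    if ($oid) { $templateByOid[$oid] = $t }
}

# OID registrations. 'flags' is the OID type: 1 = certificate template,
# 2 = issuance policy, 3 = application policy.
$oids = Get-ADObject -SearchBase $oidBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msPKI-Enterprise-Oid)' `
    -Properties 'msPKI-Cert-Template-OID', 'displayName', 'flags', 'whenCreated'

$typeName = @{ 1 = 'Template'; 2 = 'IssuancePolicy'; 3 = 'ApplicationPolicy' }

$report = foreach ($o in $oids) {
    $oid   = $o.'msPKI-Cert-Template-OID'
    $match = if ($oid) { $templateByOid[$oid] }
    $flags = [int]$o.flags
    $type  = if ($typeName.ContainsKey($flags)) { $typeName[$flags] } else { "flags=$flags" }
    [pscustomobject]@{
        Created          = $o.whenCreated
        OidObject        = $o.Name
        DisplayName      = $o.displayName
        Type             = $type
        Oid              = $oid
        MatchingTemplate = if ($match) { $match.Name } else { '(none)' }
    }
}

# Newest registrations first: the two objects created by one template
# duplication will be adjacent, one with a MatchingTemplate and one without.
$report | Sort-Object Created -Descending | Format-Table -AutoSize

# Reverse check: templates whose OID has no registration under CN=OID
# (no friendly-name mapping exists for them).
$registered = $oids | ForEach-Object { $_.'msPKI-Cert-Template-OID' }
$templates |
    Where-Object { $registered -notcontains $_.'msPKI-Cert-Template-OID' } |
    Select-Object Name, 'msPKI-Cert-Template-OID'
```

Run it before and after deleting a duplicated template: the row whose MatchingTemplate changes to "(none)" is the orphaned registration the question describes, and its Type and DisplayName columns show what kind of OID it is and under which friendly name it was registered, which is the information needed to decide whether it can be removed.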