What OID should I use in capolicy.inf

  • Question

  • Hi, I am trying to follow several step-by-step guides to install a 2-tier PKI. Some include c:\windows\capolicy.inf with the default OID=1.2.3.4.1455.67089.5 but instruct you to change that to your own OID. I have 2 problems here. The first one is that our production environment used to have ADCS installed, then it was badly uninstalled and manually cleaned, so when I run:

    Get-ADObject ('CN=OID,CN=Public Key Services,CN=Services,'+(Get-ADRootDSE).configurationNamingContext) -Properties msPKI-Cert-Template-OID

    I get: (numbers replaced by x)

    DistinguishedName       : CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=com,DC=ar
    msPKI-Cert-Template-OID : 1.3.6.1.x.x.xxx.xx.x.xxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxx.xxxxxxx.xxx
    Name                    : OID
    ObjectClass             : msPKI-Enterprise-Oid
    ObjectGUID              : xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    Should I use the same OID for the new Root CA server's capolicy.inf file? And what about the Subordinate Server?

    Is the OID the same for Root and subordinate servers?

    Other guides don't even add the OID parameter in capolicy.inf, so what is the right choice?

    If I need to generate a new OID for my new ADCS 2-tier PKI servers, where or how should I create that?

    Thanks. 


    • Edited by LCSMAR Monday, January 13, 2020 11:59 PM
    Monday, January 13, 2020 3:28 PM

Answers

All replies


  • Hi,

    First of all, I would recommend you confirm that all the CA-related objects are removed.

    For how to decommission a Windows enterprise certification authority and remove all related objects, see:
    https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

    Regarding the OID:

    CP OIDs typically are not included in a root CA certificate, but are included in subordinate CA certificates.
    If you have multiple levels of OIDs, the following rules are enforced.

    - The OIDs defined in the higher tier are the only OIDs allowed in lower tiers (You cannot add any additional issuance policy OIDs at a lower tier)

    - The lower tier can implement one, some, or all of the OIDs defined at the higher tier.

    Object Identifiers (OID) are controlled by IANA and you need to register a Private Enterprise Number (PEN), or OID arc, under the 1.3.6.1.4.1 namespace. Here is the PEN registration page: http://pen.iana.org/pen/PenApplication.page

    Best Regards,

    Fan


    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by LCSMAR Wednesday, January 15, 2020 3:42 AM
    Tuesday, January 14, 2020 5:15 AM
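The two rules in the answer above (no issuance policy in the root, and the subordinate may only carry policies its parent allows) are easy to get wrong by hand-editing capolicy.inf. The following PowerShell is an added example, not code from the thread or from Microsoft: it generates a capolicy.inf for each tier under a PEN-based arc and checks the subset rule before the file is written. The PEN 99999, the policy arc 1.3.6.1.4.1.99999.1.1, the CPS URL http://pki.example.com/cps.txt and the function names are all placeholders and assumptions of this example; substitute your own registered PEN and published CPS location.

```powershell
# Added example, not from the original thread: generate capolicy.inf for both tiers
# of a two-tier PKI and check the issuance-policy subset rule described in the answer.
# ASSUMPTIONS (placeholders, replace with your own values):
#   - 99999 stands in for your registered IANA Private Enterprise Number
#   - 1.3.6.1.4.1.<PEN>.1.1.x is the arc this organisation reserves for certificate policies
#   - http://pki.example.com/cps.txt is where the CPS would be published

$Pen       = 99999                                   # ASSUMPTION: placeholder PEN
$PolicyArc = "1.3.6.1.4.1.$($Pen).1.1"               # ASSUMPTION: policy arc under the PEN

# Policy sections that a subordinate capolicy.inf may reference by name.
$Policies = @{
    'InternalPolicy' = @{
        OID    = "$($PolicyArc).1"
        Notice = 'For internal use only'
        URL    = 'http://pki.example.com/cps.txt'     # ASSUMPTION: placeholder CPS URL
    }
}

function New-CaPolicyInf {
    param(
        [Parameter(Mandatory)][ValidateSet('Root', 'Subordinate')][string]$Tier,
        [string[]]$PolicyNames = @()
    )
    $lines = @('[Version]', 'Signature="$Windows NT$"', '')

    # The root CA certificate carries no issuance policies; only the subordinate's
    # capolicy.inf gets a [PolicyStatementExtension] section.
    if ($Tier -eq 'Subordinate' -and $PolicyNames.Count -gt 0) {
        $lines += '[PolicyStatementExtension]'
        $lines += 'Policies=' + ($PolicyNames -join ',')
        $lines += 'Critical=False'
        $lines += ''
        foreach ($name in $PolicyNames) {
            $p = $Policies[$name]
            $lines += "[$name]"
            $lines += "OID=$($p.OID)"
            $lines += "Notice=""$($p.Notice)"""
            $lines += "URL=$($p.URL)"
            $lines += ''
        }
    }

    $years = if ($Tier -eq 'Root') { 20 } else { 10 }
    $lines += '[Certsrv_Server]'
    $lines += 'RenewalKeyLength=4096'
    $lines += 'RenewalValidityPeriod=Years'
    $lines += "RenewalValidityPeriodUnits=$years"
    $lines += 'LoadDefaultTemplates=0'
    return $lines
}

# Parse the issuance-policy OIDs out of a capolicy.inf given as an array of lines.
function Get-CaPolicyOid {
    param([string[]]$InfLines = @())
    $sections = @{}
    $current  = ''
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }        # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -ne '' -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if (-not $sections.ContainsKey('PolicyStatementExtension')) { return @() }
    $names = $sections['PolicyStatementExtension']['Policies'] -split ',' | ForEach-Object { $_.Trim() }
    return @($names | ForEach-Object { $sections[$_]['OID'] })
}

# Rule from the answer: a lower tier may carry only OIDs its parent defines.
# A parent with no Certificate Policies extension (the usual root) imposes no restriction.
function Test-SubordinatePolicy {
    param([string[]]$ParentInf, [string[]]$ChildInf)
    $parentOids = @(Get-CaPolicyOid -InfLines $ParentInf)
    $childOids  = @(Get-CaPolicyOid -InfLines $ChildInf)
    if ($parentOids.Count -eq 0) { return $true }
    foreach ($oid in $childOids) {
        if ($parentOids -notcontains $oid) { return $false }
    }
    return $true
}

$rootInf = New-CaPolicyInf -Tier Root
$subInf  = New-CaPolicyInf -Tier Subordinate -PolicyNames 'InternalPolicy'
Test-SubordinatePolicy -ParentInf $rootInf -ChildInf $subInf

# Write the subordinate file on the issuing CA before running Install-AdcsCertificationAuthority.
Set-Content -Path (Join-Path $env:windir 'capolicy.inf') -Value $subInf -Encoding Ascii
```

The check matters most in a three-tier design or when the subordinate is renewed with a changed policy set: Test-SubordinatePolicy applied to the intermediate's file and the issuing CA's file fails as soon as the child names an OID the parent does not carry. The [Certsrv_Server] values are illustrative defaults, not the thread's recommendation.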
  • Hi, thanks for your help. The related objects were removed following that guide, except for the OID folder, which has several subfolders (OIDs?) that seem empty in Active Directory Sites and Services, as you can see in the screen capture:

    Should I delete them too?

    According to your comments, I have to install the Offline Root CA without setting the OID field in capolicy.inf, right?

    Thanks again for your help.

    Tuesday, January 14, 2020 1:31 PM
  • Hi,

    Yes, it is recommended to remove all subcontainers within the OID container. Once you install the new PKI, the installation wizard will add default OID values.

    Also, it is not suggested to set the OID on the root CA server.

    Best Regards,

    Fan




    • Marked as answer by LCSMAR Wednesday, January 15, 2020 3:42 AM
    Wednesday, January 15, 2020 1:39 AM
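Before deleting the leftover OID objects by hand in Sites and Services, a practitioner would want to see exactly which msPKI-Enterprise-Oid objects are still there and do a dry run of the removal. The following PowerShell is an added example, not part of the thread: it enumerates the direct children of the OID container with the same Get-ADObject cmdlet the question uses and stages their deletion with -WhatIf. It assumes the ActiveDirectory module is available and that, as the decommission article linked above requires, the CA, its enrollment services objects and its templates are already gone so nothing still references these OIDs.

```powershell
# Added example, not from the original thread: list the msPKI-Enterprise-Oid objects
# left under the OID container and stage their removal with -WhatIf.
# Requires the ActiveDirectory module (RSAT) and rights on the Configuration partition.
# ASSUMPTION: the CA, its templates and its enrollment services objects are already
# removed (per the decommission article linked above), so nothing references these OIDs.
Import-Module ActiveDirectory

$oidContainer = 'CN=OID,CN=Public Key Services,CN=Services,' +
                (Get-ADRootDSE).configurationNamingContext

# Only the children are candidates; the CN=OID container itself stays in place,
# since the new CA installation expects it to exist.
$leftovers = Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
    -Filter { objectClass -eq 'msPKI-Enterprise-Oid' } `
    -Properties displayName, msPKI-Cert-Template-OID, flags

# Review what is there before touching anything.
$leftovers | Select-Object Name, displayName, msPKI-Cert-Template-OID, flags | Format-Table -AutoSize

# Dry run: prints each object that would be deleted without deleting it.
# Remove -WhatIf only after the list above has been reviewed.
$leftovers | Remove-ADObject -Recursive -WhatIf
```

Keeping the container and removing only its children matches the advice in the answer; the -WhatIf pass is what distinguishes a controlled cleanup from the earlier "badly uninstalled and manually cleaned" state the question describes.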
  • Hi Again, you are helping me too much... Thanks

    If I don't set the OID field in capolicy.inf when setting up the subordinate certification authority, which OID will be used by default?

    May I change that OID in the future, once the Sub CA is installed?

    If the 2-tier PKI will be used just for production on the internal network, is acquiring an OID mandatory, or can I use the default OID?

    Thanks.

    Wednesday, January 15, 2020 3:54 AM
  • Hi,

    About how to select the OID for the new PKI, you can refer to the following links:

    https://social.technet.microsoft.com/Forums/en-US/dfc22fdd-dcda-4367-8a98-a20c11ff9298/what-oid-to-use-for-new-pki-structure?forum=winserversecurity

    https://www.networkworld.com/article/2231566/obtaining-an-oid-for-a-certificate-issuing-policy--capolicy-inf----.html (third-party link)

    Best Regards,

    Fan



    • Marked as answer by LCSMAR Wednesday, January 15, 2020 10:14 PM
    Wednesday, January 15, 2020 8:06 AM