Issuance Policies OIDs

  • Question

  • Working in my test environment I have created a number of Issuance Policies. When I create such a policy it dynamically generates OIDs for them. The question is: where are they stored, and how can I delete or edit these policies from the available policies list? I think they are stored in AD, but I cannot find where...

    thanks!
    http://www.sysadmins.lv
    Monday, November 9, 2009 9:59 AM

All replies

  • They are stored in CN=OID,CN=Public Key Services,CN=Services,ConfigDN
    Never use Random OIDs in production, always get an official OID arc through IANA or other authorities.
    When you go to delete them, I recommend ADSIEdit.msc as you can view the CN (the display name you assigned)
    Brian
    Monday, November 9, 2009 12:45 PM
  • > Never use Random OIDs in production, always get an official OID arc through IANA or other authorities

    How much do they cost in general?

    > They are stored in CN=OID,CN=Public Key Services,CN=Services,ConfigDN

    yes. When I looked there I saw only something like this:
    CN=10071698.9C4165022DDB1655A7489C623CE2B49D

    so I need to see properties of particular OID.
    http://www.sysadmins.lv
    Monday, November 9, 2009 1:08 PM
  • OIDs obtained through IANA are no charge.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, November 9, 2009 2:05 PM
  • http://pen.iana.org/pen/PenApplication.page
    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, November 9, 2009 2:10 PM
  • That's cool, so I can test it in my test lab. And the last question is:

    what is the difference between IANA's OID and the OID that is generated by Windows Server when I create a new Issuance Policy?
    http://www.sysadmins.lv
    Monday, November 9, 2009 5:29 PM
  • The OIDs created by Windows Server are in Microsoft's namespace. The ones generated by IANA would be in your own.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, November 9, 2009 8:43 PM
  • Can you explain your post (it is really difficult for me to understand :( )? Is there a technical/functional difference between them?

    OK, if I have an OID from IANA, where can I use it?
    Can I use the OID subtree to create my own custom templates, issuance policies, CPSs, application policies (what else?)?

    http://www.sysadmins.lv
    Monday, November 9, 2009 10:03 PM
  • If you go to the listing of the IANA Private Enterprise Numbers page - http://www.iana.org/assignments/enterprise-numbers you'll notice that the IANA prefix is 1.3.6.1.4.1. If you search for Microsoft on that page you'll notice that their portion of the namespace begins with 1.3.6.1.4.1.311. If you generate an OID on a Windows Server system you'll notice that it uses 1.3.6.1.4.1.311 as its prefix, therefore, it is within Microsoft's namespace. This is by design and is a convenience feature. Each Active Directory forest will (should) generate a unique OID number but it will fall within Microsoft's namespace.
    If you apply for your own IANA number your namespace will begin with 1.3.6.1.4.1 but the rest of the number will be uniquely your own and won't fall in Microsoft's namespace. You can then use this namespace however you see fit, to create your own unique OIDs for certificate templates, issuance policies, application policies, CPSs, and as identifiers for directory enabled applications.
    Using a portion of Microsoft's namespace will serve you just fine if you only ever do internal PKI operations, or directory enabled applications, however, if you ever need to cross-certify, join an external bridge, subordinate to a public root etc., chances are pretty good that they won't accept OIDs from you that are part of someone else's namespace.
    Since IANA numbers are free, it is much better to start with your own namespace than it is to use a portion of someone else's and try to change it up later.
    Paul Adare CTO IdentIT Inc. ILM MVP
    • Proposed as answer by Paul Adare Tuesday, November 10, 2009 6:49 AM
    • Marked as answer by Vadims PodansMVP Tuesday, November 10, 2009 12:30 PM
    Tuesday, November 10, 2009 6:49 AM
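  • The following is an added example, not code from the thread or from any of the posters. It ties together Brian's pointer to the CN=OID,CN=Public Key Services,CN=Services,ConfigDN container (the opaque CN=10071698.9C41... names Vadims saw are the object names, and the friendly name lives in displayName) and Paul's point about the 1.3.6.1.4.1.311 arc: it is a read-only audit that lists every msPKI-Enterprise-Oid object, says whether its OID sits in Microsoft's arc or in your own IANA arc, and shows which certificate templates still reference each issuance policy (via the templates' msPKI-Certificate-Policy attribute), so you know what is safe to remove before you reach for ADSIEdit. It assumes a domain-joined Windows host with read access to the Configuration partition and uses only [ADSI]/DirectorySearcher (no RSAT module). `<YOUR-PEN>` is a placeholder for your own Private Enterprise Number; the mapping of the flags attribute values (1 = template, 2 = issuance policy, 3 = application policy) is my reading of Microsoft's protocol documentation and should be checked against your own forest.

```powershell
# Added example (not from the thread): read-only audit of the forest's OID container.
# Assumptions: domain-joined host, rights to read the Configuration partition,
# no RSAT needed. Replace <YOUR-PEN> with the IANA Private Enterprise Number you were assigned.

$MicrosoftArc = '1.3.6.1.4.1.311.'          # Microsoft's PEN; Windows auto-generated OIDs live under it
$OwnArc       = '1.3.6.1.4.1.<YOUR-PEN>.'   # placeholder for your own IANA arc

# Locate the Configuration naming context (the "ConfigDN" referred to above)
$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = $rootDse.configurationNamingContext
$pkiDn    = "CN=Public Key Services,CN=Services,$configDn"

function Search-AdContainer {
    param([string]$Dn, [string]$Filter, [string[]]$Props)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Dn")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange($Props)
    $searcher.FindAll()
}

# Map each issuance policy OID to the templates that reference it (msPKI-Certificate-Policy)
$refs = @{}
$templates = Search-AdContainer -Dn "CN=Certificate Templates,$pkiDn" `
    -Filter '(objectClass=pKICertificateTemplate)' -Props @('cn','msPKI-Certificate-Policy')
foreach ($t in $templates) {
    foreach ($oid in @($t.Properties['mspki-certificate-policy'])) {
        if (-not $refs.ContainsKey($oid)) { $refs[$oid] = @() }
        $refs[$oid] += [string]$t.Properties['cn'][0]
    }
}

# Enumerate the msPKI-Enterprise-Oid objects. The opaque CN (e.g. 10071698.9C41...) is the
# object name; displayName is the friendly name typed into the policy editor.
# flags meaning is an assumption from the protocol docs: 1 template, 2 issuance, 3 application.
$flagNames = @{ 1 = 'Template'; 2 = 'Issuance policy'; 3 = 'Application policy' }
$oids = Search-AdContainer -Dn "CN=OID,$pkiDn" -Filter '(objectClass=msPKI-Enterprise-Oid)' `
    -Props @('cn','displayName','msPKI-Cert-Template-OID','flags')

$report = foreach ($o in $oids) {
    $oid  = [string]$o.Properties['mspki-cert-template-oid'][0]
    $arc  = if ($oid.StartsWith($MicrosoftArc)) { 'Microsoft (auto-generated)' }
            elseif ($oid.StartsWith($OwnArc))   { 'Own IANA arc' }
            else                                 { 'Other' }
    $flag = [int]$o.Properties['flags'][0]
    [pscustomobject]@{
        Name   = [string]$o.Properties['displayname'][0]
        CN     = [string]$o.Properties['cn'][0]
        Type   = if ($flagNames.ContainsKey($flag)) { $flagNames[$flag] } else { "flags=$flag" }
        OID    = $oid
        Arc    = $arc
        UsedBy = if ($refs.ContainsKey($oid)) { $refs[$oid] -join ', ' } else { '(unreferenced)' }
    }
}
$report | Sort-Object Type, Name | Format-Table -AutoSize
```

    The script changes nothing in the directory. An issuance policy row whose UsedBy column reads "(unreferenced)" is a candidate for deletion through ADSIEdit as Brian suggests; one that is still referenced by a template should be removed from that template first, since certificates are issued with whatever policy OIDs the template lists at enrollment time.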
  • Thanks for this good explanation. It is now clearer to me. If I have this OID, do I need to obtain an OID tree additionally? Or can I use any OIDs within my own namespace? And regarding templates. When I create a new template, Windows doesn't allow me to change the template OID. Can I use ADSIEdit to change this template OID (as Brian suggested above)?
    http://www.sysadmins.lv
    Tuesday, November 10, 2009 9:53 AM
  • Sorry, you don't need to use your IANA number for certificate template OIDs, just use the ones that are assigned automatically when you duplicate a certificate template so there's no reason to change them with ADSIEDIT. I don't believe that directly modifying certificate templates with ADSIEDIT is supported. Brian was referring specifically to deleting policy OIDs that were no longer required.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, November 10, 2009 12:27 PM