Windows PKI PEN

  • Question

  • Hello PKI engineers out there...

    I'm trying to understand exactly why a PEN (Private Enterprise Number) is needed within a PKI deployment.

    I understand that this is embedded into templates / CPS policies, etc., but what is the reason these need to be unique? Within the CPS extension I can simply add a URL for my CPS statement, which is to a domain that I control.

    I could create custom extensions using my PEN as part of the OID and then configure certain apps to require this, but what is stopping another company using the same OID? From what I've read, when a certificate is presented there are no dynamic lookups which check if this OID is actually assigned to that particular organisation?

    If anyone could shed some light that would be great.


    • Edited by BITMAN123 Thursday, February 15, 2018 11:59 PM
    Thursday, February 15, 2018 11:11 PM

All replies

  • First, a quick background on Policy and OIDs.

    (Included for context)

    An X.509 certificate expresses policy constraints through the specification of an OID within that certificate.

    An OID is used to assign a certificate policy to a certificate. Certificates can list more than one policy OID as a CA certificate may be compliant with multiple certificate policies.

    In addition to those Policy Constraints, you may add ‘Policy Qualifiers’ to a certificate.

    • ‘CPS Pointer qualifier’: contains a pointer to a Certification Practice Statement
    • ‘User Notice’: displays useful text to a relying party

    It should be noted that while a CA Certificate may assert compliance with multiple policies, that CA can only have one CPS. (A CA is only operated one way!)

    But where do you get the Policy OID?

    There are the default Policies that you could use. But if you wanted to express a CA’s compliance to a Certificate Policy that is your own, you will want to map that policy to your CA using your own OID.

    So what is a PEN?

    A PEN is a private enterprise number. This is a number unique to your company and managed by IANA. This number allows you to create an OID arc that starts at ISO and ends at your specific policy:

    • iso.org.dod.internet.private.enterprise.PEN.POLICY

    For example, here is my test lab policy OID:

    • iso.org.dod.internet.private.enterprise (Identical for all OID arcs that feature IANA PENs)
    • 16211 - My company’s PEN (assigned by IANA)
    • 5 - Non-Prod Environment (Assigned by my company)
    • 1 - PKI (Assigned by my company)
    • 1 - low assurance policy (Assigned by my company)

    What you can see is a Policy OID that is internet unique to my specific policy, and specifies a specific policy.

    Why is that important?

    Internet unique Policy OIDs are necessary when you set up a PKI relationship with another PKI (cross certification, bridging, etc.). When setting these sorts of relationships up, one often needs to configure Policy Mapping. Policy Mapping is the PKI mechanism that maps ‘policy A’ in one PKI to ‘policy B’ in another. In order for this policy mapping to be guaranteed to work across companies, this OID needs to be unique.

    I hope this helps.



    Friday, February 16, 2018 1:17 PM
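As an added illustration of the arc described in the reply above (example code, not from the thread or from any Microsoft tooling): it turns the named arc iso.org.dod.internet.private.enterprise.PEN.POLICY into dotted-decimal form, DER-encodes it as it would appear inside a certificatePolicies extension, and shows that a relying party's "is this policy ours?" check is only a local prefix comparison, which is exactly why uniqueness has to come from the IANA registry rather than from any lookup at validation time. The PEN value 16211 and the sub-arcs are the ones the reply uses; the function names are my own.

```python
# Added example: policy OID arcs built on an IANA Private Enterprise Number.
# Dotted-decimal form of the named arc iso.org.dod.internet.private.enterprise.
IANA_PEN_ARC = (1, 3, 6, 1, 4, 1)


def policy_oid(pen: int, *sub_arcs: int) -> str:
    """Dotted OID for iso.org.dod.internet.private.enterprise.PEN.<sub-arcs>."""
    if pen <= 0 or any(a < 0 for a in sub_arcs):
        raise ValueError("PEN must be positive and sub-arcs non-negative")
    return ".".join(str(n) for n in IANA_PEN_ARC + (pen,) + sub_arcs)


def _base128(n: int) -> bytes:
    """One sub-identifier in the base-128 form DER uses (high bit = continuation)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06). The first two arcs share one byte: 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) >= 128:
        raise ValueError("long-form length not needed for policy OIDs; not implemented")
    return bytes([0x06, len(body)]) + body


def under_enterprise_arc(oid: str, pen: int) -> bool:
    """Relying-party check: does a presented policy OID sit under our PEN arc?

    This is a plain string-prefix comparison done locally. Nothing here (or in
    X.509 path validation) asks IANA whether the PEN really belongs to the
    presenter; the only guarantee of uniqueness is the registry itself.
    """
    prefix = policy_oid(pen)
    return oid == prefix or oid.startswith(prefix + ".")


if __name__ == "__main__":
    lab = policy_oid(16211, 5, 1, 1)  # the test-lab arc from the reply above
    print(lab, der_encode_oid(lab).hex())
    print(under_enterprise_arc(lab, 16211), under_enterprise_arc(lab, 16212))
```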
  • Hello, I've created a 2-tier PKI structure in our AD: 1 offline root server and 1 subordinate CA.

    I've got a PEN (Private Enterprise Number) from IANA.

    I'd like to create a new OID for my PKI. Do I need to specify an OID on both the root and subordinate CA?

    e.g.

    • iso.org.dod.internet.private.enterprise (Identical for all OID arcs that feature IANA PENs)
    • xxxxx - my company’s PEN (assigned by IANA)
    • 0 - Production Environment (Assigned by my company)
    • 888 - PKI (Assigned by my company)
    • 1 - RootCA (Assigned by my company)
    • 2 - issuingCA (Assigned by my company)

    Add, in the CAPolicy.inf file at the RootCA server, the number as the OID of the RootCA.

    Add, in the CAPolicy.inf file at the issuingCA server, the number as the OID of the IssuingCA.

    Or should there be only one number for the whole PKI (the same OID in the CAPolicy.inf files at both servers)?

    At the end, OIDs should be registered in AD; which method is best?



    • Edited by Kikas76 Wednesday, October 2, 2019 9:45 AM
    Wednesday, October 2, 2019 9:03 AM
  • This site has a good explanation of the answer: https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx

    You can also use the 'all issuance policies' extension on the end to match all policies for your IssuingCA if you don't have specifically assigned company attributes for policies.

    Root CA - no certificate policies extension

    Issuing CA - Certificate Policies extension with one or more policies

    Leaf Certificate - Certificate Policies extension with one or more policies

    Tuesday, December 10, 2019 9:11 PM