What is an Object Identifier (OID) in a PKI? How do you obtain an OID?

Object Identifiers (OIDs) work much like the Internet domain name space: organizations that need such an identifier may have a root OID assigned to them. They can then create their own sub-OIDs, much as they can create subdomains. A large and standardized set of OIDs already exists.

An OID corresponds to a node in the “OID tree” or hierarchy, which is formally defined using the ITU’s OID standard, X.660. The root of the tree contains the following three arcs:

  1. ITU-T
  2. ISO
  3. joint-iso-itu-t

What is an Object Identifier (OID)?

An OID, or Object Identifier, can be applied to each CPS (Certificate Practice Statement). The OID is an identifier that is tied to the CPS or, if multiple policies are defined, to each CA’s certificate policy.

Object Identifiers are controlled by IANA, and you need to register a Private Enterprise Number (PEN), or OID arc, under the 1.3.6.1.4.1 namespace. Here is the PEN registration page: https://pen.iana.org/pen/PenApplication.page

When acquired, your OID namespace will look as follows: 1.3.6.1.4.1.{PENnumber}. You can assign certificate policies under your private namespace, for example:

  • 1.3.6.1.4.1.{PENnumber}.1.1 – Smart Card issuance policy
  • 1.3.6.1.4.1.{PENnumber}.1.2 – Digital signature certificate issuance policy
  • 1.3.6.1.4.1.{PENnumber}.1.3 – Encryption certificate with key archival issuance policy
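How such an identifier is stored inside a certificate, and how to test whether a policy OID really sits under a given arc, shown as an added example that is not part of the original page. It assumes enterprise number 32473 (reserved for documentation by RFC 5612) in place of {PENnumber}; the function names are illustrative.

```python
# Added example: OID arcs and their DER encoding (X.690), stdlib only.
PEN_ARC = "1.3.6.1.4.1"  # iso.org.dod.internet.private.enterprise
DOC_PEN = 32473          # enterprise number reserved for documentation (RFC 5612)

def parse_oid(dotted):
    """Validate dotted-decimal text and return its arcs as a tuple of ints."""
    parts = dotted.split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-decimal OID: {dotted!r}")
    arcs = tuple(int(p) for p in parts)
    # Root arc is 0, 1 or 2; below roots 0 and 1 the second arc is limited to 0..39.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid root arcs in {dotted!r}")
    return arcs

def _base128(n):
    """Big-endian base 128, high bit set on every byte except the last."""
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append((n & 0x7F) | 0x80)
    return bytes(reversed(out))

def encode_oid(dotted):
    """Return the DER TLV (tag 0x06, short-form length) for an OID."""
    arcs = parse_oid(dotted)
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length is outside this example")
    return bytes([0x06, len(body)]) + body

def decode_oid(der):
    """Inverse of encode_oid for short-form DER OIDs."""
    if not 3 <= len(der) <= 129 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a short-form DER OID")
    values, n = [], 0
    for b in der[2:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:       # last byte of this arc
            values.append(n)
            n = 0
    first = min(values[0] // 40, 2)
    return ".".join(map(str, [first, values[0] - 40 * first] + values[1:]))

def is_under(oid, arc):
    """True if oid is a strict descendant of arc, compared arc by arc, not as text."""
    o, a = parse_oid(oid), parse_oid(arc)
    return len(o) > len(a) and o[:len(a)] == a

SMARTCARD_POLICY = f"{PEN_ARC}.{DOC_PEN}.1.1"  # mirrors 1.3.6.1.4.1.{PENnumber}.1.1
```

The arc-by-arc comparison matters when filtering policies by namespace: a plain string prefix test would accept 1.3.6.1.4.11.5 as if it were under 1.3.6.1.4.1.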

For general purpose CAs, you can use a universal Object Identifier with the value 2.5.29.32.0. This identifier means “All Issuance Policies” and is a sort of wildcard policy. Any policy will match this identifier during certificate chain validation.

Where do you get an OID?

An OID is a unique sequence of numbers that identifies a specific directory object or attribute. You can define an OID for a CPS as either a public or private OID.

In case the organization plans to utilize PKI-enabled applications in conjunction with other organizations, the organization must get an OID from a public number-assignment company to certify that their OID will be unique on the Internet. Sources for public OIDs include:

  • The Internet Assigned Numbers Authority (IANA). This source issues free OIDs under the Private Enterprises arc. Every OID assigned by the IANA begins with the numbers 1.3.6.1.4.1 representing iso(1).org(3).dod(6).internet(1).private(4).enterprise(1).

Note: An arc is the term used to reference a specific path in the global OID tree maintained by the International Organization for Standardization (ISO) and the International Telecommunication Union. This global OID tree is sometimes referred to as the joint ISO/ITU-T tree. For example, the Private Enterprises arc contains all OIDs that begin with 1.3.6.1.4.1.

  • The American National Standards Institute (ANSI). This source issues OIDs for purchase under the U.S. Organizations arc of the ANSI OID tree. Every OID assigned by the ANSI begins with the numbers 2.16.840.1 representing joint-iso-itu-t(2).country(16).US(840).US company arc(1).

  • Other countries. Each country has its own OID-management organization. The easiest way to discover the organization for a given country is to perform a Google search (www.google.com) with the search phrase Country (where Country is the name of the given country) and “Object Identifier.” Here are some examples of the arcs available within the joint ISO/ITU-T tree:

    • Canada: joint-iso-itu-t(2).country(16).canada(124)
    • Netherlands: joint-iso-itu-t(2).country(16).netherlands(528)
    • Switzerland: joint-iso-itu-t(2).country(16).switzerland(756)
    • Thailand: joint-iso-itu-t(2).country(16).thailand(764)

You can also generate a private OID based on your forest’s globally unique identifier (GUID) within the Microsoft IANA-assigned tree. If you decide to use these OIDs, you will have an OID assigned from 1.3.6.1.4.1.311.21.8.a.b.c.d.e.1.402 (where a.b.c.d.e is a unique string of numbers based on your forest’s GUID).

Note: Use the private OID tree only if you do not foresee using the OIDs in conjunction with other organizations and your organization is unwilling to obtain a free OID from the IANA. If you plan on using PKI-enabled applications within other organizations, obtain a free OID tree from the IANA or buy a tree from the ANSI.

Tip: You can obtain your forest’s private OID by opening the Certificate Templates (certtmpl.msc) console as a member of the Enterprise Admins group. In the console tree, right-click Certificate Templates and click View Object Identifiers. In the resulting dialog box, you can choose the High Assurance Object Identifier and click the Copy Object Identifier button. Once you copy the OID, you can plug your forest’s values into the placeholders a.b.c.d.e, removing any trailing digits.

Certificate Policies Extension

The Certificate Policy extension, if present in an issuer certificate, expresses the policies that are followed by the CA, both in terms of how identities are validated before certificate issuance as well as how certificates are revoked and the operational practices that are used to ensure integrity of the CA. These policies can be expressed in two ways: as an OID, which is a unique number that refers to one given policy, and as a human-readable Certificate Practice Statement (CPS). One Certificate Policy extension can contain both the computer-sensible OID and a printable CPS. One special OID has been set aside for any policy, which states that the CA may issue certificates under a free-form policy.

IETF RFC 2527 gives a complete description of what should be present in a CA policy document and CPS. More details on the 2527 guidelines are given in the “PKI Policy Description” section.

As per RFC5280 §4.2.1.4, an entry in the Certificate Policies extension consists of a policy identifier (OID) at a minimum. A single Certificate Policies extension may contain multiple entries, one entry per policy. A policy identifier may be combined with one or more policy qualifiers. RFC5280 supports two policy qualifiers:

  1. CPS Pointer
  2. User Notice

A CPS Pointer is a URL to a Certificate Practice Statement document that describes the policy under which the certificate in question was issued.

A User Notice is a small piece of text (the RFC recommends using no more than 200 characters) that describes the policy.

Microsoft requires that the Certificate Policies extension consist of a policy identifier and one or more policy qualifiers. The preferred policy qualifier is a CPS Pointer, because a User Notice is short and cannot provide enough information, while a CPS Pointer can carry a URL to the CPS document or web page. Another reason to use a CPS Pointer is that when you open a digital certificate in the UI, there is a button called “Issuer Statement”.

The certificate GUI dialog looks for the Certificate Policies extension in the certificate and activates the button when it is found. Pressing the button takes you to the first CPS Pointer URL, where you can read the certificate issuer’s statement.

Have you wondered why a root CA certificate does not need a Certificate Policies extension? Because a Certificate Policies extension with the wildcard “All Issuance Policies” is implied for self-signed certificates, and no custom policies shall be defined at the root level. The Certificate Policies extension must appear at the 2nd level (the Policy CA in a 3-tier hierarchy, or the Issuing CA when the Policy and Issuing CA roles are combined in a 2-tier hierarchy).

For example, Certificate Policies appearance in a 3-tier hierarchy:

Root CA – no Certificate Policies extension

Policy CA – Certificate Policies extension with one or more policies

Issuing CA – Certificate Policies extension with one or more policies

Leaf certificate – Certificate Policies extension with one or more Policies

NOTE: In a 2-tier hierarchy, the path is shorter, but the same rules apply.
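The placement rules above and the “All Issuance Policies” wildcard can be checked mechanically. The following is an added example, not code from the original page: a simplified policy evaluation that ignores policy mappings, inhibitAnyPolicy and qualifiers. The chains are constructed, and the policy OIDs use the documentation enterprise number 32473 (RFC 5612) in place of {PENnumber}.

```python
# Added example: simplified certificate-policy evaluation along a chain.
ANY_POLICY = "2.5.29.32.0"   # "All Issuance Policies" wildcard
PEN = "1.3.6.1.4.1.32473"    # documentation enterprise number, stands in for {PENnumber}
SMARTCARD, SIGNING = PEN + ".1.1", PEN + ".1.2"

def effective_policies(chain):
    """chain: list of (name, set of policy OIDs or None), root first, leaf last.

    Returns the policy OIDs valid for the whole path. {ANY_POLICY} means
    unconstrained; an empty set means no policy survives, which fails
    validation only when the relying party requires an explicit policy.
    """
    valid = {ANY_POLICY}            # the root is treated as implicit anyPolicy
    for _name, policies in chain[1:]:
        if not policies:            # extension missing below the root
            return set()
        if ANY_POLICY in policies:  # wildcard: whatever was valid stays valid
            continue
        valid = set(policies) if ANY_POLICY in valid else valid & set(policies)
        if not valid:
            return set()
    return valid

def hierarchy_findings(chain):
    """Check placement: no extension at the root, one at every lower tier."""
    findings = []
    root_name, root_policies = chain[0]
    if root_policies:
        findings.append(f"{root_name}: root should not carry Certificate Policies")
    for name, policies in chain[1:]:
        if not policies:
            findings.append(f"{name}: Certificate Policies extension missing")
    return findings

# Constructed 3-tier chains matching the hierarchy listed above.
GOOD = [("Root CA", None), ("Policy CA", {SMARTCARD, SIGNING}),
        ("Issuing CA", {SMARTCARD}), ("Leaf", {SMARTCARD})]
WILDCARD = [("Root CA", None), ("Policy CA", {ANY_POLICY}),
            ("Issuing CA", {ANY_POLICY}), ("Leaf", {SIGNING})]
MISMATCH = [("Root CA", None), ("Policy CA", {SMARTCARD, SIGNING}),
            ("Issuing CA", {SMARTCARD}), ("Leaf", {SIGNING})]
MISSING = [("Root CA", None), ("Policy CA", {SMARTCARD}),
           ("Issuing CA", None), ("Leaf", {SMARTCARD})]
```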