Certificates: OID reference for extended key usages - certificate

Is there a reference that maps OIDs to terms used in Microsoft documentation like "Server Authentication" or "Secure Email"?
Server Authentication: 1.3.6.1.5.5.7.3.1
Client Authentication: 1.3.6.1.5.5.7.3.2
Secure Email: 1.3.6.1.5.5.7.3.4
Data Encipherment: 1.3.6.1.4.1.311.10.3.4
Key Encipherment: ?
Digital Signature: ?
I am using these OIDs to generate test certificates with makecert.exe.
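As an added example (not code from the question, the answer, or Microsoft), the script below shows what these names actually become inside a certificate: a DER-encoded ExtendedKeyUsage is just a SEQUENCE OF OBJECT IDENTIFIER, so a few lines of encoding and decoding let you check that a test certificate carries exactly the OIDs you intended and print the display name Microsoft tooling uses for each. The name table holds the OIDs from the question plus some Microsoft-specific ones from the KB list in the answer; the DER bytes in the test are constructed for the demo. One fact worth knowing when filling in the two blanks in the question: "Digital Signature" and "Key Encipherment" are not EKU OIDs at all, they are bits of the KeyUsage extension (2.5.29.15), so the script decodes that BIT STRING as well.

```python
"""Encode/decode X.509 ExtendedKeyUsage and KeyUsage values and name the OIDs.
Added example, not part of the original question or answer. EKU_NAMES is built
from the OIDs listed on this page; all DER inputs are constructed for the demo."""

# Display names Microsoft tooling shows for the EKU OIDs discussed on this page.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",   # szOID_EFS_CRYPTO
    "1.3.6.1.4.1.311.10.3.12": "Document Signing",        # szOID_KP_DOCUMENT_SIGNING
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",         # szOID_KP_SMARTCARD_LOGON
}
# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    count = (n.bit_length() + 7) // 8
    return bytes([0x80 | count]) + n.to_bytes(count, "big")

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs merged as 40*X+Y, each arc in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _encode_length(len(body)) + bytes(body)

def encode_eku(oids) -> bytes:
    """extnValue of id-ce-extKeyUsage: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the content bytes of an OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    x, y = divmod(first, 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in [x, y] + arcs[1:])

def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs inside a DER ExtendedKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtendedKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage may only contain OIDs")
        oids.append(decode_oid(content))
    return oids

def describe_eku(der: bytes) -> list:
    """Pair each EKU OID with its Microsoft display name, or a marker if unknown."""
    return [(oid, EKU_NAMES.get(oid, "(unknown EKU)")) for oid in decode_eku(der)]

def decode_key_usage(der: bytes) -> list:
    """Names of the set bits in a DER KeyUsage BIT STRING (byte 0 = unused-bit count)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x03 or end != len(der) or not body:
        raise ValueError("KeyUsage must be a single BIT STRING")
    unused, data = body[0], body[1:]
    nbits = 8 * len(data) - unused
    bits = int.from_bytes(data, "big")
    return [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if (bits >> (8 * len(data) - 1 - i)) & 1]

if __name__ == "__main__":
    # Constructed sample: a TLS server certificate's EKU plus an unknown private OID.
    for oid, name in describe_eku(encode_eku(["1.3.6.1.5.5.7.3.1", "1.2.3.4.5"])):
        print(f"{oid:28} {name}")
    # Constructed sample: KeyUsage with digitalSignature and keyEncipherment set.
    print(decode_key_usage(bytes.fromhex("030205a0")))
```

The decoder deliberately rejects anything in the SEQUENCE that is not an OID and any length that runs past the buffer, which is the check you want before trusting a certificate extension parsed from the wire; an unrecognised OID is reported rather than silently dropped, so a test certificate that got the EFS OID instead of a real "Data Encipherment" purpose is visible at a glance.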

There is a support document in the Microsoft knowledge base: https://web.archive.org/web/20180608195005/https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography
As MSFT keeps flipping URLs and dropping information, here is a scrap:
Microsoft OID...................................1.3.6.1.4.1.311
Authenticode....................................1.3.6.1.4.1.311.2
Software Publishing (with associated encoders/decoders)
SPC_INDIRECT_DATA_OBJID 1.3.6.1.4.1.311.2.1.4
SPC_STATEMENT_TYPE_OBJID 1.3.6.1.4.1.311.2.1.11
SPC_SP_OPUS_INFO_OBJID 1.3.6.1.4.1.311.2.1.12
SPC_PE_IMAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.15
SPC_SP_AGENCY_INFO_OBJID 1.3.6.1.4.1.311.2.1.10
SPC_MINIMAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.26
SPC_FINANCIAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.27
SPC_LINK_OBJID 1.3.6.1.4.1.311.2.1.28
SPC_HASH_INFO_OBJID 1.3.6.1.4.1.311.2.1.29
SPC_SIPINFO_OBJID 1.3.6.1.4.1.311.2.1.30
Software Publishing (with NO associated encoders/decoders)
SPC_CERT_EXTENSIONS_OBJID 1.3.6.1.4.1.311.2.1.14
SPC_RAW_FILE_DATA_OBJID 1.3.6.1.4.1.311.2.1.18
SPC_STRUCTURED_STORAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.19
SPC_JAVA_CLASS_DATA_OBJID 1.3.6.1.4.1.311.2.1.20
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
SPC_CAB_DATA_OBJID 1.3.6.1.4.1.311.2.1.25
SPC_GLUE_RDN_OBJID 1.3.6.1.4.1.311.2.1.25
CTL for Software Publishers Trusted CAs 1.3.6.1.4.1.311.2.2
(sub-subtree is defined for Software Publishing trusted CAs)
szOID_TRUSTED_CODESIGNING_CA_LIST 1.3.6.1.4.1.311.2.2.1
szOID_TRUSTED_CLIENT_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.2
szOID_TRUSTED_SERVER_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.3
Time Stamping...................................1.3.6.1.4.1.311.3
(with Associated encoder/decoders)
SPC_TIME_STAMP_REQUEST_OBJID 1.3.6.1.4.1.311.3.2.1
Permissions.....................................1.3.6.1.4.1.311.4
Crypto 2.0......................................1.3.6.1.4.1.311.10
PKCS #7 ContentType Object Identifier for Certificate Trust List (CTL)
szOID_CTL 1.3.6.1.4.1.311.10.1
Sorted CTL Extension
szOID_SORTED_CTL 1.3.6.1.4.1.311.10.1.1
Next Update Location extension or attribute. Value is an encoded GeneralNames
szOID_NEXT_UPDATE_LOCATION 1.3.6.1.4.1.311.10.2
Enhanced Key Usage (Purpose)
Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING 1.3.6.1.4.1.311.10.3.1
Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING 1.3.6.1.4.1.311.10.3.2
Can use strong encryption in export environment
szOID_SERVER_GATED_CRYPTO 1.3.6.1.4.1.311.10.3.3
szOID_SERIALIZED 1.3.6.1.4.1.311.10.3.3.1
Can use encrypted file systems (EFS)
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_EFS_RECOVERY 1.3.6.1.4.1.311.10.3.4.1
Can use Windows Hardware Compatible (WHQL)
szOID_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.5
Signed by the NT5 build lab
szOID_NT5_CRYPTO 1.3.6.1.4.1.311.10.3.6
Signed by an OEM of WHQL
szOID_OEM_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.7
Signed by the Embedded NT
szOID_EMBEDDED_NT_CRYPTO 1.3.6.1.4.1.311.10.3.8
Signer of a CTL containing trusted roots
szOID_ROOT_LIST_SIGNER 1.3.6.1.4.1.311.10.3.9
Can sign cross-cert and subordinate CA requests with qualified
subordination (name constraints, policy mapping, etc.)
szOID_KP_QUALIFIED_SUBORDINATION 1.3.6.1.4.1.311.10.3.10
Can be used to encrypt/recover escrowed keys
szOID_KP_KEY_RECOVERY 1.3.6.1.4.1.311.10.3.11
Signer of documents
szOID_KP_DOCUMENT_SIGNING 1.3.6.1.4.1.311.10.3.12
Limits the valid lifetime of the signature to the lifetime of the certificate.
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
szOID_KP_MOBILE_DEVICE_SOFTWARE 1.3.6.1.4.1.311.10.3.14
Microsoft Attribute Object Identifiers
szOID_YESNO_TRUST_ATTR 1.3.6.1.4.1.311.10.4.1
Microsoft Music
szOID_DRM 1.3.6.1.4.1.311.10.5.1
Microsoft DRM EKU
szOID_DRM_INDIVIDUALIZATION 1.3.6.1.4.1.311.10.5.2
Microsoft Licenses
szOID_LICENSES 1.3.6.1.4.1.311.10.6.1
szOID_LICENSE_SERVER 1.3.6.1.4.1.311.10.6.2
Microsoft CERT_RDN attribute Object Identifiers
szOID_MICROSOFT_RDN_PREFIX 1.3.6.1.4.1.311.10.7
Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
szOID_KEYID_RDN 1.3.6.1.4.1.311.10.7.1
Microsoft extension in a CTL to add or remove the certificates. The
extension type is an INTEGER. 0 => add certificate, 1 => remove certificate
szOID_REMOVE_CERTIFICATE 1.3.6.1.4.1.311.10.8.1
Microsoft certificate extension containing cross certificate distribution
points. ASN.1 encoded as follows:
CrossCertDistPoints ::= SEQUENCE {
syncDeltaTime INTEGER (0..4294967295) OPTIONAL,
crossCertDistPointNames CrossCertDistPointNames
} --#public--
CrossCertDistPointNames ::= SEQUENCE OF GeneralNames
szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1
Microsoft CMC OIDs 1.3.6.1.4.1.311.10.10
Similar to szOID_CMC_ADD_EXTENSIONS. Attributes replaces Extensions.
szOID_CMC_ADD_ATTRIBUTES 1.3.6.1.4.1.311.10.10.1
Microsoft certificate property OIDs 1.3.6.1.4.1.311.10.11
The OID component following the prefix contains the PROP_ID (decimal)
szOID_CERT_PROP_ID_PREFIX 1.3.6.1.4.1.311.10.11.
CryptUI 1.3.6.1.4.1.311.10.12
szOID_ANY_APPLICATION_POLICY 1.3.6.1.4.1.311.10.12.1
Catalog.........................................1.3.6.1.4.1.311.12
szOID_CATALOG_LIST 1.3.6.1.4.1.311.12.1.1
szOID_CATALOG_LIST_MEMBER 1.3.6.1.4.1.311.12.1.2
CAT_NAMEVALUE_OBJID 1.3.6.1.4.1.311.12.2.1
CAT_MEMBERINFO_OBJID 1.3.6.1.4.1.311.12.2.2
Microsoft PKCS10 OIDs...........................1.3.6.1.4.1.311.13
szOID_RENEWAL_CERTIFICATE 1.3.6.1.4.1.311.13.1
szOID_ENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
szOID_ENROLLMENT_CSP_PROVIDER 1.3.6.1.4.1.311.13.2.2
szOID_OS_VERSION 1.3.6.1.4.1.311.13.2.3
Microsoft Java..................................1.3.6.1.4.1.311.15
Microsoft Outlook/Exchange......................1.3.6.1.4.1.311.16
Outlook Express 1.3.6.1.4.1.311.16.4
Used by OL/OLEXP to identify which certificate signed the PKCS #7 message
szOID_MICROSOFT_Encryption_Key_Preference 1.3.6.1.4.1.311.16.4
Microsoft PKCS12 attributes.....................1.3.6.1.4.1.311.17
szOID_LOCAL_MACHINE_KEYSET 1.3.6.1.4.1.311.17.1
Microsoft Hydra.................................1.3.6.1.4.1.311.18
License Info root
szOID_PKIX_LICENSE_INFO 1.3.6.1.4.1.311.18.1
Manufacturer value
szOID_PKIX_MANUFACTURER 1.3.6.1.4.1.311.18.2
Manufacturer Specific Data
szOID_PKIX_MANUFACTURER_MS_SPECIFIC 1.3.6.1.4.1.311.18.3
OID for Certificate Version Stamp
szOID_PKIX_HYDRA_CERT_VERSION 1.3.6.1.4.1.311.18.4
OID for License Server to identify licensed product.
szOID_PKIX_LICENSED_PRODUCT_INFO 1.3.6.1.4.1.311.18.5
OID for License Server specific info.
szOID_PKIX_MS_LICENSE_SERVER_INFO 1.3.6.1.4.1.311.18.6
Extension OID reserved for product policy module - only one is allowed.
szOID_PKIS_PRODUCT_SPECIFIC_OID 1.3.6.1.4.1.311.18.7
szOID_PKIS_TLSERVER_SPK_OID 1.3.6.1.4.1.311.18.8
Microsoft ISPU Test.............................1.3.6.1.4.1.311.19
Microsoft Enrollment Infrastructure.............1.3.6.1.4.1.311.20
szOID_AUTO_ENROLL_CTL_USAGE 1.3.6.1.4.1.311.20.1
Extension contains certificate type
szOID_ENROLL_CERTTYPE_EXTENSION 1.3.6.1.4.1.311.20.2
szOID_ENROLLMENT_AGENT 1.3.6.1.4.1.311.20.2.1
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
szOID_CERT_MANIFOLD 1.3.6.1.4.1.311.20.3
Microsoft CertSrv Infrastructure................1.3.6.1.4.1.311.21
CertSrv (with associated encoders/decoders)
szOID_CERTSRV_CA_VERSION 1.3.6.1.4.1.311.21.1
Contains the sha1 hash of the previous version of the CA certificate.
szOID_CERTSRV_PREVIOUS_CERT_HASH 1.3.6.1.4.1.311.21.2
Delta CRLs only. Contains the base CRL Number of the corresponding base CRL.
szOID_CRL_VIRTUAL_BASE 1.3.6.1.4.1.311.21.3
Contains the time when the next CRL is expected to be published. This may be sooner than the CRL's NextUpdate field.
szOID_CRL_NEXT_PUBLISH 1.3.6.1.4.1.311.21.4
Enhanced Key Usage for CA encryption certificate
szOID_KP_CA_EXCHANGE 1.3.6.1.4.1.311.21.5
Enhanced Key Usage for key recovery agent certificate
szOID_KP_KEY_RECOVERY_AGENT 1.3.6.1.4.1.311.21.6
Certificate template extension (v2)
szOID_CERTIFICATE_TEMPLATE 1.3.6.1.4.1.311.21.7
The root oid for all enterprise specific oids
szOID_ENTERPRISE_OID_ROOT 1.3.6.1.4.1.311.21.8
Dummy signing Subject RDN
szOID_RDN_DUMMY_SIGNER 1.3.6.1.4.1.311.21.9
Application Policies extension -- same encoding as szOID_CERT_POLICIES
szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10
Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
szOID_APPLICATION_POLICY_MAPPINGS 1.3.6.1.4.1.311.21.11
Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
szOID_APPLICATION_POLICY_CONSTRAINTS 1.3.6.1.4.1.311.21.12
szOID_ARCHIVED_KEY_ATTR 1.3.6.1.4.1.311.21.13
szOID_CRL_SELF_CDP 1.3.6.1.4.1.311.21.14
Requires all certificates below the root to have a non-empty intersecting issuance certificate policy usage.
szOID_REQUIRE_CERT_CHAIN_POLICY 1.3.6.1.4.1.311.21.15
szOID_ARCHIVED_KEY_CERT_HASH 1.3.6.1.4.1.311.21.16
szOID_ISSUED_CERT_HASH 1.3.6.1.4.1.311.21.17
Enhanced key usage for DS email replication
szOID_DS_EMAIL_REPLICATION 1.3.6.1.4.1.311.21.19
szOID_REQUEST_CLIENT_INFO 1.3.6.1.4.1.311.21.20
szOID_ENCRYPTED_KEY_HASH 1.3.6.1.4.1.311.21.21
szOID_CERTSRV_CROSSCA_VERSION 1.3.6.1.4.1.311.21.22
Microsoft Directory Service.....................1.3.6.1.4.1.311.25
szOID_NTDS_REPLICATION 1.3.6.1.4.1.311.25.1
IIS.............................................1.3.6.1.4.1.311.30
szOID_IIS_VIRTUAL_SERVER 1.3.6.1.4.1.311.30.1
Windows updates and service packs...............1.3.6.1.4.1.311.31
szOID_PRODUCT_UPDATE 1.3.6.1.4.1.311.31.1
Fonts...........................................1.3.6.1.4.1.311.40
Microsoft Licensing and Registration............1.3.6.1.4.1.311.41
Microsoft Corporate PKI (ITG)...................1.3.6.1.4.1.311.42
Microsoft WWOps BizExt..........................1.3.6.1.4.1.311.43
Microsoft Peer Networking.......................1.3.6.1.4.1.311.44
Subtrees for general use including pnrp, IM, and grouping
szOID_PEERNET_GENERAL
szOID_PEERNET_PNRP 1.3.6.1.4.1.311.44.1
szOID_PEERNET_IDENTITY 1.3.6.1.4.1.311.44.2
szOID_PEERNET_GROUPING 1.3.6.1.4.1.311.44.3
Property that contains the type of the certificate (GMC, GRC, etc.)
szOID_PEERNET_CERT_TYPE 1.3.6.1.4.1.311.44.0.1
Type of the value in the 'other' name: peer name
szOID_PEERNET_PEERNAME 1.3.6.1.4.1.311.44.0.2
Type : classifier
szOID_PEERNET_CLASSIFIER 1.3.6.1.4.1.311.44.0.3
Property containing the version of the certificate
szOID_PEERNET_CERT_VERSION 1.3.6.1.4.1.311.44.0.4
PNRP specific properties
szOID_PEERNET_PNRP_ADDRESS 1.3.6.1.4.1.311.44.1.1
szOID_PEERNET_PNRP_FLAGS 1.3.6.1.4.1.311.44.1.2
szOID_PEERNET_PNRP_PAYLOAD 1.3.6.1.4.1.311.44.1.3
szOID_PEERNET_PNRP_ID 1.3.6.1.4.1.311.44.1.4
Identity flags, placeholder
szOID_PEERNET_IDENTITY_FLAGS 1.3.6.1.4.1.311.44.2.2
Peer name of the group
szOID_PEERNET_GROUPING_PEERNAME 1.3.6.1.4.1.311.44.3.1
Group flags: placeholder
szOID_PEERNET_GROUPING_FLAGS 1.3.6.1.4.1.311.44.3.2
List of roles in the GMC
szOID_PEERNET_GROUPING_ROLES 1.3.6.1.4.1.311.44.3.3
List of classifiers in the GMC
szOID_PEERNET_GROUPING_CLASSIFIERS 1.3.6.1.4.1.311.44.3.5
Mobile Devices Code Signing.....................1.3.6.1.4.1.311.45
CAPICOM.........................................1.3.6.1.4.1.311.88
Reserved for CAPICOM.
szOID_CAPICOM 1.3.6.1.4.1.311.88
CAPICOM version
szOID_CAPICOM_VERSION 1.3.6.1.4.1.311.88.1
CAPICOM attribute
szOID_CAPICOM_ATTRIBUTE 1.3.6.1.4.1.311.88.2
Document type attribute
szOID_CAPICOM_DOCUMENT_NAME 1.3.6.1.4.1.311.88.2.1
Document description attribute
szOID_CAPICOM_DOCUMENT_DESCRIPTION 1.3.6.1.4.1.311.88.2.2
CAPICOM encrypted data message.
szOID_CAPICOM_ENCRYPTED_DATA 1.3.6.1.4.1.311.88.3
CAPICOM content of encrypted data.
szOID_CAPICOM_ENCRYPTED_CONTENT 1.3.6.1.4.1.311.88.3.1

Related

GPG Key generation failed: End of file

I'm trying to generate a GPG key following this tutorial: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key but I'm getting the following End of file error:
% gpg --full-generate-key
gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: name
Email address: email
Comment: comment
You selected this USER-ID:
"name (comment) <email>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: End of file
Key generation failed: End of file
Versions:
gpg (GnuPG) 2.3.6
libgcrypt 1.10.1
Do you know how I can solve this End of file issue?
Thank you in advance!
Are you using MacOS? I've had the same problem with the currently latest GnuPG OSX version (2.3.6), which didn't work for me either. Try using the LTS version (2.2.35). It worked fine for me.
Link: https://sourceforge.net/p/gpgosx/docu/Download/

pkcs#11 CKR_DEVICE_REMOVED error logging in to HSM

I have the SmartCard HSM USB device plugged into my laptop. I can see it when I run a command through an application using the PKCS#11 API:
Slot 0
Slot info:
Description: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511725602
Manufacturer ID: Identiv
Hardware version: 2.2
Firmware version: 0.0
Token present: yes
Token info:
Manufacturer ID: www.CardContact.de
Model: PKCS#15 emulated
Hardware version: 24.13
Firmware version: 2.5
Serial number: DECC0300697
Initialized: yes
User PIN init.: yes
Label: UserPIN (SmartCard-HSM)
It's been initialized with an SO-PIN and a USER-PIN.
When I try to log in to the HSM using C_Login, I get a CKR_DEVICE_REMOVED error back. The USB HSM is still plugged in. I have googled the error but nothing fruitful came up.
login_token -LOGIN user -SLOT 0 -UPIN user-pin
EROR: rv=0x00000032: Could not log in on the token.
How can I log in to the HSM?
The following text is the description of the CKR_DEVICE_REMOVED error from the PKCS#11 v2.20 specification:
CKR_DEVICE_REMOVED: The token was removed from its slot during the
execution of the function.
If you did not attach/detach a new reader and did not insert/remove the smartcard once the PKCS#11 library was loaded, then I don't see any obvious reason why you are receiving this error.
However, you are using the PKCS#11 library provided by the OpenSC project, so you can enable its debugging via an environment variable or a configuration file. You may be able to find the cause of the error by exploring the debug output yourself. If not, then your best bet is to open a new OpenSC issue and discuss your problem with OpenSC project members.

How to resolve error Salt must be 8 bytes long

I am writing a program to sign a PDF using a certificate (pfx file). For a few of the certificates I am getting the exception below.
java.security.InvalidAlgorithmParameterException: Salt must be at least 8 bytes long
This happens when I execute the code below.
KeyStore ks = KeyStore.getInstance("pkcs12");
I am getting the exception in the Java file below at line number 123.
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/crypto/provider/HmacPKCS12PBESHA1.java?av=h
Your keystore has one or more certificate(s) with a salt length of less than 8. The crypto program requires at least 8 bytes.
I would recommend creating a new keystore with just the one certificate that you need and try signing with that.
I resolved the exception using pkcs12-DEF keystore. I have added my code lines below.
BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
KeyStore ks = KeyStore.getInstance("pkcs12-DEF");
Earlier I had not added BouncyCastleProvider to Security, because of which I was not able to get an instance of the pkcs12-DEF keystore.
Apart from this I have also downloaded the jar files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html and replaced the jar files present in Java\Jdk1.7\jre\lib\security with them. These are the JCE 7 Unlimited Strength policy files.

using keytab file with spring security kerberos extension

My goal: implement SSO on a java-based web application.
My problem: I'm not a security guy...
After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).
I used the samples in the following project:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok.
First, this is the last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser MyUser#MYDOMAIN.COM /princ HTTP/MyUser#MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/MyUser#MYDOMAIN.COM MYDOMAIN.COM\MyUser
I tested the SPN with the following:
setspn -Q HTTP/MyUser#MYDOMAIN.COM
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/MyUser#MYDOMAIN.COM
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit MyUser#MYDOMAIN.COM
I got a successful result ("new ticket is stored in cache file....").
Now I wanted to test it with my keytab:
kinit MyUser#MYDOMAIN.COM -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
Use Kerberos DES encryption types for this account
The account supports Kerberos AES 128 bit encryption
The account supports Kerberos AES 256 bit encryption
I'm not sure if setting these options caused it, but now when I run
kinit MyUser#MYDOMAIN.COM
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error).
If anyone can guide me through here it would be much appreciated.
Thanks,
Lior
Turned out to be a stupid mistake.
I injected in spring the user account instead of the principal name as the servicePrincipal.

Solr 3.1 Jboss server deployment failed

When I deploy Solr 3.1 to Jboss application server (version 6.0 final) I got the following exception message:
Failed to create Resource solr.war - cause: java.lang.Exception:Failed to start deployment [vfs:///D:/jboss-6.0.0.Final/server/default/deploy/solr.war] during deployment of 'solr.war' - cause: java.lang.RuntimeException:org.jboss.deployers.client.spi.IncompleteDeploymentException: Summary of incomplete deployments (SEE PREVIOUS ERRORS FOR DETAILS): * DEPLOYMENTS IN ERROR: Name -> Error vfs:///D:/jboss-6.0.0.Final/server/default/deploy/solr.war -> org.jboss.deployers.spi.DeploymentException: Error creating managed object for vfs:///D:/jboss-6.0.0.Final/server/default/deploy/solr.war DEPLOYMENTS IN ERROR: Deployment "vfs:///D:/jboss-6.0.0.Final/server/default/deploy/solr.war" is in error due to the following reason(s): org.xml.sax.SAXException: Element type "tlibversion" must be declared. # vfs:///D:/jboss-6.0.0.Final/server/default/deploy/solr.war/WEB-INF/lib/velocity-tools-2.0-beta3.jar/META-INF/velocity-view.tld[22,16] ->
I wonder why this error occurred.
I tried to deploy both Solr version 1.4 and 4.0 to the same server and no error was found.
(My deploy method: Use JBoss AS 6 Admin Console and Add "solr.war" as a new resource for standalone web application)
Thank you for your attention; any help is appreciated.
Me again :) ... good news, I fixed it. I just edited this file: solr.war\WEB-INF\lib\velocity-tools-2.0-beta3.jar\META-INF\velocity-view.tld
to this (copy and paste it as is):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN" "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<taglib>
<tlib-version>1.0</tlib-version>
<jsp-version>1.2</jsp-version>
<short-name>velocity</short-name>
<uri>http://velocity.apache.org/velocity-view</uri>
<display-name>VelocityView Tag</display-name>
<description><![CDATA[Support for using Velocity and VelocityTools within JSP files and tags.
This makes it trivial to render VTL (Velocity Template Language)
or process a Velocity template from within JSP using the current
context. This also provides the typical VelocityView support
for accessing and configuring both custom and provided
VelocityTools.]]></description>
<tag>
<name>view</name>
<tag-class>org.apache.velocity.tools.view.jsp.VelocityViewTag</tag-class>
<body-content>tagdependent</body-content>
<attribute>
<name>id</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<description><![CDATA[A id unique to this usage of the VelocityViewTag. This id is used to uniquely identify this tag in log messages and hopefully at some point serve as a key under which any body for this tag may be cached as an already-parsed template for improved performance. If no id is specified, then a unique is automatically generated, though that will understandably be less useful in log messages.]]></description>
</attribute>
<attribute>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<description><![CDATA[A variable name whose value should be set to the rendered result of this tag.]]></description>
</attribute>
<attribute>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<description><![CDATA[This property is meaningless unless a 'var' attribute is also set. When it is, this determines the scope into which the resulting variable is set.]]></description>
</attribute>
<attribute>
<name>template</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<description><![CDATA[The name of a template to be requested from the configured Velocity resource loaders and rendered into the page (or variable if the 'var' attribute is set) using the current context. If this tag also has body content, then the body will be rendered first and placed into the context used to render the template as '$bodyContent'; this approximates the "two-pass render" used by the VelocityLayoutServlet.]]></description>
</attribute>
<attribute>
<name>bodyContentKey</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<description><![CDATA[This property is meaningless unless a 'template' attribute is set and the tag has body content in it. When it is, this changes the key under which the rendered result of the body content is placed into the context for use by the specified template. The default value is "bodyContent" and should be sufficient for nearly all users.]]></description>
</attribute>
</tag>
</taglib>