Certificate Profiles

KU / EKU registry + OID-field bindingsdemo
Click a profile name to open its detail page with KU / EKU checkboxes. Back to landing

Create certificate profile

A certificate profile defines the Key Usage bits, Extended Key Usage OIDs, and any extra extensions that will be embedded in issued certificates.

Key Usage (OID 2.5.29.15)

Extended Key Usage (OID 2.5.29.37)

OID fields from registry

Select OID field definitions that operators fill in at certificate issuance time.

Extra extensions

NameDisplay nameDescriptionKey UsageExtended Key UsageCAIn use
serverTLS ServerServer-auth profile for TLS endpointsdigitalSignature, keyEncipherment, keyAgreementserverAuth-92 / 0
clientTLS ClientClient-auth profiledigitalSignature, keyEncipherment, dataEncipherment, keyAgreementclientAuth-14 / 0
server_clientServer & ClientDual-use TLSdigitalSignature, keyEnciphermentserverAuth, clientAuth-5 / 0
vpnVPN GatewayIPSec / OpenVPN endpointsdigitalSignatureserverAuth, clientAuth-6 / 2
userEnd UserGeneric user certdigitalSignature, keyEnciphermentclientAuth, emailProtection-21 / 0
user_loginUser + Smartcard logonUser cert with Windows smartcard-logon OIDdigitalSignature, keyEnciphermentclientAuth, 1.3.6.1.4.1.311.20.2.2-18 / 1
smartcard_logonSmartcard logon onlyPure smartcard-logon EKUdigitalSignature1.3.6.1.4.1.311.20.2.2-2 / 0
smime_signS/MIME signingMail signingdigitalSignature, nonRepudiationemailProtection-9 / 0
code_signingCode signingBuild / release signingdigitalSignaturecodeSigning-4 / 1
timestampingTime-stamping authorityTSA cert (RFC 3161)digitalSignaturetimeStamping (critical)-1 / 0