intune
Entrust PKIaaS provides the following Intune certificate profiles.
- intune-digital-signature
- intune-digital-signature-key-encipherment
- intune-digital-signature-key-encipherment-clientauth
- intune-emailprotection-clientauth
- intune-key-encipherment
- intune-non-repudiation
These profiles support the following features.
Use cases
All Intune profiles support the following use cases.
- CA Gateway API
- PKIaaS
- On-prem enrollment workflow
Key usages
See below the Key Usage and Extended Key Usage (EKU) extension values supported by each Intune profile.
| Profile | Key Usage | Extended key usage | Allows Extended Key Usage in request |
|---|---|---|---|
| intune-digital-signature | Digital Signature | — | Yes |
| intune-digital-signature-key-encipherment | Digital Signature, Key Encipherment | — | Yes |
| intune-digital-signature-key-encipherment-clientauth | Digital Signature, Key Encipherment | TLS client authentication (with OID 1.3.6.1.5.5.7.3.2) |
No |
| intune-emailprotection-clientauth | Digital Signature, Key Encipherment | E-mail Protection (with OID 1.3.6.1.5.5.7.3.4), TLS client authentication (with OID 1.3.6.1.5.5.7.3.2) |
No |
| intune-key-encipherment | Key Encipherment | — | No |
| intune-non-repudiation | Digital Signature, Non Repudiation | — | No |
Certificate request extensions
Intune profiles support the following non-critical extensions in request.
| Extension name | Extension OID | Support |
|---|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 | All Intune profiles |
| Certificate Policies | 2.5.29.32 | All Intune profiles |
| ExtendedKeyUsage | 2.5.29.37 | All Intune profiles except for intune-digital-signature-key-encipherment-clientauth & intune-emailprotection-clientauth |
| MSTemplateName | 1.3.6.1.4.1.311.20.2 | All Intune profiles |
| MSTemplateOID | 1.3.6.1.4.1.311.21.7 | All Intune profiles |
| Smime Capabilities | 1.2.840.113549.1.9.15 | All Intune profiles |
| szOID_NTDS_CA_SECURITY_EXT | 1.3.6.1.4.1.311.25.2 | All Intune profiles |
Certificate fields
All Intune profiles set the following certificate extensions.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint. |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
All Intune profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=True, pathLenConstraint=1 |
| CRL Distribution Points | No | Always present |
| Key Usage | Yes | Certificate Signing, CRL Signing, Digital Signature |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
| CN, CommonName | 2.5.4.3 |
| SN, SurName | 2.5.4.4 |
| SERIALNUMBER, DeviceSerialNumber | 2.5.4.5 |
| C, Country | 2.5.4.6 |
| L, Locality | 2.5.4.7 |
| ST, S, State | 2.5.4.8 |
| STREET, StreetAddress | 2.5.4.9 |
| O, Org, Organization | 2.5.4.10 |
| OU, OrganizationalUnit, OrganizationUnit, OrgUnit | 2.5.4.11 |
| T, Title | 2.5.4.12 |
| BUSINESSCATEGORY | 2.5.4.15 |
| POSTALCODE | 2.5.4.17 |
| givenName, G | 2.5.4.42 |
| I, Initials | 2.5.4.43 |
| ORGANIZATIONIDENTIFIER | 2.5.4.97 |
| UID | 0.9.2342.19200300.100.1.1 |
| DC, DomainComponent | 0.9.2342.19200300.100.1.25 |
| Email, E | 1.2.840.113549.1.9.1 |
| unstructuredName | 1.2.840.113549.1.9.2 |
| unstructuredAddress | 1.2.840.113549.1.9.8 |
| JurisdictionOfIncorporationLocalityName | 1.3.6.1.4.1.311.60.2.1.1 |
| JurisdictionOfIncorporationStateOrProvinceName | 1.3.6.1.4.1.311.60.2.1.2 |
| JurisdictionOfIncorporationCountryName | 1.3.6.1.4.1.311.60.2.1.3 |
| TrademarkOfficeName | 1.3.6.1.4.1.53087.1.2 |
| TrademarkCountryOrRegionName | 1.3.6.1.4.1.53087.1.3 |
| TrademarkRegistration | 1.3.6.1.4.1.53087.1.4 |
| LegalEntityIdentifier | 1.3.6.1.4.1.53087.1.5 |
| WordMark | 1.3.6.1.4.1.53087.1.6 |
| MarkType | 1.3.6.1.4.1.53087.1.13 |
| StatuteCountryName | 1.3.6.1.4.1.53087.3.2 |
| StatuteStateOrProvinceName | 1.3.6.1.4.1.53087.3.3 |
| StatuteLocalityName | 1.3.6.1.4.1.53087.3.4 |
| StatuteCitation | 1.3.6.1.4.1.53087.3.5 |
| StatuteURL | 1.3.6.1.4.1.53087.3.6 |