intune

Entrust PKIaaS provides the following Intune certificate profiles.

These profiles support the following features.

Use cases

All Intune profiles support the following use cases.

See below the Key Usage and Extended Key Usage (EKU) extension values supported by each Intune profile.

Profile	Key Usage	Extended key usage	Allows Extended Key Usage in request
`intune-digital-signature`	Digital Signature	—	Yes
`intune-digital-signature-key-encipherment`	Digital Signature, Key Encipherment	—	Yes
`intune-digital-signature-key-encipherment-clientauth`	Digital Signature, Key Encipherment	TLS client authentication (with OID `1.3.6.1.5.5.7.3.2`)	No
`intune-emailprotection-clientauth`	Digital Signature, Key Encipherment	E-mail Protection (with OID `1.3.6.1.5.5.7.3.4`), TLS client authentication (with OID `1.3.6.1.5.5.7.3.2`)	No
`intune-key-encipherment`	Key Encipherment	—	No
`intune-non-repudiation`	Digital Signature, Non Repudiation	—	No

Intune profiles support the following non-critical extensions in request.

Extension name	Extension OID	Support
Application Policies	`1.3.6.1.4.1.311.21.10`	All Intune profiles
Certificate Policies	`2.5.29.32`	All Intune profiles
ExtendedKeyUsage	`2.5.29.37`	All Intune profiles except for `intune-digital-signature-key-encipherment-clientauth` & `intune-emailprotection-clientauth`
MSTemplateName	`1.3.6.1.4.1.311.20.2`	All Intune profiles
MSTemplateOID	`1.3.6.1.4.1.311.21.7`	All Intune profiles
Smime Capabilities	`1.2.840.113549.1.9.15`	All Intune profiles
`szOID_NTDS_CA_SECURITY_EXT`	`1.3.6.1.4.1.311.25.2`	All Intune profiles

All Intune profiles set the following certificate extensions.

Field	Value
Issuer	Customer’s subordinate issuing CA.
Subject	No constraint.
Validity period	Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

All Intune profiles set the following certificate extensions.

Extension	Critical	Value
AIA	No	Supplied if the customer enables OCSP when creating the CA
Authority Key Identifier	No	Matches the `subjectKeyIdentifier` of the signing certificate
Basic Constraints	Yes	`cA=True, pathLenConstraint=1`
CRL Distribution Points	No	Always present
Key Usage	Yes	Certificate Signing, CRL Signing, Digital Signature
Subject Alternative Name	No	No constraints
Subject Key Identifier	No	«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias	OID
`CN`, `CommonName`	`2.5.4.3`
`SN`, `SurName`	`2.5.4.4`
`SERIALNUMBER`, `DeviceSerialNumber`	`2.5.4.5`
`C`, `Country`	`2.5.4.6`
`L`, `Locality`	`2.5.4.7`
`ST`, `S`, `State`	`2.5.4.8`
`STREET`, `StreetAddress`	`2.5.4.9`
`O`, `Org`, `Organization`	`2.5.4.10`
`OU`, `OrganizationalUnit`, `OrganizationUnit`, `OrgUnit`	`2.5.4.11`
`T`, `Title`	`2.5.4.12`
`BUSINESSCATEGORY`	`2.5.4.15`
`POSTALCODE`	`2.5.4.17`
`givenName`, `G`	`2.5.4.42`
`I`, `Initials`	`2.5.4.43`
`ORGANIZATIONIDENTIFIER`	`2.5.4.97`
`UID`	`0.9.2342.19200300.100.1.1`
`DC`, `DomainComponent`	`0.9.2342.19200300.100.1.25`
`Email`, `E`	`1.2.840.113549.1.9.1`
`unstructuredName`	`1.2.840.113549.1.9.2`
`unstructuredAddress`	`1.2.840.113549.1.9.8`
`JurisdictionOfIncorporationLocalityName`	`1.3.6.1.4.1.311.60.2.1.1`
`JurisdictionOfIncorporationStateOrProvinceName`	`1.3.6.1.4.1.311.60.2.1.2`
`JurisdictionOfIncorporationCountryName`	`1.3.6.1.4.1.311.60.2.1.3`
`TrademarkOfficeName`	`1.3.6.1.4.1.53087.1.2`
`TrademarkCountryOrRegionName`	`1.3.6.1.4.1.53087.1.3`
`TrademarkRegistration`	`1.3.6.1.4.1.53087.1.4`
`LegalEntityIdentifier`	`1.3.6.1.4.1.53087.1.5`
`WordMark`	`1.3.6.1.4.1.53087.1.6`
`MarkType`	`1.3.6.1.4.1.53087.1.13`
`StatuteCountryName`	`1.3.6.1.4.1.53087.3.2`
`StatuteStateOrProvinceName`	`1.3.6.1.4.1.53087.3.3`
`StatuteLocalityName`	`1.3.6.1.4.1.53087.3.4`
`StatuteCitation`	`1.3.6.1.4.1.53087.3.5`
`StatuteURL`	`1.3.6.1.4.1.53087.3.6`