{"id":27867760,"url":"https://github.com/ralish/certuiexts","last_synced_at":"2026-05-07T23:33:32.044Z","repository":{"id":58991170,"uuid":"528596312","full_name":"ralish/CertUiExts","owner":"ralish","description":"A library which extends Windows cryptography support for displaying additional OIDs and associated certificate extensions","archived":false,"fork":false,"pushed_at":"2025-12-15T07:41:13.000Z","size":184,"stargazers_count":4,"open_issues_count":14,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-12-16T04:13:52.566Z","etag":null,"topics":["certificates","security","windows","x509"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ralish.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-24T21:14:03.000Z","updated_at":"2025-12-15T07:41:16.000Z","dependencies_parsed_at":"2025-01-27T11:38:20.451Z","dependency_job_id":"98ec96b1-02f8-4c6b-b6dd-8495de1cd10f","html_url":"https://github.com/ralish/CertUiExts","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/ralish/CertUiExts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ralish%2FCertUiExts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ralish%2FCertUiExts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ralish%2FCertUiExts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ralish%2FCertUiExts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ralish","download_url":"https://codeload.github.com/ralish/CertUiExts/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ralish%2FCertUiExts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32760101,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-07T02:14:30.463Z","status":"ssl_error","status_checked_at":"2026-05-07T02:14:29.405Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","security","windows","x509"],"created_at":"2025-05-04T22:53:27.894Z","updated_at":"2026-05-07T23:33:32.038Z","avatar_url":"https://github.com/ralish.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"CertUiExts\n==========\n\n![GitHub Release](https://img.shields.io/github/v/release/ralish/CertUiExts?include_prereleases)\n[![azure devops](https://dev.azure.com/nexiom/CertUiExts/_apis/build/status/CertUiExts)](https://dev.azure.com/nexiom/CertUiExts/_build/latest?definitionId=1)\n[![license](https://img.shields.io/github/license/ralish/QueryHardwareSecurity)](https://choosealicense.com/licenses/mit/)\n\nA library which extends Windows cryptography support for displaying additional OIDs and associated certificate extensions.\n\n- [Requirements](#requirements)\n- [Setup](#setup)\n  - [Installing](#installing)\n  - [Uninstalling](#uninstalling)\n- [Usage](#usage)\n- [Object identifiers (OIDs)](#object-identifiers-oids)\n  - [Adobe](#adobe)\n  - [CA/Browser Forum](#cabrowser-forum)\n  - [DigiCert](#digicert)\n  - [Entrust](#entrust)\n  - [Microsoft](#microsoft)\n  - [Netscape](#netscape)\n  - [Sectigo](#sectigo)\n  - [Verisign](#verisign)\n- [Security](#security)\n  - [Build security](#build-security)\n  - [Windows integration](#windows-integration)\n- [License](#license)\n\nRequirements\n------------\n\n- Windows Vista or Server 2008 (or later)\n- Universal C Runtime (UCRT)  \n  *Built-in since Windows 10 and Server 2016*\n\nSetup\n-----\n\n### Installing\n\n1. Download the [latest release](https://github.com/ralish/CertUiExts/releases) which matches your Windows architecture (x86, x64, or ARM64)\n2. Unpack the archive to a location which is read-only for non-Administrators (e.g. `C:\\Program Files\\CertUiExts`)\n3. From an elevated command-line run the registration utility to install: `CertUiExtsReg.exe /i`\n\n### Uninstalling\n\n1. From an elevated command-line run the registration utility to uninstall: `CertUiExtsReg.exe /u`\n2. Delete the directory in which the files were unpacked (e.g. `C:\\Program Files\\CertUiExts`)\n\nUsage\n-----\n\nThe library registers its supported OIDs with the Windows cryptographic services, allowing applications which use the standard operating system cryptographic APIs to benefit from the custom OID formatting functions without any changes. This capability applies to both GUI and CLI applications.\n\nAn example of the Windows certificate UI displaying Azure AD OIDs:\n\n![Certificate UI](doc/CertUI.png)\n\nThe same certificate displayed using the `Certutil` utility:\n\n```plain\nC:\\\u003eCertutil -dump example.cer\nX509 Certificate:\nVersion: 3\n...\nCertificate Extensions: 7\n    2.5.29.19: Flags = 1(Critical), Length = 2\n    Basic Constraints\n        Subject Type=End Entity\n        Path Length Constraint=None\n\n    2.5.29.37: Flags = 1(Critical), Length = c\n    Enhanced Key Usage\n        Client Authentication (1.3.6.1.5.5.7.3.2)\n\n    1.2.840.113556.1.5.284.2: Flags = 0, Length = 13\n    Azure AD: Device ID\n        \u003csnip\u003e\n\n    1.2.840.113556.1.5.284.3: Flags = 0, Length = 13\n    Azure AD: User ID\n        \u003csnip\u003e\n\n    1.2.840.113556.1.5.284.5: Flags = 0, Length = 13\n    Azure AD: Tenant ID\n        \u003csnip\u003e\n\n    1.2.840.113556.1.5.284.8: Flags = 0, Length = 5\n    Azure AD: Tenant Region\n        Oceania (OC)\n\n    1.2.840.113556.1.5.284.7: Flags = 0, Length = 4\n    Azure AD: Join Type\n        Joined (1)\n...\nCertUtil: -dump command completed successfully.\n```\n\nObject identifiers (OIDs)\n-------------------------\n\n### Adobe\n\n| OID                    | Type | Description               |\n| ---------------------- | ---- | ------------------------- |\n| `1.2.840.113583.1.1.5` | EKU  | Authentic Documents Trust |\n\n### CA/Browser Forum\n\n| OID                | Type               | Description                                              |\n| ------------------ | ------------------ | -------------------------------------------------------- |\n| `2.23.140.1.1`     | Certificate Policy | Extended Validation (EV) TLS Certificate                 |\n| `2.23.140.1.2.1`   | Certificate Policy | Domain Validated (DV) TLS Certificate                    |\n| `2.23.140.1.2.2`   | Certificate Policy | Organization Validated (OV) TLS Certificate              |\n| `2.23.140.1.2.3`   | Certificate Policy | Individual Validated (IV) TLS Certificate                |\n| `2.23.140.1.3`     | Certificate Policy | Extended Validation (EV) Code Signing Certificate        |\n| `2.23.140.1.4.1`   | Certificate Policy | Code Signing Certificate                                 |\n| `2.23.140.1.4.2`   | Certificate Policy | Timestamping Certificate                                 |\n| `2.23.140.1.5.1.1` | Certificate Policy | Mailbox Validated S/MIME Certificate (Legacy)            |\n| `2.23.140.1.5.1.2` | Certificate Policy | Mailbox Validated S/MIME Certificate (Multipurpose)      |\n| `2.23.140.1.5.1.3` | Certificate Policy | Mailbox Validated S/MIME Certificate (Strict)            |\n| `2.23.140.1.5.2.1` | Certificate Policy | Organization Validated S/MIME Certificate (Legacy)       |\n| `2.23.140.1.5.2.2` | Certificate Policy | Organization Validated S/MIME Certificate (Multipurpose) |\n| `2.23.140.1.5.2.3` | Certificate Policy | Organization Validated S/MIME Certificate (Strict)       |\n| `2.23.140.1.5.3.1` | Certificate Policy | Sponsor Validated S/MIME Certificate (Legacy)            |\n| `2.23.140.1.5.3.2` | Certificate Policy | Sponsor Validated S/MIME Certificate (Multipurpose)      |\n| `2.23.140.1.5.3.3` | Certificate Policy | Sponsor Validated S/MIME Certificate (Strict)            |\n| `2.23.140.1.5.4.1` | Certificate Policy | Individual Validated S/MIME Certificate (Legacy)         |\n| `2.23.140.1.5.4.2` | Certificate Policy | Individual Validated S/MIME Certificate (Multipurpose)   |\n| `2.23.140.1.5.4.3` | Certificate Policy | Individual Validated S/MIME Certificate (Strict)         |\n\n### DigiCert\n\n| OID                       | Type               | Description                                       |\n| ------------------------- | ------------------ | ------------------------------------------------- |\n| `2.16.840.1.114412.1.1`   | Certificate Policy | Organization Validated (OV) TLS Certificate       |\n| `2.16.840.1.114412.1.2`   | Certificate Policy | Domain Validated (DV) TLS Certificate             |\n| `2.16.840.1.114412.2.1`   | Certificate Policy | Extended Validation (EV) TLS Certificate          |\n| `2.16.840.1.114412.3.1.1` | Certificate Policy | Code Signing Certificate                          |\n| `2.16.840.1.114412.3.2`   | Certificate Policy | Extended Validation (EV) Code Signing Certificate |\n| `2.16.840.1.114412.3.11`  | Certificate Policy | Windows Kernel Driver Code Signing Certificate    |\n| `2.16.840.1.114412.7.1`   | Certificate Policy | Timestamping Certificate                          |\n\n### Entrust\n\n| OID                          | Type               | Description                                              |\n| ---------------------------- | ------------------ | -------------------------------------------------------- |\n| `2.16.840.1.114027.40.11`    | EKU                | Document Signing                                         |\n| `2.16.840.1.114028.10.1.2`   | Certificate Policy | Extended Validation (EV) SSL or Code Signing Certificate |\n| `2.16.840.1.114028.10.1.3`   | Certificate Policy | Code Signing Certificate                                 |\n| `2.16.840.1.114028.10.1.4.1` | Certificate Policy | Client Certificate (Class 1)                             |\n| `2.16.840.1.114028.10.1.4.2` | Certificate Policy | Client Certificate (Class 2)                             |\n| `2.16.840.1.114028.10.1.5`   | Certificate Policy | SSL Certificate                                          |\n| `2.16.840.1.114028.10.1.6`   | Certificate Policy | Document Signing Certificate                             |\n| `2.16.840.1.114028.10.1.7`   | Certificate Policy | Timestamping Certificate                                 |\n| `2.16.840.1.114028.10.1.11`  | Certificate Policy | Verified Mark Certificate                                |\n| `2.16.840.1.114028.10.3.5`   | Certificate Policy | Timestamping Certificate                                 |\n\n### Microsoft\n\n#### Active Directory\n\n| OID                      | Type      | Description |\n| ------------------------ | --------- | ----------- |\n| `1.3.6.1.4.1.311.25.2`   | Extension | CA Security |\n| `1.3.6.1.4.1.311.25.2.1` | Extension | Object SID  |\n\n#### ASP.NET Core\n\n| OID                      | Type      | Description       |\n| ------------------------ | --------- | ----------------- |\n| `1.3.6.1.4.1.311.84.1.1` | Extension | HTTPS Development |\n\n#### Authenticode\n\n| OID                      | Type      | Description    |\n| ------------------------ | --------- | -------------- |\n| `1.3.6.1.4.1.311.2.1.11` | Attribute | Statement Type |\n| `1.3.6.1.4.1.311.2.1.12` | Attribute | Publisher Info |\n\n#### Certificate Services\n\n| OID                     | Type | Description           |\n| ----------------------- | ---- | --------------------- |\n| `1.3.6.1.4.1.311.21.36` | EKU  | Privacy CA Encryption |\n\n#### Defender for Endpoint\n\n| OID                      | Type      | Description        |\n| ------------------------ | --------- | ------------------ |\n| `1.3.6.1.4.1.311.126.6`  | Extension | Entra ID Tenant ID |\n| `1.3.6.1.4.1.311.126.20` | Extension | Entra ID Device ID |\n\n#### Entra ID\n\n| OID                        | Type      | Description            |\n| -------------------------- | --------- | ---------------------- |\n| `1.2.840.113556.1.5.284.1` | Extension | NTDS-DSA Invocation ID |\n| `1.2.840.113556.1.5.284.2` | Extension | Device ID              |\n| `1.2.840.113556.1.5.284.3` | Extension | User ID                |\n| `1.2.840.113556.1.5.284.4` | Extension | Domain ID              |\n| `1.2.840.113556.1.5.284.5` | Extension | Tenant ID              |\n| `1.2.840.113556.1.5.284.7` | Extension | Join Type              |\n| `1.2.840.113556.1.5.284.8` | Extension | Tenant Region          |\n\n#### Intune\n\n| OID                   | Type      | Description        |\n| --------------------- | --------- | ------------------ |\n| `1.2.840.113556.5.4`  | Extension | Device ID          |\n| `1.2.840.113556.5.6`  | Extension | Account ID         |\n| `1.2.840.113556.5.10` | Extension | User ID            |\n| `1.2.840.113556.5.14` | Extension | Entra ID Tenant ID |\n\n#### Security Catalogues\n\n| OID                      | Type      | Description             |\n| ------------------------ | --------- | ----------------------- |\n| `1.3.6.1.4.1.311.12.1.1` | Attribute | Security Catalogue List |\n| `1.3.6.1.4.1.311.12.1.2` | Attribute | Security Catalogue v1   |\n| `1.3.6.1.4.1.311.12.1.3` | Attribute | Security Catalogue v2   |\n\n#### Timestamping\n\n| OID                     | Type      | Description         |\n| ----------------------- | --------- | ------------------- |\n| `1.3.6.1.4.1.311.3.3.1` | Attribute | Timestamp Signature |\n\n### Netscape\n\n| OID                     | Type | Description                     |\n| ----------------------- | ---- | ------------------------------- |\n| `2.16.840.1.113730.4.1` | EKU  | Server Gated Cryptography (SGC) |\n\n### Sectigo\n\n| OID                          | Type   | Description                                       |\n| ---------------------------- | ------ | ------------------------------------------------- |\n| `1.3.6.1.4.1.6449.1.2.1.1.1` | Policy | S/MIME Certificate (Class 1)                      |\n| `1.3.6.1.4.1.6449.1.2.1.3.1` | Policy | TLS Certificate                                   |\n| `1.3.6.1.4.1.6449.1.2.1.3.2` | Policy | Code Signing Certificate                          |\n| `1.3.6.1.4.1.6449.1.2.1.3.4` | Policy | Organization Validated (OV) TLS Certificate       |\n| `1.3.6.1.4.1.6449.1.2.1.3.5` | Policy | S/MIME Certificate (Class 2)                      |\n| `1.3.6.1.4.1.6449.1.2.1.3.6` | Policy | S/MIME Certificate (Class 3)                      |\n| `1.3.6.1.4.1.6449.1.2.1.3.8` | Policy | Timestamping Certificate                          |\n| `1.3.6.1.4.1.6449.1.2.1.5.1` | Policy | Extended Validation (EV) TLS Certificate          |\n| `1.3.6.1.4.1.6449.1.2.1.6.1` | Policy | Extended Validation (EV) Code Signing Certificate |\n| `1.3.6.1.4.1.6449.1.2.1.6.6` | Policy | Document Signing (local)                          |\n| `1.3.6.1.4.1.6449.1.2.1.6.7` | Policy | Document Signing (remote)                         |\n| `1.3.6.1.4.1.6449.1.2.1.6.8` | Policy | Document Signing (external trusted partner)       |\n| `1.3.6.1.4.1.6449.1.2.2.7`   | Policy | Domain Validated (DV) TLS Certificate             |\n\n### Verisign\n\n| OID                       | Type | Description                     |\n| ------------------------- | ---- | ------------------------------- |\n| `2.16.840.1.113733.1.8.1` | EKU  | Server Gated Cryptography (SGC) |\n\nSecurity\n--------\n\n### Build security\n\nThe extension library and registration utility are built with support for the latest exploit mitigation features.\n\nCompilation features:\n\n- Buffer Security Check (`/GS`)\n- Control Flow Guard (CFG) (`/guard:cf`)\n- EH Continuation (EHCONT) metadata (*ARM64 / x64*) (`/guard:ehcont`)\n\nLinker features:\n\n- Data Execution Prevention (DEP) (`/NXCOMPAT`)\n- Address Space Layout Randomisation (ASLR) (`/DYNAMICBASE`)\n- High-entropy 64-bit ASLR (*ARM64 / x64*) (`/HIGHENTROPYVA`)\n- Control-flow Enforcement Technology (CET) Shadow Stack (*x86 / x64*) (`/CETCOMPAT`)\n- Reproducible (aka. deterministic) builds (`/Brepro`)\n\nMany of these mitigations require operating system support. On older Windows releases they will simply be ignored.\n\nBinaries are built using Azure Pipelines with the build steps located in [azure-pipelines.yml](azure-pipelines.yml).\n\n### Windows integration\n\nThe library uses documented Windows cryptographic interfaces to support displaying additional OIDs and formatting their extension data:\n\n- [CryptEnumOIDInfo](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumoidinfo)\n- [CryptFindOIDInfo](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptfindoidinfo)\n- [CryptFormatObject](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptformatobject)\n\nAll of these functions only take public information in certificates. Private cryptographic material is never passed to the library.\n\nRegistration and deregistration of the OID information and formatting functions is performed via the following documented APIs:\n\n- [CryptRegisterOIDFunction](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptregisteroidfunction)\n- [CryptRegisterOIDInfo](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptregisteroidinfo)\n- [CryptUnregisterOIDFunction](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptunregisteroidfunction)\n- [CryptUnregisterOIDInfo](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptunregisteroidinfo)\n\nLicense\n-------\n\nAll content is licensed under the terms of [The MIT License](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fralish%2Fcertuiexts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fralish%2Fcertuiexts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fralish%2Fcertuiexts/lists"}