
A.2. Note on Object Identifiers

An object identifier (OID) is a string of numbers identifying a unique object, such as a certificate extension or a company's certificate practice statement. The Certificate System comes with a set of extension-specific profile plug-in modules which enable X.509 certificate extensions to be added to the certificates the server issues. Some of the extensions contain fields for specifying OIDs.
The PKIX standard recommends that all objects, such as extensions and profile statements, that are used in certificates be included in the form of an OID. This promotes interoperability between organizations on a shared network. If certificates will be issued that will be used on shared networks, register the OID prefixes with the appropriate registration authority.
OIDs are controlled by the International Standards Organization (ISO) registration authority. In some cases, this authority is delegated by ISO to regional registration authorities. In the United States, the American National Standards Institute (ANSI) manages this registration.
Using an OID registered to another organization or failing to register an OID may carry legal consequences, depending on the situation. Registration may be subject to fees. For more information, contact the appropriate registration authority.
To define or assign OIDs for custom objects, you must know the company's arc, which is an OID for a private enterprise. If the company does not have an arc, it needs to get one. The following site has more information on registering and using OIDs:
http://www.alvestrand.no/objectid/
For example, this site contains information on the Netscape-defined OID for an extension named Netscape Certificate Comment. The OID assigned to this extension is hierarchical and includes the former Netscape company arc, 2.16.840.1.
http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html
If an OID extension exists in a certificate and is marked critical, the application validating the certificate must be able to interpret the extension, including any optional qualifiers, or it must reject the certificate. Since it is unlikely that all applications will be able to interpret a company's custom extensions embedded in the form of OIDs, the PKIX standard recommends that such extensions always be marked noncritical.
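The critical-extension rule above, as an added example that is not part of the original documentation or of Certificate System: a minimal DER parser for X.509 Extension entries that lists the extensions a validator would have to reject on. KNOWN_OIDS, the function names and the sample bytes are assumptions constructed for illustration, and recognizing the OID stands in here for fully interpreting the extension.

```python
# Added example: parse DER Extension entries and apply the critical-extension rule.
KNOWN_OIDS = {"2.5.29.15", "2.5.29.19"}  # assumed validator support: keyUsage, basicConstraints

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first byte packs the two leading arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(der):
    """Parse Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    seq_tag, body, _ = read_tlv(der, 0)
    oid_tag, oid_body, pos = read_tlv(body, 0)
    if (seq_tag, oid_tag) != (0x30, 0x06):
        raise ValueError("expected SEQUENCE starting with OBJECT IDENTIFIER")
    tag, value, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # BOOLEAN present; when absent the extension is noncritical
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, value

def unhandled_critical(extensions, known=KNOWN_OIDS):
    """Return OIDs that force rejection: marked critical and not understood."""
    return [oid for oid, critical, _ in map(parse_extension, extensions)
            if critical and oid not in known]

# Constructed samples: Netscape Certificate Comment (noncritical, then critical)
# and a critical basicConstraints extension.
COMMENT_NONCRIT = bytes.fromhex("301306096086480186f842010d0406160474657374")
COMMENT_CRIT = bytes.fromhex("301606096086480186f842010d0101ff0406160474657374")
BASIC_CONSTRAINTS_CRIT = bytes.fromhex("300f0603551d130101ff040530030101ff")
```

A certificate is acceptable under this rule only when `unhandled_critical` returns an empty list for its extensions.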