PKIaaS provides the following MDMWS (Mobile Device Management Web Service) certificate profiles .

These profiles support the following features.

MDMWS use cases

All MDMWS profiles support the following use cases.

ECS Enterprise UI	CA Gateway API	Entrust-hosted Enrollment Gateway	On-prem Enrollment Gateway

MDMWS issuance modes and key usages

MDMWS profiles support the following issuance modes:

See below the issuance mode, Key Usage, and Extended Key Usage (EKU) values each Intune profile supports.

Profile	CSR	P12	Key Usage	Extended Key Usage	Allows Extended Key Usage in request
mdmws-digital-signature			Digital Signature	No constraints
mdmws-digital-signature-key-encipherment			Digital Signature, Key Encipherment	No constraints
mdmws-digital-signature-key-encipherment-clientauth			Digital Signature, Key Encipherment	TLS client authentication (1.3.6.1.5.5.7.3.2)
mdmws-key-encipherment			Key Encipherment	No constraints
mdmws-non-repudiation			Digital Signature, Non-Repudiation	No constraints
mdmws-p12-digital-signature			Digital Signature	No constraints
mdmws-p12-digital-signature-key-encipherment			Digital Signature, Key Encipherment	No constraints
mdmws-p12-digital-signature-key-encipherment-clientauth			Digital Signature, Key Encipherment	TLS client authentication (1.3.6.1.5.5.7.3.2)
mdmws-p12-key-encipherment			Key Encipherment	No constraints
mdmws-p12-non-repudiation			Digital Signature, Non-Repudiation	No constraints

All MDMWS profiles support the following non-critical extensions in request.

All MDMWS profiles set the following certificate fields.

Field	Value
Issuer	Customer's subordinate issuing CA.
Subject	No constraint.
Validity period	Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

All MDMWS profiles set the following certificate extension values.

All MDMWS profiles support the following key and signature algorithms.

PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias	OID
'CN' 'CommonName'	2.5.4.3
'SN' 'SurName'	2.5.4.4
'SERIALNUMBER' 'DeviceSerialNumber'	2.5.4.5
'C' 'Country'	2.5.4.6
'L' 'Locality'	2.5.4.7
'ST' 'S' 'State'	2.5.4.8
'STREET' 'StreetAddress'	2.5.4.9
'O' 'Org' 'Organization'	2.5.4.10
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'	2.5.4.11
'T' 'Title'	2.5.4.12
'BUSINESSCATEGORY'	2.5.4.15
'POSTALCODE'	2.5.4.17
'givenName' 'G'	2.5.4.42
'I' 'Initials'	2.5.4.43
'ORGANIZATIONIDENTIFIER'	2.5.4.97
'UID'	0.9.2342.19200300.100.1.1
'DC' 'DomainComponent'	0.9.2342.19200300.100.1.25
'Email' 'E'	1.2.840.113549.1.9.1
'unstructuredName'	1.2.840.113549.1.9.2
'unstructuredAddress'	1.2.840.113549.1.9.8
'JurisdictionOfIncorporationLocalityName'	1.3.6.1.4.1.311.60.2.1.1
'JurisdictionOfIncorporationStateOrProvinceName'	1.3.6.1.4.1.311.60.2.1.2
'JurisdictionOfIncorporationCountryName'	1.3.6.1.4.1.311.60.2.1.3
'TrademarkOfficeName'	1.3.6.1.4.1.53087.1.2
'TrademarkCountryOrRegionName'	1.3.6.1.4.1.53087.1.3
'TrademarkRegistration'	1.3.6.1.4.1.53087.1.4
'LegalEntityIdentifier'	1.3.6.1.4.1.53087.1.5
'WordMark'	1.3.6.1.4.1.53087.1.6
'MarkType'	1.3.6.1.4.1.53087.1.13
'StatuteCountryName'	1.3.6.1.4.1.53087.3.2
'StatuteStateOrProvinceName'	1.3.6.1.4.1.53087.3.3
'StatuteLocalityName'	1.3.6.1.4.1.53087.3.4
'StatuteCitation'	1.3.6.1.4.1.53087.3.5
'StatuteURL'	1.3.6.1.4.1.53087.3.6