Specifying the order of Application Policies (EKU)
Connecting Android devices to an internal wireless service. I know, it should of course handle any order, but it doesn't! If the EKU is Client Authentication followed by Smart Card (as supplied by our 3rd party vendor) it works; swap the EKU and not so much! It seems as if the Microsoft CA will allow you to manipulate the order by adding them in the order you want in the Application Policies Extensions; however, when it actually generates the cert it seems to order them by OID value. Clearly it IS possible to have certs in a different order, but I can't figure out how to make our Microsoft CA produce them...
February 4th, 2012 12:00pm

Here is a stupid question for you. Why are you putting a smart card OID in the EKU for a **SOFTWARE** certificate installed on an Android? Why not just create a certificate with only client authentication for use on the Android devices? You really should not assert an application policy on a device certificate that is not really that device. Android <> smartcard

Brian
February 4th, 2012 12:18pm

Because we're trying to avoid the prospect of creating multiple certs for different uses. Ordinarily these certs would be loaded onto a smart card. I understand that Android <> Smartcard. The question is whether one can control the order of OIDs in a cert, regardless of the reasoning for doing so. Clearly other CAs can do this; can such a thing be done with a Microsoft CA? Or is there no mechanism to control the order?
February 4th, 2012 12:24pm

Is there a way to control the order of Application Policies (EKU) in certificates created from an Enterprise 2008 CA? I have certificates being created based upon a template with two application policies. When I edit the Application Policies Extension it shows as "Client Authentication" followed by "Smart Card Logon"; however, when the certs are produced the first policy is Smart Card Logon followed by Client Authentication. I need them to be the other way round. Most systems are fine with this; however, I'm working with a system that only recognizes the first attribute and cannot create certificates just for use with that one system. We have certificates from a 3rd party vendor with the EKU in the right order that we're trying to replace.
February 4th, 2012 6:07pm

What application are you using that requires the EKU to be in a specific order? I have never run into an application that is unable to correctly parse multiple EKU entries!

Brian
February 4th, 2012 10:18pm

This topic is archived. No further replies will be accepted.
