Values for the EKU field are defined in a number of different RFCs.
Some examples of extended key usages include:
Another important part of validating a certificate is ensuring that it chains to a trusted root CA.
Key usage can be specified in either the "Key Usage" or "Extended Key Usage" attribute based on the validation requirements of the application.
This validation is what prevents any non-CA certificate from acting as a certification authority and issuing certificates.
By default, an Active Directory Certificate Services (ADCS) enterprise CA will publish its certificate to the Active Directory configuration partition, which is automatically replicated to all domain controllers in the forest.
This provides site awareness and resiliency; however, this location is best suited for internal use only, since it is likely inaccessible to external clients and can reveal information about your forest.
Another example of this is when you receive a digitally signed e-mail; the e-mail signature is only valid if the sender's e-mail address matches the e-mail address listed on the certificate (under RFC822 Name).
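The check described above for a signed e-mail, as an added Go example that is not from the original article: it tests the signer certificate's Key Usage, its Extended Key Usage, and the RFC822 Name entries against the sender address. The certificate values are constructed in memory, the function names are illustrative, and chaining to a trusted root CA is assumed to be validated separately.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// normalize lowercases the domain only; the local part is compared exactly.
func normalize(addr string) string {
	i := strings.LastIndex(addr, "@")
	if i < 0 {
		return addr
	}
	return addr[:i] + "@" + strings.ToLower(addr[i+1:])
}

// CheckSender returns nil only if cert may vouch for signed mail from sender.
func CheckSender(cert *x509.Certificate, sender string) error {
	sign := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	if cert.KeyUsage != 0 && cert.KeyUsage&sign == 0 {
		return errors.New("key usage does not permit signing")
	}
	ekuOK := len(cert.ExtKeyUsage)+len(cert.UnknownExtKeyUsage) == 0 // absent EKU: no restriction
	for _, u := range cert.ExtKeyUsage {
		ekuOK = ekuOK || u == x509.ExtKeyUsageEmailProtection || u == x509.ExtKeyUsageAny
	}
	if !ekuOK {
		return errors.New("EKU does not permit e-mail protection")
	}
	for _, name := range cert.EmailAddresses { // SAN rfc822Name entries
		if normalize(name) == normalize(sender) {
			return nil
		}
	}
	return errors.New("sender does not match any rfc822Name")
}

// sample is constructed data shaped like the output of x509.ParseCertificate.
func sample(eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, EmailAddresses: []string{"alice@example.com"}}
}

func main() {
	c := sample(x509.ExtKeyUsageEmailProtection)
	fmt.Println(CheckSender(c, "alice@EXAMPLE.com"), CheckSender(c, "mallory@example.com"))
}
```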
In the first two versions of the X.509 standard, the only way to assert an identity was to use the "Subject" field of the certificate.