67 is incremental progress toward this goal. It covers the entries / oids we need to be able to stick in the certificate policy extension. Additional work is required to support the extended key usage OIDs but these aren't strictly necessary for the platform identity cert so a new issue would probably be appropriate.
Add the x509 v3 extensions (and whatever else) required to create certs for our platform identity certificates.