diff --git a/cmd/ceremony/cert.go b/cmd/ceremony/cert.go
index 7f3893593e2..0fcf6ce1f27 100644
--- a/cmd/ceremony/cert.go
+++ b/cmd/ceremony/cert.go
@@ -318,11 +318,17 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 }
 for _, policyConfig := range profile.Policies {
- oid, err := parseOID(policyConfig.OID)
+ asnOID, err := parseOID(policyConfig.OID)
 if err != nil {
 return nil, err
 }
- cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, oid)
+ cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
+
+ x509OID, err := x509.ParseOID(policyConfig.OID)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)
+ }
+ cert.Policies = append(cert.Policies, x509OID)
 }
 return cert, nil
diff --git a/cmd/ceremony/cert_test.go b/cmd/ceremony/cert_test.go
index 95a2b33755f..688c683812e 100644
--- a/cmd/ceremony/cert_test.go
+++ b/cmd/ceremony/cert_test.go
@@ -127,6 +127,7 @@ func TestMakeTemplateRoot(t *testing.T) {
 test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
 test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
+ test.AssertEquals(t, len(cert.Policies), 2)
 test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 cert, err = makeTemplate(randReader, profile, pubKey, nil, intermediateCert)
diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go
index 137b05767e2..e190ec626a8 100644
--- a/cmd/cert-checker/main_test.go
+++ b/cmd/cert-checker/main_test.go
@@ -18,7 +18,6 @@ import (
 mrand "math/rand/v2"
 "os"
 "slices"
- "sort"
 "strings"
 "sync"
 "testing"
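Review bot: The loop now parses `policyConfig.OID` twice with two different parsers, the project-local `parseOID` and the stdlib `x509.ParseOID`, and nothing checks that they agreed, so a string the two parsers interpret differently would leave `cert.PolicyIdentifiers` and `cert.Policies` carrying different OIDs. Only one of those two fields is written into the signed certificate (which one appears to depend on the Go version and the `x509usepolicies` GODEBUG setting, worth confirming), and for a root or intermediate ceremony a policy OID that silently differs from the reviewed config is exactly the kind of drift the tool should refuse. After the `x509.ParseOID` error check I would add `if !x509OID.EqualASN1OID(asnOID) { return nil, fmt.Errorf("policy OID %s parsed inconsistently", policyConfig.OID) }`. `makeTemplate` starts before this hunk.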
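Review bot: The new assertion only checks that `cert.Policies` has two entries, not that they are the same OIDs as `cert.PolicyIdentifiers`, so a template that put a wrong OID into one of the two fields would still pass. Since `makeTemplate` fills both fields from the same config string, this test is the natural place to pin that they agree: `for i := range cert.Policies { test.AssertEquals(t, cert.Policies[i].EqualASN1OID(cert.PolicyIdentifiers[i]), true) }`. `TestMakeTemplateRoot` starts before this hunk.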
@@ -585,6 +584,9 @@ func TestIgnoredLint(t *testing.T) {
 checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, blog.NewMock())
 serial := big.NewInt(1337)
+ x509OID, err := x509.OIDFromInts([]uint64{1, 2, 3})
+ test.AssertNotError(t, err, "failed to create x509.OID")
+
 template := &x509.Certificate{
 Subject: pkix.Name{
 CommonName: "CPU's Cool CA",
@@ -597,6 +599,7 @@ func TestIgnoredLint(t *testing.T) {
 PolicyIdentifiers: []asn1.ObjectIdentifier{
 {1, 2, 3},
 },
+ Policies: []x509.OID{x509OID},
 BasicConstraintsValid: true,
 IsCA: true,
 IssuingCertificateURL: []string{"http://aia.example.org"},
@@ -639,12 +642,12 @@ func TestIgnoredLint(t *testing.T) {
 "zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 "zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 }
- sort.Strings(expectedProblems)
+ slices.Sort(expectedProblems)
 // Check the certificate with a nil ignore map. This should return the
 // expected zlint problems.
 _, problems := checker.checkCert(context.Background(), cert, nil)
- sort.Strings(problems)
+ slices.Sort(problems)
 test.AssertDeepEquals(t, problems, expectedProblems)
 // Check the certificate again with an ignore map that excludes the affected
diff --git a/issuance/cert.go b/issuance/cert.go
index 0c97b1b84c5..0884b3eb6bb 100644
--- a/issuance/cert.go
+++ b/issuance/cert.go
@@ -192,6 +192,17 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 return nil
 }
+// Baseline Requirements, Section 7.1.6.1: domain-validated
+var domainValidatedASN1OID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
+var domainValidatedOID = func() x509.OID {
+ x509OID, err := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
+ if err != nil {
+ // This should never happen, as the OID is hardcoded.
+ panic(fmt.Errorf("failed to create OID using ints %v: %s", x509OID, err))
+ }
+ return x509OID
+}()
+
 func (i *Issuer) generateTemplate() *x509.Certificate {
 template := &x509.Certificate{
 SignatureAlgorithm: i.sigAlg,
@@ -199,7 +210,8 @@ func (i *Issuer) generateTemplate() *x509.Certificate {
 IssuingCertificateURL: []string{i.issuerURL},
 BasicConstraintsValid: true,
 // Baseline Requirements, Section 7.1.6.1: domain-validated
- PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+ PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
+ Policies: []x509.OID{domainValidatedOID},
 }
 // TODO(#7294): Use i.crlURLBase and a shard calculation to create a
diff --git a/issuance/cert_test.go b/issuance/cert_test.go
index 80f8c5d4674..d5824a73aeb 100644
--- a/issuance/cert_test.go
+++ b/issuance/cert_test.go
@@ -321,7 +321,8 @@ func TestGenerateTemplate(t *testing.T) {
 IssuingCertificateURL: []string{"http://issuer"},
 OCSPServer: []string{"http://ocsp"},
 CRLDistributionPoints: nil,
- PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+ PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
+ Policies: []x509.OID{domainValidatedOID},
 }
 test.AssertDeepEquals(t, actual, expected)
diff --git a/linter/linter.go b/linter/linter.go
index e9bf33b85a2..249e5ab91f3 100644
--- a/linter/linter.go
+++ b/linter/linter.go
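Review bot: The panic on the `x509.OIDFromInts` error path formats `x509OID`, which is still the zero-value `x509.OID` at that point, so the message would print an empty OID rather than the ints that failed to convert. More importantly, `domainValidatedASN1OID` and `domainValidatedOID` are two hand-typed copies of the same arc with nothing tying them together; since only one of `PolicyIdentifiers`/`Policies` is marshaled into the certificate (which one appears to depend on the Go version and the `x509usepolicies` GODEBUG setting, please confirm), a typo in either copy would change the policy OID in every issued end-entity certificate without any test in this diff noticing. I would build the x509 form from a named ints slice, print that slice in the panic, and have the initializer panic unless `EqualASN1OID` confirms the two constants match, as below.
```go
// Baseline Requirements, Section 7.1.6.1: domain-validated
var domainValidatedASN1OID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
var domainValidatedOID = func() x509.OID {
	ints := []uint64{2, 23, 140, 1, 2, 1}
	x509OID, err := x509.OIDFromInts(ints)
	if err != nil {
		// This should never happen, as the OID is hardcoded.
		panic(fmt.Errorf("failed to create OID using ints %v: %s", ints, err))
	}
	// Both forms must describe the same arc: only one of them is marshaled
	// into the certificate, so a mismatch would silently change the policy.
	if !x509OID.EqualASN1OID(domainValidatedASN1OID) {
		panic(fmt.Errorf("x509.OID %v does not match asn1 OID %v", x509OID, domainValidatedASN1OID))
	}
	return x509OID
}()
```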
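Review bot: The template now sets both `PolicyIdentifiers` and `Policies` to the same OID with no comment saying why the value is duplicated, so the next maintainer has no hint that only one of the two fields is actually marshaled (which one appears to depend on the Go version and the `x509usepolicies` GODEBUG setting, worth confirming) and that the pair therefore has to stay in lockstep. I would extend the existing comment above the two fields: `// Both fields carry the same OID; CreateCertificate marshals only one of them depending on the Go version / x509usepolicies, so keep them in lockstep.` `generateTemplate` continues past this hunk.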
@@ -195,6 +195,7 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 PermittedIPRanges: realIssuer.PermittedIPRanges,
 PermittedURIDomains: realIssuer.PermittedURIDomains,
 PolicyIdentifiers: realIssuer.PolicyIdentifiers,
+ Policies: realIssuer.Policies,
 SerialNumber: realIssuer.SerialNumber,
 Subject: realIssuer.Subject,
 SubjectKeyId: realIssuer.SubjectKeyId,