2.3.1 Domain Controller Replication Certificate

The Domain Controller Replication certificate is defined as an X.509 (as specified in [X509]) certificate with specific extensions and values, as described below.

A Domain Controller Replication certificate contains X.509v1 fields, as specified in section 2.3.

A Domain Controller Replication certificate also contains the following X.509v3 extensions identified in [RFC3280] section 4.2.1.

  • Authority Key Identifier

  • Subject Key Identifier

  • Authority Information Access

  • Key Usage (Digital Signature, Key Encipherment [a0])

  • Subject Alternative Name

    The Certificate Subject Alternative Name extension MUST contain both the globally unique identifier (GUID), as defined in [MS-DTYP] section 2.3.4, of the DC object in the directory and the Domain Name System (DNS) name of the domain controller. For example:

    • Other Name: 1.3.6.1.4.1.311.25.1 (ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9)

    • <Internet host name of the domain controller>

  • CDP (CRL Distribution Point)

  • Enhanced Key Usage

    • Client Authentication (1.3.6.1.5.5.7.3.2)

    • Server Authentication (1.3.6.1.5.5.7.3.1)
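The Subject Alternative Name requirement above can be checked mechanically. The following stdlib-only Python is an added example, not part of this specification: it encodes a SAN value in the shape described (an otherName carrying the 1.3.6.1.4.1.311.25.1 type-id with the GUID bytes quoted in the text, plus a dNSName GeneralName), then parses it back, recovering the DC object GUID as a UUID string and the DNS names. The host name `dc01.example.com` is a constructed sample, and the GUID byte order follows the [MS-DTYP] section 2.3.4 packet layout (first three fields little-endian), which `uuid.UUID(bytes_le=...)` applies.

```python
import uuid

NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"  # otherName type-id named in the text
NTDS_REPLICATION_OID_DER = bytes.fromhex("06092b0601040182371901")  # same OID, DER-encoded
SAMPLE_GUID = bytes.fromhex("ac4b2906aad65d4fa99c4cbcb06a65d9")  # GUID bytes quoted in the text
SAMPLE_DNS = "dc01.example.com"  # constructed host name, not from the text

def _tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder (enough for a SAN shorter than 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _iter_tlv(data: bytes):
    """Yield (tag, value) for each DER element packed in data; handles long-form lengths."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + ln]
        i += ln

def _decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_sample_san(guid: bytes, dns_name: str) -> bytes:
    """SEQUENCE { otherName [0] { type-id OID, [0] EXPLICIT OCTET STRING }, dNSName [2] }."""
    other_name = _tlv(0xA0, NTDS_REPLICATION_OID_DER + _tlv(0xA0, _tlv(0x04, guid)))
    return _tlv(0x30, other_name + _tlv(0x82, dns_name.encode("ascii")))

def parse_dc_san(san_der: bytes) -> dict:
    """Return the DC object GUID (as a UUID string) and the DNS names in a SAN value."""
    result = {"dc_guid": None, "dns_names": []}
    _, names = next(_iter_tlv(san_der))  # outer SEQUENCE OF GeneralName
    for tag, value in _iter_tlv(names):
        if tag == 0x82:  # dNSName, IA5String
            result["dns_names"].append(value.decode("ascii"))
        elif tag == 0xA0:  # otherName: type-id OID followed by [0] EXPLICIT value
            (_, oid_body), (_, explicit) = list(_iter_tlv(value))
            if _decode_oid(oid_body) == NTDS_REPLICATION_OID:
                _, guid = next(_iter_tlv(explicit))  # OCTET STRING holding the 16-byte GUID
                # MS-DTYP 2.3.4 packet layout: first three GUID fields are little-endian
                result["dc_guid"] = str(uuid.UUID(bytes_le=guid))
    return result
```

A certificate lacking the otherName leaves `dc_guid` as `None`, which is the condition a validator would reject under the MUST above.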

A Domain Controller Replication certificate also contains the following X.509v3 extensions specific to Microsoft.