2.3.2 Directory Email Replication Certificate

The Directory Email Replication certificate is defined as an X.509 (as specified in [X509]) certificate with specific extensions and values, as described below.

A Directory Email Replication certificate contains X.509v1 fields, as specified in section 2.3.

A Directory Email Replication certificate also contains the following X.509v3 extensions, as specified in [RFC3280] section 4.2.1.

  • Authority Key Identifier

  • Subject Key Identifier

  • Authority Information Access

  • Key Usage

  • Subject Alternative Name

    The Certificate Subject Alternative Name section MUST contain the GUID of the DC object in the directory and the DNS name. For example:

    • Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9

    • <Internet host name of the DC>

  • CDP (CRL Distribution Point)

  • Enhanced Key Usage

    • Client Authentication (1.3.6.1.5.5.7.3.2)

    • Server Authentication (1.3.6.1.5.5.7.3.1)

  • Extended Key Usage

    • Directory Email Replication OID = 1.3.6.1.4.1.311.21.19
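As an added example that is not part of this specification, the following Python decodes a Subject Alternative Name extension value of the form described above: a DER GeneralNames SEQUENCE holding the otherName with OID 1.3.6.1.4.1.311.25.1 (the DC object GUID as an OCTET STRING) and a dNSName, and checks that both required parts are present. The sample SAN is constructed inline from the GUID bytes in the example; the host name dc01.corp.example, the short-form DER lengths of the sample, and Windows (little-endian mixed) GUID byte order are assumptions.

```python
"""Decode and check the SAN of a Directory Email Replication certificate."""
import uuid

# DER content octets of OID 1.3.6.1.4.1.311.25.1 (otherName type-id for the DC GUID).
NTDS_OID_DER = bytes.fromhex("2b0601040182371901")
# The 16 GUID bytes from the specification example (Other Name value).
GUID_BYTES = bytes.fromhex("ac4b2906aad65d4fa99c4cbcb06a65d9")


def tlv(tag, body):
    """Wrap body in a DER TLV; the constructed sample only needs short-form lengths."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample SAN: SEQUENCE { otherName [0] { OID, [0] OCTET STRING guid }, dNSName [2] }.
SAMPLE_SAN = tlv(0x30,
                 tlv(0xA0, tlv(0x06, NTDS_OID_DER) + tlv(0xA0, tlv(0x04, GUID_BYTES)))
                 + tlv(0x82, b"dc01.corp.example"))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos (short and long lengths)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_san(san_der):
    """Return (dc_guid or None, [dns names]) from a decoded SAN extension value."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    guid, dns, pos = None, [], 0
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag == 0xA0:  # otherName: type-id OID followed by [0] EXPLICIT value
            otag, oid, p = read_tlv(item, 0)
            vtag, val, _ = read_tlv(item, p)
            if otag == 0x06 and oid == NTDS_OID_DER and vtag == 0xA0:
                t, g, _ = read_tlv(val, 0)
                if t != 0x04 or len(g) != 16:
                    raise ValueError("DC GUID must be a 16-byte OCTET STRING")
                guid = uuid.UUID(bytes_le=g)  # assumption: Windows GUID byte order
        elif tag == 0x82:  # dNSName (IA5String, implicitly tagged)
            dns.append(item.decode("ascii"))
    return guid, dns


def check_dc_san(san_der):
    """True only when the SAN carries both the DC object GUID and a DNS name, as required."""
    guid, dns = parse_san(san_der)
    return guid is not None and len(dns) > 0, guid, dns
```

The block works on the decoded extnValue of the SAN extension, not on a whole certificate; feed it the extension value from any X.509 parser.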

A Directory Email Replication certificate also contains the following X.509v3 extensions specific to Microsoft.

  • Microsoft-defined X.509v3 extension for Application Policies

  • Microsoft-defined X.509v3 extension for certificate template information.<9>