2.3.2 Directory Email Replication Certificate
The Directory Email Replication certificate is defined as an X.509 (as specified in [X509]) certificate with specific extensions and values, as described below.
A Directory Email Replication certificate contains X.509v1 fields, as specified in section 2.3.
A Directory Email Replication certificate also contains the following X.509v3 extensions, as specified in [RFC3280] section 4.2.1.
    Authority Key Identifier
    Subject Key Identifier
    Authority Information Access
    Key Usage
        Digital Signature, Key Encipherment = (a0)
    Subject Alternative Name
        The Certificate Subject Alternative Name section MUST contain the GUID of the DC object in the directory and the DNS name. For example:
            Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9
            <Internet host name of the DC>
    CDP (CRL Distribution Point)
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
    Extended Key Usage
        Directory Email Replication OID = 1.3.6.1.4.1.311.21.19
A Directory Email Replication certificate also contains the following X.509v3 extensions specific to Microsoft.
    Microsoft-defined X.509v3 extension for Application Policies
    Microsoft-defined X.509v3 extension for certificate template information.<9>
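The following is an added example, not code from this specification or from any Microsoft component. It encodes the three profile-specific extension values above (Key Usage, Subject Alternative Name, Enhanced/Extended Key Usage) in DER with a small pure-Python encoder, then checks a certificate's extension values against the profile: Key Usage must set Digital Signature and Key Encipherment (value byte a0), the SAN must carry the otherName 1.3.6.1.4.1.311.25.1 with 16 GUID octets plus a dNSName, and the EKU must list Client Authentication, Server Authentication and Directory Email Replication. The 16 GUID octets are the ones in the profile's own example; the host name dc01.example.com and the function names are constructed for the example.

```python
"""Build and check the Directory Email Replication certificate extensions.
Pure-Python DER; added example, not code from the specification."""

# OIDs quoted in the profile text
NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"     # otherName type-id carrying the DC object GUID
DS_EMAIL_REPLICATION_OID = "1.3.6.1.4.1.311.21.19"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
REQUIRED_EKU = {DS_EMAIL_REPLICATION_OID, CLIENT_AUTH_OID, SERVER_AUTH_OID}

KU_DIGITAL_SIGNATURE = 0    # RFC 3280 KeyUsage bit numbers
KU_KEY_ENCIPHERMENT = 2

EXAMPLE_GUID_OCTETS = bytes.fromhex("ac4b2906aad65d4fa99c4cbcb06a65d9")  # from the profile's example
EXAMPLE_DNS_NAME = "dc01.example.com"   # constructed host name, not from the specification

# --- minimal DER helpers ------------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

# --- encoders for the three profile extensions --------------------------------
def encode_key_usage(bits):
    """KeyUsage BIT STRING for bits 0-7; {0, 2} yields 03 02 05 a0 (value byte a0)."""
    value = 0
    for b in bits:
        value |= 0x80 >> b
    return der(0x03, bytes([7 - max(bits), value]))   # first octet = count of unused trailing bits

def encode_san(guid_octets, dns_name):
    """SEQUENCE { otherName [0] { OID, [0] EXPLICIT OCTET STRING guid }, dNSName [2] }"""
    other_name = der(0xA0, encode_oid(NTDS_REPLICATION_OID) + der(0xA0, der(0x04, guid_octets)))
    return der(0x30, other_name + der(0x82, dns_name.encode("ascii")))

def encode_eku(oids):
    return der(0x30, b"".join(encode_oid(o) for o in oids))

# --- checkers -----------------------------------------------------------------
def key_usage_bits(ku_der):
    tag, body, _ = der_read(ku_der)
    assert tag == 0x03, "Key Usage must be a BIT STRING"
    unused, octets = body[0], body[1:]
    value, width = int.from_bytes(octets, "big"), len(octets) * 8
    return {i for i in range(width - unused) if (value >> (width - 1 - i)) & 1}

def san_dc_identity(san_der):
    """Return (guid_octets or None, dns_name or None) found in the SAN."""
    _, body, _ = der_read(san_der)
    guid = dns = None
    for gtag, gval in der_children(body):
        if gtag == 0xA0:                                   # otherName
            parts = der_children(gval)
            if (len(parts) == 2 and parts[0][0] == 0x06 and parts[1][0] == 0xA0
                    and decode_oid(parts[0][1]) == NTDS_REPLICATION_OID):
                inner = der_children(parts[1][1])
                if len(inner) == 1 and inner[0][0] == 0x04 and len(inner[0][1]) == 16:
                    guid = inner[0][1]
        elif gtag == 0x82:                                 # dNSName
            dns = gval.decode("ascii")
    return guid, dns

def eku_oids(eku_der):
    _, body, _ = der_read(eku_der)
    return {decode_oid(v) for t, v in der_children(body) if t == 0x06}

def check_profile(ku_der, san_der, eku_der):
    """List every way the extensions fall short of the profile; [] means conformant."""
    problems = []
    if not {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT} <= key_usage_bits(ku_der):
        problems.append("Key Usage lacks Digital Signature and/or Key Encipherment")
    guid, dns = san_dc_identity(san_der)
    if guid is None:
        problems.append("SAN lacks otherName %s with a 16-octet DC GUID" % NTDS_REPLICATION_OID)
    if dns is None:
        problems.append("SAN lacks dNSName of the DC")
    problems += ["EKU lacks " + oid for oid in sorted(REQUIRED_EKU - eku_oids(eku_der))]
    return problems

def build_example():
    """Constructed extension values that satisfy the profile."""
    return (encode_key_usage([KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT]),
            encode_san(EXAMPLE_GUID_OCTETS, EXAMPLE_DNS_NAME),
            encode_eku([CLIENT_AUTH_OID, SERVER_AUTH_OID, DS_EMAIL_REPLICATION_OID]))

if __name__ == "__main__":
    ku, san, eku = build_example()
    print("Key Usage DER:", ku.hex(), "problems:", check_profile(ku, san, eku))
    print("EKU without DS e-mail replication:",
          check_profile(ku, san, encode_eku([CLIENT_AUTH_OID, SERVER_AUTH_OID])))
```

The checker reads only the three extension values, so in practice they would be pulled out of a parsed certificate by extension OID before being handed to check_profile; the negative case in the script shows that a certificate carrying only the generic Client/Server Authentication EKUs is reported as non-conformant even though everything else matches.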