objectGUID for DC certificate


Valid Email

I understand a Domain Controller certificate that is to be used for
replication requires the objectGUID corresponding to the DC.

1) How do I get the objectGUID of the DC? The output from enumprop.exe
differs from what I see when I use ADSI Edit and examine the objectGUID
for the DC's entry.

2) What is the format for getting that objectGUID into the certificate?
It looks like I need to use the otherName structure in the subjectAltName
certificate field. Do I include the hyphens in the string, etc.?

Thanks in advance for any help.
 
Are you asking how to programmatically do the certificate request for a
domain controller certificate?

If so, you may want to post this to the microsoft.public.security.crypto
newsgroup.
--

Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
What exactly are you trying to do? Maybe we can help you solve the
underlying problem rather than your specific questions. Also, any
background would be helpful -- Inter/intra site replication? Do you have a
CA? Is it in the same domain?
 
Not exactly. For various reasons I have my own code and CA and have
been able to issue the DC its own certificate that is usable for
multiple services (SmartCard Logon, SSL, etc.). However, I would
like the DC to use my certificate for AD replication and understand
that for this the DC certificate requires its objectGUID to appear in
the subjectAltName field in the form of an OtherName. However, to do
this I need further information on the format of objectGUID.

Alternatively, if someone has a DC certificate that is used for AD
replication could they post it here (or email me) along with the
output of:

enumprop.exe /ATTR:objectGUID "LDAP://OU=Domain Controllers,.....your.DN...."

from that I should be able to figure out what the format needs to be.

Thanks.
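Added example (editor's note, not code from anyone in this thread): the otherName a domain-controller certificate carries for AD replication uses Microsoft's szOID_NTDS_REPLICATION type-id (1.3.6.1.4.1.311.25.1) and its value is an OCTET STRING holding the 16 raw bytes of the objectGUID attribute, not the hyphenated text. The code below builds that GeneralName, wraps it in a SubjectAltName together with a dNSName, and reads the GUID back, using only the Python standard library. The GUID and hostname are constructed values, and the byte-order helper shows why ADSI Edit's hyphenated display and a raw attribute dump look different: the first three fields of the display form are stored little-endian.

```python
"""DC objectGUID otherName in subjectAltName: DER encode and decode.

Added example for the thread above (not the poster's code). Constructed
sample values only. Uses the Python standard library, so it runs offline.
"""
import uuid

OID_NTDS_REPLICATION = "1.3.6.1.4.1.311.25.1"   # szOID_NTDS_REPLICATION

# Constructed sample values, not from any real directory.
SAMPLE_GUID = "12345678-9abc-def0-1234-56789abcdef0"
SAMPLE_DNS = "dc01.example.test"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Base-128 content octets of an OBJECT IDENTIFIER (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def guid_to_ad_bytes(guid_str: str) -> bytes:
    """The 16 bytes AD stores in objectGUID. The hyphenated display form
    writes the first three fields big-endian; the stored attribute has
    them little-endian, so a raw dump and ADSI Edit look different."""
    return uuid.UUID(guid_str).bytes_le


def encode_objectguid_othername(guid_str: str) -> bytes:
    """GeneralName otherName [0] IMPLICIT OtherName {
         type-id OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.1,
         value   [0] EXPLICIT OCTET STRING (16 raw GUID bytes) }"""
    type_id = _tlv(0x06, encode_oid(OID_NTDS_REPLICATION))
    value = _tlv(0xA0, _tlv(0x04, guid_to_ad_bytes(guid_str)))
    return _tlv(0xA0, type_id + value)


def encode_dnsname(host: str) -> bytes:
    """GeneralName dNSName [2] IMPLICIT IA5String (the DC's FQDN)."""
    return _tlv(0x82, host.encode("ascii"))


def encode_san(*general_names: bytes) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName (the extnValue)."""
    return _tlv(0x30, b"".join(general_names))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_objectguid(san_der: bytes):
    """Return the DC objectGUID (hyphenated string) from the first
    szOID_NTDS_REPLICATION otherName in a SubjectAltName, else None."""
    tag, seq, _ = _read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, gn, pos = _read_tlv(seq, pos)
        if tag != 0xA0:            # not an otherName, skip it
            continue
        t, oid, p = _read_tlv(gn)
        if t != 0x06 or oid != encode_oid(OID_NTDS_REPLICATION):
            continue
        _, explicit, _ = _read_tlv(gn, p)     # [0] EXPLICIT wrapper
        t, octets, _ = _read_tlv(explicit)
        if t == 0x04 and len(octets) == 16:
            return str(uuid.UUID(bytes_le=octets))
    return None


if __name__ == "__main__":
    san = encode_san(encode_dnsname(SAMPLE_DNS),
                     encode_objectguid_othername(SAMPLE_GUID))
    print("objectGUID raw bytes:", guid_to_ad_bytes(SAMPLE_GUID).hex())
    print("SAN extension value :", san.hex())
    print("GUID read back      :", extract_objectguid(san))
```

The hyphens never appear in the certificate; they are purely a display convention. When checking a real DC certificate, the otherName should show up as 1.3.6.1.4.1.311.25.1 with a 16-byte OCTET STRING value, and converting those bytes with the little-endian rule above should reproduce the GUID that ADSI Edit shows for the DC's computer object.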
 