Additional OID in subjectaltname?

Hello,

how should I do to get a msADGUID OID 1.3.6.1.4.1.311.25.1 entry in subjectaltname ?
Also would probably need to add a CRL field.

From what I read I could write my own CSR, can I just reuse the one certbot currently uses and add requested fields ?

I'm trying to reproduce Samba AD Smart Card Login - SambaWiki
but using LetsEncrypt instead of local CA...

1 Like

That’s not supported. Let’s Encrypt only issues certificates containing SubjectAlternativeNames for DNS names (and potentially IP addresses in the future).

If SMTP replication is used, the certificate Subject Alternative Name section must also contain the globally unique identifier (GUID) of the domain controller object in the directory. For example:
Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9 DNS

From Requirements for domain controller - Windows Server | Microsoft Learn

That means you won’t be able to use SMTP replication with Let’s Encrypt. If that’s a feature you need, you’ll have to look elsewhere.

7 Likes

If OP is using SMTP based AD replication in 2022, not being able to get a Let's Encrypt cert is the least of their problems.

5 Likes

Thank you for your reply.

I'm not interested in SMTP replication, just smartcard logon and the domain controller is a Samba one anyway.

1 Like

How can you use an LE cert for that?

2 Likes

I'm not very familiar with Active Directory, but smartcards (in short) can store a private key which can be used with a certificate in various protocols. TLS client certs with private keys on smartcards are often used for things like employee VPN logins. One of the reasons the ACME protocol takes a CSR is for interoperability with other systems (like smartcard software) which can produce a CSR for the private key on the device.

4 Likes

So each "smartcard" device would need its' own private key [and LE cert]?

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.