2.3 Certificate Formats

An X.509 certificate (as specified in [X509]) that encapsulates a public key for the purpose of secure communication is a prerequisite for using the DRS Protocol Extensions for SMTP. Each DC participating in directory email replication MUST have a certificate and private key that is available locally, that is unique to that computer, and that has been issued by a common root CA.

This certificate MUST be either a Domain Controller Replication certificate, as specified in section 2.3.1, or a Directory Email Replication certificate, as specified in section 2.3.2.<7>

The following object identifiers (OIDs) specify algorithms that are used for signing and sealing, as specified in PKCS #1 ([RFC8017]) and [SCHNEIER].

  • OID RSA MD5 (hash function) "1.2.840.113549.2.5"

  • OID SHA256 (hash function) "1.2.840.113549.1.1.11"

  • OID RSA RC4 (encryption algorithm) "1.2.840.113549.3.4"

  • OID AES128 (encryption algorithm) "2.16.840.1.101.3.4.1.2"
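Inside a certificate these OIDs do not appear as dotted strings but as DER OBJECT IDENTIFIER encodings, typically wrapped in an AlgorithmIdentifier SEQUENCE (for example in the Signature Algorithm field). The following Python is an added example, not part of the specification or of any Microsoft implementation: it encodes the four OIDs listed above into their DER form, decodes them back, and checks a decoded AlgorithmIdentifier against that list so a receiver can reject any algorithm the section does not name. The function names and the NULL parameters field are assumptions of this example.

```python
"""DER OBJECT IDENTIFIER / AlgorithmIdentifier helpers (added example).

Not part of the MS-SRPL text. Demonstrates how the OIDs listed in section
2.3 are laid out as DER bytes inside an X.509 certificate and how a receiver
can restrict accepted algorithms to that list.
"""

# OIDs and labels exactly as the specification lists them.
ALLOWED_OIDS = {
    "1.2.840.113549.2.5": "RSA MD5 (hash function)",
    "1.2.840.113549.1.1.11": "SHA256 (hash function)",
    "1.2.840.113549.3.4": "RSA RC4 (encryption algorithm)",
    "2.16.840.1.101.3.4.1.2": "AES128 (encryption algorithm)",
}

TAG_OID, TAG_NULL, TAG_SEQUENCE = 0x06, 0x05, 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(value: int) -> bytes:
    """One OID arc as big-endian base-128 with continuation bits set."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    # X.690 packs the first two arcs into a single sub-identifier.
    content = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _base128(arc)
    return bytes([TAG_OID]) + _der_length(len(content)) + content


def _read_tlv(data: bytes, pos: int):
    """Read one TLV starting at pos; return (tag, value, end_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("TLV value runs past end of data")
    return tag, data[pos:pos + length], pos + length


def decode_oid(tlv: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV back into dotted form."""
    tag, content, end = _read_tlv(tlv, 0)
    if tag != TAG_OID or end != len(tlv) or not content or content[-1] & 0x80:
        raise ValueError("not a well-formed OBJECT IDENTIFIER TLV")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last octet of this sub-identifier
            if not arcs:
                first = min(value // 40, 2)  # unpack the combined first two arcs
                arcs += [first, value - first * 40]
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_algorithm_identifier(dotted: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }."""
    body = encode_oid(dotted) + bytes([TAG_NULL, 0x00])
    return bytes([TAG_SEQUENCE]) + _der_length(len(body)) + body


def check_algorithm_identifier(der: bytes):
    """Return the section 2.3 label for the OID in der, or None if not listed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    _, _, oid_end = _read_tlv(body, 0)
    return ALLOWED_OIDS.get(decode_oid(body[:oid_end]))


if __name__ == "__main__":
    for oid, label in ALLOWED_OIDS.items():
        print(f"{label:32} {oid:26} {encode_oid(oid).hex()}")
```

The encoder is useful for building expected byte patterns to match against (for example when inspecting a certificate's signatureAlgorithm field with a DER dump), and `check_algorithm_identifier` returns `None` for any algorithm outside the four the section lists, which is the behaviour a strict receiver wants.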

The algorithms corresponding to these OIDs are specified in the following documents:

Both Domain Controller Replication certificates and Directory Email Replication certificates are X.509 certificates that contain the following X.509v1 fields.

  • Version

  • Serial Number

  • Signature Algorithm

  • Valid From

  • Valid To

  • Subject (distinguished name of the DC)

  • Issuer

  • Public Key