Before the description starts, please note that the SMTP-based replication of Microsoft ADS does not work with certificates issued by TTPs. Microsoft officially acknowledges this problem but does not comment on the reasons. If you do not use SMTP replication, then you can use TTPs without any problems, except that Microsoft's automatic certificate renewal of course does not work.
There must be at least one CDP (CRL distribution point).
The X.509v3 extension Key Usage must include the options Digital Signature and Key Encipherment.
The X.509v3 extension Extended Key Usage must include Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). This is necessary because domain controllers are connected to as servers and also establish connections as clients to other servers.
The X.509v3 extension Subject Alternative Name must include the globally unique identifier (GUID) of the domain controller and the DNS name of the domain controller. The GUID is a 16 byte long number which identifies the object of the domain controller in the directory (ADS). The OID of the GUID in the othername is 1.3.6.1.4.1.311.25.1.
There must be one extension containing the BMPString value DomainController. Microsoft has an extra extension for this template name with the OID 1.3.6.1.4.1.311.20.2. Microsoft refers to this extension as Certificate Template Name.
The X.509v3 extension Basic Constraints should mark the subject as an End Entity (OpenSSL: CA=false) with no limitation of the path length.
The subject of the certificate can be the directory path of the domain controller, but this is optional.
If you want to create such a certificate, then you must create the key pair with the RSA/Schannel CSP. The simplest way to do this is to install Microsoft CA services and issue a certificate request via the web form, where you can choose this CSP and generate a key pair and a certificate request in PKCS#10 format.
The last thing before we start with the OpenSSL specific stuff: please create a new role for the domain controller certificates to avoid unnecessary extensions in normal certificates, or do you like Apaches which can act as domain controllers?
After you have read all these complicated issues, you perhaps understand why I can only recommend OpenSSL 0.9.8 if you want to issue certificates for domain controllers. The biggest problem is the subject alternative name, which can only be created in binary format; this requires changing the extension configuration file of the used role for every issued certificate in order to encode the correct GUID and DNS name of the domain controller. Nevertheless, you can do it with OpenSSL 0.9.7.
The first important note before you start with OpenSSL 0.9.8: you cannot compile OpenCA with OpenSSL 0.9.8. You must install OpenCA with OpenSSL 0.9.7 and then change the path of the OpenSSL binary from the 0.9.7 binary to the 0.9.8 binary. We know that this is not really comfortable, but the header files changed between 0.9.7 and 0.9.8 in an incompatible way, and we will only migrate our sources once there is a stable 0.9.8 release.
The standard things like Key Usage, Extended Key Usage, Subject, CDPs and Basic Constraints do not change between the different OpenSSL versions. Microsoft's certificate template name extension must also be copied as binary, but like the other standardized extensions it is a static string.
There must be at least one CDP.
The X.509v3 extension Key Usage must include the option Digital Signature.
The X.509v3 extension Extended Key Usage must include Client Authentication (1.3.6.1.5.5.7.3.2) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
The X.509v3 extension Subject Alternative Name must include the universal principal name (UPN) of the user. A UPN looks like account@domain (e.g. john_doe@company.com). It is important to understand that this is not an e-mail address. The OID of the UPN is 1.3.6.1.4.1.311.20.2.3. The UPN is encoded as UTF-8.
The X.509v3 extension Basic Constraints should mark the subject as an End Entity (OpenSSL: CA=false) with no limitation of the path length.
Please use the patch for OpenSSL which you can find on our FTP server. The patch othername.tgz includes a fix for Microsoft's othername usage. The following documentation refers only to this patched version of OpenSSL.
Now we have to deal with the UPN, which must be placed in the othername of the subject alternative name. If you use the patched version and othername is supported by the RA configuration, then you have to enter 1.3.6.1.4.1.311.20.2.3:UTF8String:account@domain in the value field after selecting otherName. The keyword UTF8String is case-sensitive. If you do everything correctly, you can now issue a wonderful certificate for smartcard logon.