Hello Federico
To manually add the OID 1.3.6.1.4.1.311.25.2 and the binary SID of a device account to a certificate request, you’ll need to extract the SID from Active Directory and format it correctly in the request file.
To proceed, you can retrieve the SID of the printer's AD account using PowerShell:
- Get-ADComputer -Identity "PrinterName" | Select-Object SID
Once you have the string SID, you'll need to convert it to binary format. This can be done using .NET interop in PowerShell or tools like Lord of the SID. Then, include the binary SID in your certificate request using an INF file with the otherName field under the Subject Alternative Name extension.
Here’s a sample snippet:
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "otherName = 1.3.6.1.4.1.311.25.2;UTF8:<binary SID in hex>"
After preparing the INF file, use certreq -new to generate the request and submit it to your internal CA. If this answer helps resolve your issue, feel free to click “Accept Answer” so others can benefit too 😊.
Harry.
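Added worked example (editor's addition, not part of Harry's answer or of any Microsoft tooling): the SID extension 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT) is an X.509 extension in its own right, and its value is a small DER structure holding the SID as its ASCII string, the same layout AD CS itself emits when a template has the extension enabled. The PowerShell below builds that DER value from a SID string, prints the hex for an INF [Extensions] fragment, and, as an alternative to the INF route, attaches the extension to a PKCS#10 request built with .NET's CertificateRequest class (Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7 on Windows). Assumptions: the sample SID, the subject name, the CA config string and the file names are constructed placeholders, and the `"{hex}"` encoding keyword in the INF fragment is my reading of the certreq INF syntax rather than something the answer above states, so check it against the certreq reference for your Windows version.

```powershell
# Added example, not code from the answer above. Builds the DER value of the
# szOID_NTDS_CA_SECURITY_EXT extension (1.3.6.1.4.1.311.25.2) from a SID string
# and embeds it in a certificate request. Requires .NET Framework 4.7.2+ or
# PowerShell 7 on Windows for CertificateRequest.

function New-DerTlv {
    # Generic DER tag-length-value. Short-form length below 128 bytes, long form
    # (0x81 / 0x82 prefix) above; an ordinary SID extension fits the short form.
    param([byte]$Tag, [byte[]]$Content)
    $len = $Content.Length
    if     ($len -lt 0x80) { $lenBytes = [byte[]]@($len) }
    elseif ($len -le 0xFF) { $lenBytes = [byte[]]@(0x81, $len) }
    else                   { $lenBytes = [byte[]]@(0x82, ($len -shr 8), ($len -band 0xFF)) }
    return [byte[]]([byte[]]@($Tag) + $lenBytes + $Content)
}

function ConvertTo-DerOid {
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128
    # with the high bit set on every byte except the last one of each arc.
    param([string]$Oid)
    $arcs = @($Oid.Split('.') | ForEach-Object { [int]$_ })
    $body = New-Object System.Collections.Generic.List[byte]
    $body.Add([byte](40 * $arcs[0] + $arcs[1]))
    foreach ($arc in $arcs[2..($arcs.Count - 1)]) {
        $chunk = New-Object System.Collections.Generic.List[byte]
        $chunk.Insert(0, [byte]($arc -band 0x7F))
        $arc = $arc -shr 7
        while ($arc -gt 0) {
            $chunk.Insert(0, [byte](($arc -band 0x7F) -bor 0x80))
            $arc = $arc -shr 7
        }
        $body.AddRange($chunk)
    }
    return New-DerTlv 0x06 $body.ToArray()
}

function New-SidExtensionValue {
    # Extension value = SEQUENCE { [0] IMPLICIT OtherName {
    #     type-id 1.3.6.1.4.1.311.25.2.1 (szOID_NTDS_OBJECTSID),
    #     value   [0] EXPLICIT OCTET STRING "S-1-5-21-..." } }
    # The SID is carried as its ASCII string, not as the binary SID structure.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: '$Sid'" }
    $sidOctets = New-DerTlv 0x04 ([System.Text.Encoding]::ASCII.GetBytes($Sid))
    $value     = New-DerTlv 0xA0 $sidOctets
    $otherName = New-DerTlv 0xA0 ([byte[]]((ConvertTo-DerOid '1.3.6.1.4.1.311.25.2.1') + $value))
    return New-DerTlv 0x30 $otherName
}

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')
}

function New-SidInfExtensionLines {
    # INF fragment for certreq -new. ASSUMPTION: the "{hex}" keyword plus
    # _continue_ lines is my reading of the certreq INF syntax; verify it against
    # the certreq reference for your Windows version before relying on it.
    param([Parameter(Mandatory)][string]$Sid)
    $hex = ConvertTo-HexString ([byte[]](New-SidExtensionValue $Sid))
    return @('[Extensions]',
             '1.3.6.1.4.1.311.25.2 = "{hex}"',
             "_continue_ = `"$hex`"")
}

function New-SidCertificateRequest {
    # INF-free alternative: build the PKCS#10 in .NET and attach the extension
    # directly. Returns the RSA key; keep it, the issued certificate is useless
    # without it (the INF route keeps the key in the machine store for you).
    param([Parameter(Mandatory)][string]$SubjectName,
          [Parameter(Mandatory)][string]$Sid,
          [Parameter(Mandatory)][string]$OutFile)
    $der = [byte[]](New-SidExtensionValue $Sid)
    $rsa = [System.Security.Cryptography.RSACng]::new(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $SubjectName, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $ext = [System.Security.Cryptography.X509Certificates.X509Extension]::new('1.3.6.1.4.1.311.25.2', $der, $false)
    $req.CertificateExtensions.Add($ext)
    $pem = "-----BEGIN CERTIFICATE REQUEST-----`r`n" +
           [Convert]::ToBase64String($req.CreateSigningRequest(), 'InsertLineBreaks') +
           "`r`n-----END CERTIFICATE REQUEST-----"
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii
    return $rsa
}

# Constructed sample SID, not a real account. In practice:
#   $sid = (Get-ADComputer -Identity 'PrinterName').SID.Value
$sid = 'S-1-5-21-1004336348-1177238915-682003330-1105'
New-SidInfExtensionLines -Sid $sid
$key = New-SidCertificateRequest -SubjectName 'CN=PrinterName.corp.example' -Sid $sid -OutFile .\printer.req
# Check the extension is present before submitting:  certutil -dump .\printer.req
# Then submit, e.g.:  certreq -submit -config "CAHost\CA Name" .\printer.req .\printer.cer
```

Two caveats a practitioner will want: the extension has to be present when the request is signed, so a CSR the printer has already generated cannot be amended afterwards (the signature covers the request content) and must be regenerated with the extension in it; and the issued certificate only maps to the account if the string inside the extension is exactly the account's SID, so take it from Active Directory rather than typing it by hand, and dump the request with certutil to confirm the value before submitting.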