LDAPS certificate process

If you ever need to create a CA-signed certificate for Active Directory (LDAPS), follow this procedure on each domain controller.

#Create a file called request.inf in the c:\temp directory

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=yourFQDN, OU=YourCompany, O=YourDepartment, L=YourCity, S=YourState, C=US"
KeySpec = 1
KeyLength = 2048 ; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE ; needed if you later export the cert and private key to a .pfx
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature (0x80) + Key Encipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
Hashalgorithm = sha256
;-----------------------------------------------

Then run the following commands:

cd c:\temp

certreq.exe -new .\request.inf .\yourserver.domain.2015.req

#wait for certificate from CA

certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer

#The certreq utility will put this cert in the personal store of the local computer. I open up both the local computer certificate store and the certificate store for “Active Directory Domain Services”. Once both personal stores are open, I simply drag the certificate into the “Active Directory Domain Services” personal store. Make sure you open the cert and verify that the certificate chain is OK. Active Directory will immediately see the new certificate and start using it if its expiration date is later than the previous cert's, so you don't have to remove the old cert first.

Update 7/29/2019
If you are copying this certificate over from another domain controller, make sure that you include the private key with the certificate. If needed, export the certificate, including the private key and the certificate chain, into a .pfx file. Then import this file into the new DC's “Active Directory Domain Services” personal store.

Verification

I always use ldp.exe, installed by default on all DCs, to test the AD SSL connection. See the following screenshot: [screenshot: ldp-test]

You should immediately connect to your DC using the new certificate. Good luck!
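A scriptable equivalent of the ldp.exe test, added here as an example and not part of the original post: it connects to the DC on port 636, completes the TLS handshake, and reports whether the certificate the DC actually presents carries the Server Authentication EKU set in request.inf, covers the DC's FQDN, is within its validity period, and chains to a CA the client trusts. The script name and the -DcFqdn parameter are assumptions; everything else is standard .NET available in Windows PowerShell 5.1 and later.

```powershell
# Added example (hypothetical file name Test-LdapsCert.ps1); not from the original post.
# Usage: .\Test-LdapsCert.ps1 -DcFqdn dc1.yourdomain.edu
param(
    [Parameter(Mandatory = $true)][string]$DcFqdn,
    [int]$Port = 636
)

# Record the client-side policy errors instead of aborting the handshake,
# so a bad chain or name mismatch is reported rather than thrown.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# EKU must include Server Authentication (1.3.6.1.5.5.7.3.1), as requested in request.inf.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

# The DC's FQDN should appear in the Subject Alternative Name (OID 2.5.29.17) or, failing that, the CN.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
$nameMatches = ($san -match [regex]::Escape($DcFqdn)) -or
               ($cert.Subject -match "CN=$([regex]::Escape($DcFqdn))")

$now = Get-Date
[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    Thumbprint       = $cert.Thumbprint
    NotAfter         = $cert.NotAfter
    WithinValidity   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    ServerAuthEku    = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    NameMatchesFqdn  = $nameMatches
    ChainPolicyError = $script:policyErrors   # None means this client trusts the chain
}
```

If the Thumbprint shown is still the old certificate's, the new cert was not picked up by the NTDS store; if ChainPolicyError is not None, the client machine is missing the issuing CA in its trusted roots or the name does not match.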

This process has been tested on Active Directory 2008 R2 and Active Directory 2016.

About Parker Jardine

Manager of Systems Administration in the Information Technology Higher Education space. I enjoy biking, climbing, hockey, camping, mountaineering, hunting, paragliding, and just being outdoors. You can read my Make Magazine project articles about a diy solar panel and solar systems design in volumes 12 and 14.
This entry was posted in Active Directory, ldaps.
