If you ever need to create a CA-signed certificate for Active Directory, follow this procedure on each domain controller.
#Create a file called request.inf in the c:\temp directory
;—————– request.inf —————–
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject= "CN=yourFQDN, OU=YourDepartment, O=YourCompany, L=YourCity, S=YourState, C=US"
; CN must be the domain controller's fully qualified DNS name; O is the organization, OU the unit within it
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; HashAlgorithm is a [NewRequest] key; placed under [RequestAttributes] it is ignored
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;———————————————–
Then run the following commands:
certreq.exe -new .\request.inf yourserver.domain.2015.req
#wait for certificate from CA
certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer
#The certreq utility puts this certificate in the personal store of the local computer. I open up both the local computer certificate store and the certificate store for "Active Directory Domain Services". Once both personal stores are open, I simply drag the certificate into the "Active Directory Domain Services" personal store. Make sure you open the certificate and verify that the certificate chain is OK. Active Directory will immediately see the new certificate and start using it if its expiration date is later than the previous certificate's, so you don't have to remove the old certificate first.
This process has been tested on Active Directory 2008 R2.
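As an added example (not from the original post), the following PowerShell script writes the request.inf above with this domain controller's own FQDN in the CN, runs the certreq -new step, and, once the issued certificate has been accepted and placed in the "Active Directory Domain Services" store as described, checks what the DC actually presents on LDAPS (TCP 636): subject, expiry, name match, and whether the chain builds to a trusted root for Server Authentication. It assumes it runs on the DC itself, that GetHostEntry returns the DC's FQDN, and that the issuing CA's root is in the machine's Trusted Root store.

```powershell
# Added example, not from the original post: request.inf from the page's template with this DC's FQDN, then an LDAPS check.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumed to be the DC's FQDN
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject="CN=$fqdn, OU=YourDepartment, O=YourCompany, L=YourCity, S=YourState, C=US"
KeySpec=1
KeyLength=2048
Exportable=TRUE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0
HashAlgorithm=sha256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Set-Content -Path C:\temp\request.inf -Value $inf
certreq.exe -new C:\temp\request.inf "C:\temp\$fqdn.req"   # submit the .req to the CA, then certreq -accept as above

# Run after the issued cert is in the "Active Directory Domain Services" personal store.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any cert at handshake time so it can be inspected; trust is decided by X509Chain below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'
    $chain.ChainPolicy.ApplicationPolicy.Add($serverAuth) | Out-Null   # chain must be valid for Server Authentication
    $chainOk = $chain.Build($cert)
    $result = New-Object PSObject -Property @{
        Server      = $Server
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        NameMatches = ($cert.GetNameInfo('DnsName', $false) -ieq $Server)
        ChainOk     = $chainOk
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    $ssl.Dispose(); $client.Close()
    $result
}
Test-LdapsCertificate -Server $fqdn
```

If ChainOk is false, ChainErrors names the failing check (untrusted root, revocation unreachable, wrong EKU); a Thumbprint that still matches the old certificate means the new one has not been picked up from the NTDS store.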