If you ever need to create a CA signed certificate for active directory, follow this procedure for each domain controller.
#Create a file called request.inf in the c:\temp directory
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; Use the domain controller's FQDN as the CN; the remaining RDNs are placeholders.
Subject = "CN=yourFQDN, OU=YourCompany, O=YourDepartment, L=YourCity, S=YourState, C=US"
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; HashAlgorithm is a [NewRequest] key; placed under [RequestAttributes] it is ignored.
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Then run the following commands:
certreq.exe -new .\request.inf yourserver.domain.2015.req
#wait for certificate from CA
certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer
#The certreq utility will put this cert in the personal store of the local computer. I open up both the local computer certificate store and the certificate store for "Active Directory Domain Services". Once both personal stores are open, I simply drag the certificate into the "Active Directory Domain Services" personal store. Make sure you open the cert and verify that the certificate chain is valid. Active Directory will immediately see the new certificate and start using it if its expiration date is later than that of the previous cert, so you don't have to remove the old cert first.
If you are copying this certificate over from another domain controller, make sure that you include the private key with the certificate. If needed, export the certificate together with its private key and certificate chain into a .pfx file, then import that file into the new DC's "Active Directory Domain Services" personal store.
I always use the ldp.exe command installed by default on all DCs to test the AD SSL connection. See the following screenshot:
You should immediately connect to your DC using the new certificate. Good luck!
This process has been tested on Active Directory 2008 R2 and Active Directory 2016.
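As an added check that is not part of the original post, the following PowerShell script verifies the steps above from the defender's side: that the accepted certificate sits in the computer store with its private key, carries the Server Authentication EKU and the DC's name, builds a valid chain, and is the certificate LDAPS (port 636) actually serves. The .cer path and the FQDN lookup are assumptions; adjust them to your environment.

```powershell
# Added verification script (not from the original post). Assumes the DC's FQDN resolves
# from its own hostname, LDAPS listens on 636, and $CerPath points at the CA-issued .cer.
param(
    [string]$DcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$CerPath = 'C:\temp\yourservername_yourdomain_edu-2015-SHA2.cer'   # hypothetical path
)

# 1. Load the issued cert and confirm the computer store holds it together with a private key
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$local  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $local) { throw "Certificate $($issued.Thumbprint) is not in Cert:\LocalMachine\My" }
if (-not $local.HasPrivateKey) { throw "No private key; run certreq -accept on the DC that made the request" }

# 2. Confirm the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and that the cert names this DC
$eku  = $local.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @($eku.EnhancedKeyUsages | ForEach-Object Value)
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Missing Server Authentication EKU' }
$names = @($local.GetNameInfo('SimpleName', $false)) + @($local.DnsNameList.Unicode)
if ($names -notcontains $DcFqdn) { throw "Certificate does not name $DcFqdn (has: $($names -join ', '))" }

# 3. Build the chain the way Schannel will, including an online revocation check
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($local)) {
    throw ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
}

# 4. Open a TLS session to LDAPS and compare the served certificate with the one installed
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)   # throws if the served cert fails chain or name validation
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    if ($served.Thumbprint -ne $local.Thumbprint) {
        # AD picks the cert with the latest expiry; an older or stray cert shows up here
        throw "LDAPS serves $($served.Thumbprint) (expires $($served.NotAfter)), not $($local.Thumbprint)"
    }
    "OK: $DcFqdn serves $($served.Subject) via $($ssl.SslProtocol), expires $($served.NotAfter)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it on the DC after the certreq -accept step; a thumbprint mismatch in step 4 means the DC is still presenting another certificate, which is the case the drag-and-drop and expiry note above are meant to resolve.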