LDAPs and AD

Good post from a blog

Well, the blog entry is gone, and we recently had to do this again, so here are the steps.[1]


Create the .inf file.

Following is an example ASCII request.inf file that can be used to create the certificate request file.

;----------------- request.inf ----------------- 

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC 
KeySpec = 1 
KeyLength = 1024 
; Can be 1024, 2048, 4096, 8192, or 16384. 
; Larger key sizes are more secure, but have 
; a greater impact on performance. 
; (1024 is the value from the original article; most CAs today reject requests below 2048.) 
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment 

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication 

Note: Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the request.inf file. For example: Subject="E=admin@contoso.com, CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US"

Create the request file. To do this, type the following command at the command-line prompt, and then press ENTER:

certreq -new request.inf request.req

A new file called request.req is created. This is the base64-encoded certificate request (CSR).

Submit the CSR#

Submit the request to a Certificate Authority. You can submit the request to a Microsoft Certificate Authority or to a third-party Certificate Authority.

Install The Signed Certificate#

Retrieve the certificate that is issued, and then save it as Certnew.cer in the same folder as the request file. To do this, follow these steps:
  • Create a new file called Certnew.cer.
  • Open the file in Notepad, paste the encoded certificate into the file, and then save the file.
  • Note: The saved certificate must be base64-encoded. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.
  • Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:

certreq -accept certnew.cer

Certificate Authority#

Be sure you also install the certificate of the Certificate Authority that signed your new certificate, and any intermediate certificates in the certificate chain, so that clients can build a trusted chain to it.

Verify the Installation#

Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:
  • Start Microsoft Management Console (MMC).
  • Add the Certificates snap-in that manages certificates on the local computer.
  • Expand Certificates (Local Computer), expand Personal, and then expand Certificates.
  • A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.
  • Restart the Domain Controller.

Verify LDAPS#

You can use one of the LDAP Browsers to verify the operation of LDAPS.
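As an added check that is not part of the original article, the following PowerShell function (written for this page, not taken from the KB) opens a TLS connection to port 636 and reports whether the presented certificate has the properties the steps above are meant to produce: the Server Authentication EKU, a DNS name matching the DC, an acceptable key size, and a chain that validates on the calling client. The DC name dc01.contoso.com is a placeholder; it assumes the CA and intermediate certificates from the previous section are installed on the client running it.

```powershell
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DcFqdn,   # placeholder, e.g. dc01.contoso.com
        [int] $Port = 636
    )
    # The TLS callback records chain/name errors instead of aborting the handshake,
    # so the certificate can still be inspected when the chain is incomplete.
    $state = @{ ChainErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $c, $chain, $errors)
        $state.ChainErrors = $errors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DcFqdn)   # name mismatch shows up in $state.ChainErrors
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), the OID the request.inf asks for
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # RSA key size; the request.inf above uses KeyLength, 2048 or more is expected today
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { $null }

    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        DnsName       = $cert.GetNameInfo($dnsType, $false)   # should be the DC's FQDN
        NotAfter      = $cert.NotAfter
        KeySizeBits   = $keySize
        ServerAuthEku = $hasServerAuth
        ChainErrors   = $state.ChainErrors   # 'None' once the CA and intermediates are trusted here
    }
}

# Usage (placeholder DC name): Test-LdapsCertificate -DcFqdn 'dc01.contoso.com'
```

A result with ServerAuthEku true, ChainErrors None and DnsName equal to the DC's FQDN is what an LDAP browser needs to connect without a certificate warning.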

You may also need to know how to determine the FDN.

More Information#

There might be more information for this subject on one of the following:

[#1] http://support.microsoft.com/kb/321051