[Good post from a blog|http://melkeyser-it.blogspot.com/2009/09/ldaps-ldap-over-ssl-on-windows-server.html]

Well, the blog entry is gone, and we recently had to do this again, so here are the steps.[1]


!! request.inf
Create the .inf file. 

The following is an [example] of an [ASCII] request.inf file that can be used to create the [Certificate] request file.
{{{
;----------------- request.inf ----------------- 

[Version] 

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC 
KeySpec = 1 
KeyLength = 1024 
; Can be 1024, 2048, 4096, 8192, or 16384. 
; Larger key sizes are more secure, but have 
; a greater impact on performance. 
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 

[EnhancedKeyUsageExtension] 

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication 
}}}

Note Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. 
For example: Subject="E=admin@contoso.com, CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US"

Create the request file. To do this, type the following command at the [command-line] prompt, and then press ENTER:
{{{
certreq -new request.inf request.req
}}}

A new file called Request.req is created. This is the base64-encoded request file.

!! Submit the [CSR]
Submit the request to a [Certificate Authority]. You can submit the request to a [Microsoft] [Certificate Authority] or to a third-party [Certificate Authority].

!! Install The Signed [Certificate]
Retrieve the [certificate] that is issued, and then save the [certificate] as Certnew.cer in the same folder as the request file. To do this, follow these steps:
* Create a new file called Certnew.cer.
* Open the file in Notepad, paste the encoded [certificate] into the file, and then save the file.
Note The saved certificate must be [encoded] as [base64]. Some third-party CAs return the issued certificate to the requestor as [base64]-encoded text in an e-mail message.
Accept the issued [certificate]. To do this, type the following command at the command prompt, and then press ENTER:
{{{
certreq -accept certnew.cer
}}}

!! [Certificate Authority]
Be sure you also install the [Certificate Authority] that signed your new [certificate] and any [Intermediate Certificates] within the [Certificate Chain].

!! Verify the Installation
Verify that the [certificate] is installed in the computer's Personal store. To do this, follow these steps:
* Start [Microsoft Management Console] ([MMC]).
* Add the [Certificates] snap-in that manages certificates on the local computer.
* Expand [Certificates] (Local Computer), expand Personal, and then expand [Certificates].
* A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.
* Restart the [Domain Controller].

!! Verify [LDAPS]
You can use one of the [LDAP Browsers] to verify the operation of [LDAPS].
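As an added example (not part of the original KB article or blog), the following PowerShell script connects to the DC on port 636, shows the certificate SChannel presents, and checks the two things the request.inf above asks for: the Server Authentication EKU and a name that matches the DC FQDN. The parameter name $DcFqdn and the port default are assumptions; the hostname is whatever your clients will use.

```powershell
# Added example: check the LDAPS listener on a DC and the certificate it serves.
param(
    [Parameter(Mandatory)][string]$DcFqdn,   # assumed parameter, e.g. dc01.contoso.com
    [int]$Port = 636                         # LDAPS default
)

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($DcFqdn, $Port)

# Record the chain/policy errors SChannel reports instead of failing silently,
# so an untrusted issuing CA or intermediate shows up in the output below.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true   # accept only so the certificate can be inspected; errors are printed
}

$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Subject        : $($cert.Subject)"
    "Issuer         : $($cert.Issuer)"
    "Not after      : $($cert.NotAfter)"
    "Protocol       : $($ssl.SslProtocol)"
    "Policy errors  : $script:policyErrors"   # None means the chain is trusted by this client

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present, as set in request.inf.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))
    "Server Auth EKU: $hasServerAuth"

    # Name check: the CN or a DNS SAN entry must equal the FQDN clients connect to.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }) }
    "Name matches   : $($names -contains $DcFqdn)"
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Run it from a domain member (not only from the DC itself) so the policy-error line reflects what real clients see of the CA chain installed in the previous step.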

You may also need to know how to determine the DC's FQDN; see [Determining the FDN].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]


----
[#1] [http://support.microsoft.com/kb/321051|http://support.microsoft.com/kb/321051|target='_blank']