Windows Domain Controller Certificate template for LDAPS, Strong KDC, etc.


To use LDAPS on a Domain Controller, a suitable certificate must be installed into the Personal store of the local computer (the computer account's store, not a user's).
If you are using a Windows Enterprise CA, this is no problem: a dedicated certificate template for Domain Controllers has existed for a long time.
For third-party CAs, up to Windows Server 2003 the requirements the certificate must fulfill were outlined in KB 321051.
The requirements for Windows Server 2008 R2 domain controllers were listed in that blog entry.

However, if you are not familiar with PKI and/or PKI tools, you may find that article a bit hard to read. Here is the step-by-step procedure:

  1. create a mydc-req.inf with the contents attached to this post, on the Domain Controller that needs the certificate (the private key is generated and kept on that machine)
  2. issue a certreq -new mydc-req.inf mydc-req.req
  3. send mydc-req.req to the CA for signing (it is a PKCS#10 request, which is what most third-party CAs expect)
  4. save the issued certificate the CA returns as mydc.crt
  5. before accepting, import the certificate of every CA in the signing chain into the local computer's certificate stores (the root CA into Trusted Root Certification Authorities, any intermediate CAs into Intermediate Certification Authorities); without them the chain cannot be validated
  6. issue a certreq -accept mydc.crt on the same Domain Controller

Some notes:

  • If you created the request with certreq, you must accept it with certreq; if you used another tool (e.g. the Certificates MMC snap-in), finish the enrollment with that tool
  • The resulting certificate is of the "KDC Authentication" kind (the Kerberos Authentication template type). It deviates from the plain LDAPS certificate of Windows 2003, but allows more:
    • LDAPS (that is what the Subject, the DC's FQDN, is for)
    • KDC signing that clients verify against the domain they contacted rather than one particular Domain Controller (that is what the domain names in the SAN, the Subject Alternative Name, are for)
    • smart card logon, i.e. clients using a smart-card-hosted certificate against this DC's LDAPS/KDC
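As an added example that is not part of the original post (the .inf attachment mentioned in step 1 is not reproduced here), the following PowerShell script generates a certreq .inf of the kind the procedure and the notes above describe, runs steps 2 and 6 of the procedure, and then checks the installed certificate for the properties the notes list: the KDC Authentication EKU, the DC and domain names in the SAN, a private key in the machine store, and a chain that builds to a trusted root (which fails if step 5 was skipped). The host names, the working directory and the key parameters are assumptions; adjust them for your forest. The verification function goes beyond the post, which only describes the request.

```powershell
# Added example, not from the original post: builds the certreq .inf for a
# Domain Controller certificate of the "Kerberos Authentication" kind, runs
# steps 2 and 6 of the procedure, and checks the installed certificate.
# All host names are placeholders (assumptions); replace them with your own.
$DcFqdn    = 'dc01.corp.example.com'   # assumption: FQDN of this DC
$DomainDns = 'corp.example.com'        # assumption: DNS name of the AD domain
$DomainNb  = 'CORP'                    # assumption: NetBIOS name of the domain

# Single-quoted here-string so "$Windows NT$" and "{text}" survive literally;
# the __PLACEHOLDERS__ are substituted afterwards.
$infTemplate = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__DC__"                 ; LDAPS clients match this against the DC name
KeyLength = 2048
KeySpec = 1                           ; AT_KEYEXCHANGE
KeyUsage = 0xA0                       ; Digital Signature + Key Encipherment
Exportable = FALSE
MachineKeySet = TRUE                  ; key belongs to the computer, not a user
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1               ; Server Authentication (LDAPS)
OID = 1.3.6.1.5.5.7.3.2               ; Client Authentication
OID = 1.3.6.1.5.2.3.5                 ; KDC Authentication (PKINIT)
OID = 1.3.6.1.4.1.311.20.2.2          ; Smart Card Logon

[Extensions]
; SAN: the DC itself plus the domain, so PKINIT clients can validate the
; certificate against the domain they contacted, not one particular DC.
2.5.29.17 = "{text}"
_continue_ = "dns=__DC__&"
_continue_ = "dns=__DOMAIN__&"
_continue_ = "dns=__NETBIOS__"
'@

$inf = $infTemplate.Replace('__DC__', $DcFqdn).Replace('__DOMAIN__', $DomainDns).Replace('__NETBIOS__', $DomainNb)

$work    = Join-Path $env:SystemDrive 'dc-cert'   # assumption: working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'mydc-req.inf'
$reqPath = Join-Path $work 'mydc-req.req'
$crtPath = Join-Path $work 'mydc.crt'             # the CA's answer goes here (step 4)

Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq.exe -new $infPath $reqPath    # step 2: PKCS#10 request; the key stays in the machine store

# Send $reqPath to the CA, save the issued certificate as $crtPath and import the
# CA chain into Cert:\LocalMachine\Root and Cert:\LocalMachine\CA (step 5), then:
if (Test-Path $crtPath) {
    certreq.exe -accept $crtPath      # step 6: binds the issued cert to the pending key
}

# Checks the properties the notes above describe on whatever KDC certificate
# is installed in the computer's Personal store.
function Test-DcCertificate {
    param([string]$DcFqdn, [string]$DomainDns)
    $kdcEku = '1.3.6.1.5.2.3.5'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku } |
        ForEach-Object {
            $cert    = $_
            $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            # Format($false) yields e.g. "DNS Name=dc01.corp.example.com, DNS Name=corp.example.com"
            $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                HasPrivateKey = $cert.HasPrivateKey
                SanHasDc      = $sanText -match ('=' + [regex]::Escape($DcFqdn) + '(,|$)')
                SanHasDomain  = $sanText -match ('=' + [regex]::Escape($DomainDns) + '(,|$)')
                ChainTrusted  = $cert.Verify()   # false if the CA chain (step 5) is missing
                NotAfter      = $cert.NotAfter
            }
        }
}

Test-DcCertificate -DcFqdn $DcFqdn -DomainDns $DomainDns | Format-List
```

The SAN checks anchor on `=name` followed by a comma or the end of the string, so the domain entry is only reported as present when it is its own SAN entry, not merely because it is a suffix of the DC's FQDN. Run the script elevated on the Domain Controller itself, since the request must be created where the key is meant to live.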
