To enable LDAPS on a Domain Controller, you must install a certificate into the Personal store of the computer account.
If you are using a Windows Enterprise CA, this is no problem, as a dedicated certificate template has existed for a while.
For 3rd-party CAs, up to Windows 2003, the requirements the certificate must fulfill were outlined in KB 321051.
The requirements for Windows 2008 R2 domain controllers were listed in that blog entry.
However, if you are not familiar with PKI and/or PKI tools, you may find that article a bit hard to read. Here is the step-by-step procedure:
- on the Domain Controller you want a certificate for, create a file mydc-req.inf with the contents shown at the end of this post
- run certreq -new mydc-req.inf mydc-req.req
- send mydc-req.req to the CA for signing
- save the answer as mydc.crt (you mentioned you wanted a PKCS#10)
- do not forget to add the public certificate of every CA in the signing chain to the 3rd-party CA store of the local computer
- run certreq -accept mydc.crt
Some notes:
- If you created the request with certreq, you must accept it with certreq; if you used another tool (e.g. the certificates MMC snap-in), use that tool to finish the certification process
- This kind of certificate is known as KDC Authentication; it deviates from the regular Win2003 LDAPS certificate but allows more:
  - LDAPS (that is the Subject part)
  - KDC signing, with reference to the domain as seen by the calling client rather than to a particular Domain Controller (that is the SAN, Subject Alternative Name, part)
  - use of smart card hosted certificates by clients to access the LDAPS/KDC support
```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mydc.mydomain.myforest.dom" ; replace with the FQDN of the DC for LDAPS
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; 2048 = ANSSI recommendation until 2020
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; this is for Client Authentication
OID=1.3.6.1.5.2.3.5 ; this is for KDC Authentication
OID=1.3.6.1.4.1.311.20.2.2 ; this is for Smart Card Logon

; For Windows 2008 and higher only
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mydomain&"
_continue_ = "dns=mydomain.myforest.dom&"

; For Windows 2003 only ---
[RequestAttributes]
SAN="dns=mydomain.myforest.dom"
SAN="dns=mydomain" ; NetBIOS Domain Name
```
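Once certreq -accept has run, it is worth checking that what landed in the computer's Personal store actually matches the request above (EKUs, SAN, key usage, private key present, chain building) before relying on it for LDAPS. The following PowerShell script is an added example, not part of the original post; it is run elevated on the DC, and $DcFqdn, $DomainDns and $DomainNetbios are placeholders taken from the sample INF that you replace with your own values. It works whichever of the two SAN variants ([Extensions] or [RequestAttributes]) the request used.

```powershell
# Added check (not part of the original post): run elevated on the DC after
# "certreq -accept mydc.crt". The three values below are placeholders matching
# the sample mydc-req.inf; replace them with your own FQDN and domain names.
$DcFqdn        = 'mydc.mydomain.myforest.dom'
$DomainDns     = 'mydomain.myforest.dom'
$DomainNetbios = 'mydomain'
# EKU OIDs requested in mydc-req.inf
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
# The certificate must sit in the computer's Personal store together with its private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DcFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$DcFqdn in LocalMachine\My" }
$problems = @()

# 1. Enhanced Key Usage (2.5.29.37): all four OIDs from the request must be present
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$present = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
foreach ($oid in $RequiredEku.Keys) {
    if ($present -notcontains $oid) { $problems += "missing EKU $oid ($($RequiredEku[$oid]))" }
}
# 2. Subject Alternative Name (2.5.29.17): DNS domain name and NetBIOS domain name
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
foreach ($name in @($DomainDns, $DomainNetbios)) {
    if ($sanText -notmatch ([regex]::Escape("DNS Name=$name") + '(,|\s|$)')) {
        $problems += "SAN lacks DNS name '$name'"
    }
}
# 3. Key Usage 0xa0 = Digital Signature + Key Encipherment
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if ($ku -and -not ($ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -and
                   $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment))) {
    $problems += "KeyUsage is '$($ku.KeyUsages)', expected DigitalSignature + KeyEncipherment"
}
# 4. The chain must build, i.e. every CA of the signing chain is in the computer's CA stores
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"OK: $($cert.Thumbprint) usable for LDAPS/KDC until $($cert.NotAfter)"
```

A non-zero exit with warnings tells you which requirement the issued certificate misses (typically a CA that dropped the KDC Authentication EKU or the NetBIOS SAN entry), so you can fix the template on the CA side before the DC starts offering it on port 636.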
Beautiful