SSL Certificate for LDAPS

Converting CRT to PFX

Windows wants the server certificate, its private key and the issuing chain in a single PKCS#12 (PFX) file for import. If the key pair and certificate were produced with OpenSSL rather than on the domain controller, bundle them with:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL prompts for an export password; the same password is required when the PFX is imported. Once the import has succeeded, remove privateKey.key and certificate.pfx from wherever they were staged so the domain controller's private key does not stay behind on a workstation.

Installing the certificate on the Domain Controller

Import the PFX into the Computer account's Personal store. AD DS only looks there (a certificate imported into the current user's store is ignored), and it picks the new certificate up at the next reboot, or sooner if the directory service is told to re-read its certificate.

1. Run -> mmc
2. File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer -> OK
3. Expand Personal -> Certificates
4. Action -> All Tasks -> Import, select certificate.pfx and enter the export password
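
The same import done from PowerShell, as an added example that is not part of the original page. It imports the PFX from the openssl step into the Computer account's Personal store, checks the things AD DS needs (private key, Server Authentication EKU, validity, a chain that builds on this host), and then writes renewServerCertificate on rootDSE so the directory service reloads its certificate without a reboot. It assumes an elevated session on the domain controller and that certificate.pfx and CACert.crt are the files named above; CACert.crt is assumed to be an intermediate (a root belongs in Cert:\LocalMachine\Root instead).

```powershell
# Added example, not from the original page: PowerShell equivalent of the mmc
# import above, plus sanity checks and a certificate reload request to AD DS.
# Assumptions: elevated session on the DC; certificate.pfx and CACert.crt are
# the files produced in the openssl step.
param(
    [string]$PfxPath     = '.\certificate.pfx',
    [string]$CaChainPath = '.\CACert.crt'
)

$password = Read-Host -Prompt 'PFX export password' -AsSecureString

# AD DS reads its LDAPS certificate from the Computer account's Personal store
# (Cert:\LocalMachine\My). Without -Exportable the private key is imported as
# non-exportable, so it cannot be pulled back out of the store later.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $password

# The issuing chain must be trusted by the DC itself. Intermediates go into
# Cert:\LocalMachine\CA; if CACert.crt is a root CA, use Cert:\LocalMachine\Root.
Import-Certificate -FilePath $CaChainPath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Checks worth doing before asking AD DS to use the certificate.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $serverAuth) { throw 'Certificate lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)' }

$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}
# Verify() builds the chain against this machine's trust stores; a failure here
# means clients with the same roots will reject the certificate too.
if (-not $cert.Verify()) { Write-Warning 'Certificate chain does not validate on this host' }

# Writing renewServerCertificate on rootDSE tells the directory service to
# reload its Schannel certificate, which otherwise only happens at reboot.
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
$ldifPath = Join-Path $env:TEMP 'renewServerCertificate.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding Ascii
& ldifde.exe -i -f $ldifPath
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }
Remove-Item $ldifPath

$cert | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
```

Run it from the directory holding the PFX, or pass -PfxPath and -CaChainPath. If Verify() warns, fix the trust chain on the DC before moving on to the client-side check below; an LDAPS listener presenting an unverifiable chain only trains clients to ignore validation errors.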

 

Verify new certificate

From any host with OpenSSL, pull the certificate the domain controller now presents on TCP 636 and check the fields LDAPS clients care about: a Subject or DNS Subject Alternative Name carrying the FQDN clients connect to, the validity dates, a signature algorithm of SHA-256 or stronger (not SHA-1), and an Issuer your clients trust.

openssl s_client -showcerts -connect directory.domain.com:636 </dev/null 2>/dev/null | openssl x509 -noout -text | grep "Signature Algorithm\|DNS:\|Not Before\|Not After\|Issuer:\|Subject:"

The </dev/null closes s_client's standard input so the command returns instead of waiting for you to type; 2>/dev/null hides OpenSSL's connection errors, so if the output is empty rerun without it to see whether the port is closed or the handshake failed.
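
The same check from a Windows client, as an added example that is not part of the original page. Instead of printing fields for a human to read, it completes a TLS handshake to port 636 with .NET's SslStream, captures the certificate and .NET's own validation verdict (chain trust and hostname match against the name you connected to), and reports the properties the page's grep looks for plus the Server Authentication EKU and RSA key size. The server name directory.domain.com is the placeholder used elsewhere on this page.

```powershell
# Added example, not from the original page: inspect the certificate a domain
# controller presents on TCP 636 the way an LDAPS client would see it.
# Assumptions: PowerShell 5.1 or later; $Server resolves and port 636 is open.
param(
    [string]$Server = 'directory.domain.com',
    [int]$Port = 636
)

$script:RemoteCert   = $null
$script:PolicyErrors = $null

# Capture the certificate and the validation verdict but return $true so the
# handshake completes even for a bad certificate; we want to inspect it, not
# trust it. Never do this in production client code.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:RemoteCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $script:PolicyErrors = $sslPolicyErrors
    return $true
}

$ssl    = $null
$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # The name passed here is what .NET matches against the SAN/CN; pass the
    # exact name your LDAP clients are configured with.
    $ssl.AuthenticateAsClient($Server)
    $protocol = $ssl.SslProtocol
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}

$cert = $script:RemoteCert
if (-not $cert) { throw "No certificate received from ${Server}:$Port" }

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

[pscustomobject]@{
    Server             = "${Server}:$Port"
    Protocol           = $protocol
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    NotBefore          = $cert.NotBefore
    NotAfter           = $cert.NotAfter
    DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    RsaKeySize         = if ($rsa) { $rsa.KeySize } else { 'not RSA' }
    SubjectAltNames    = if ($san) { $san.Format($false) } else { 'none' }
    ServerAuthEku      = [bool]$serverAuth
    ValidationErrors   = $script:PolicyErrors   # None = chain trusted and name matched
}

if ($script:PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Clients that validate properly will reject this certificate: $($script:PolicyErrors)"
}
```

ValidationErrors is the result that matters: RemoteCertificateChainErrors means the issuer is not trusted by this client, RemoteCertificateNameMismatch means the FQDN you connected to is not in the certificate's SAN (or CN). Either one will break LDAPS for every client that does not have validation disabled.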



Step 1: Create Certificate Signing Request

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; CN must be the FQDN of this domain controller, exactly as clients connect to it.
Subject = "E=john.doe@domain.com, CN=directory.domain.com, OU=Information technology, O=Organization name, L=Atlanta, S=Georgia, C=US"
KeySpec = 1            ; AT_KEYEXCHANGE: the key may be used for key exchange, as TLS requires
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance. Public CAs no longer issue for 1024.
Exportable = TRUE      ; set to FALSE unless the private key must be exported later
MachineKeySet = TRUE   ; create the key under the Computer account, where AD DS looks for it
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0        ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------


  • The CN must be the FQDN of the LDAP server, the name clients will use to connect. On the domain controller it is shown under "Computer name" in System properties (Start -> right-click Computer -> Properties) and includes the domain suffix. Clients compare the name they connected to against the certificate's Subject Alternative Name (falling back to the CN), so a mismatch is a validation failure.
  • Set KeyLength to at least 2048; public CAs reject shorter RSA keys.
  • E=email address; OU=Organizational Unit; O=Organization (name); L=Locality (city); S=State or province; C=Country or region. Most providers require all of these values; some public CAs no longer accept an E= attribute in the subject, so drop it if the request is rejected.
  • Separate the attributes with a comma followed by a space, exactly as in the example.
  • Save the file as "request.inf".

Step 2: Generate the Request File

certreq -new request.inf request.req

  • Run the command above from an elevated command prompt on the domain controller. Because MachineKeySet = TRUE, the private key is generated in the machine store and never leaves it.
  • This generates request.req, a Base64-encoded PKCS#10 request, in the same directory as the .inf file. It contains only the public key and the subject, so it is safe to send to the CA.

Step 3: Request Certificate from Certificate Authority

  • Submit the contents of request.req to your certificate authority (an internal Active Directory Certificate Services CA or a public CA) and save the issued certificate as certnew.cer.
  • Alternatively, a test/trial certificate from a public certificate authority can be used for a lab. It expires quickly, and clients that validate the chain will reject it unless its issuer is in their trust store, so it is suitable for testing that encryption works, not for production, where clients rely on the certificate to identify the domain controller.
  • Go to Verisign.com and click the "Try" button next to Free Trial on the left-hand side.
  • Choose either VeriSign SSL Test or Trial Certificate. There is less information to fill out for the Test certificate.
  • Once you have filled out all the necessary information, VeriSign will email you the certificate. Copy the text and save it as certnew.cer.


Step 4: Import the Certificate

  • Enter the following command at the command prompt on the same domain controller that generated the request (the pending private key lives in its machine store):

certreq -accept certnew.cer

  • certreq matches the issued certificate to the pending request and binds it to the private key in the Computer account's Personal store. Confirm the result with the openssl check above.

Notes:

  • If the certificate cannot be installed via the command line, use the Certificates snap-in for the Computer account (certlm.msc, or mmc as described above) to install the trusted root and intermediate certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores. certmgr.msc opens the current user's store, which AD DS does not read.
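
Steps 1 through 4 as one script, added here as an example that is not part of the original page. It builds request.inf from the domain controller's own FQDN, adds a Subject Alternative Name (which the page's INF lacks and which modern clients match against, many ignoring the CN entirely), runs certreq -new, and, once the CA has returned a certificate, runs certreq -accept and shows the bound certificate. Assumptions: an elevated session on the DC; the O/OU/L/S/C defaults are the placeholders from the page and should be replaced; the E= attribute is omitted because some public CAs refuse it; Exportable is set to FALSE, unlike the page's INF, so the DC's key cannot be exported from the store.

```powershell
# Added example, not from the original page: generate the CSR for this DC and,
# when the issued certificate is supplied, accept it into the machine store.
# Assumptions: elevated session on the domain controller; placeholder subject
# values below are replaced; the CA returns a file such as certnew.cer.
param(
    [string]$Org     = 'Organization name',
    [string]$OrgUnit = 'Information technology',
    [string]$City    = 'Atlanta',
    [string]$State   = 'Georgia',
    [string]$Country = 'US',
    [string]$IssuedCert           # e.g. .\certnew.cer, once the CA has issued it
)

# The CN must be this DC's FQDN; it is also listed as a DNS SAN, together with
# the bare domain name for clients that bind to the domain rather than a DC.
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$domain  = $fqdn.Substring($fqdn.IndexOf('.') + 1)
$infPath = Join-Path $PWD 'request.inf'
$reqPath = Join-Path $PWD 'request.req'

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=$OrgUnit, O=$Org, L=$City, S=$State, C=$Country"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$domain&"
"@

if (-not $IssuedCert) {
    Set-Content -Path $infPath -Value $inf -Encoding Ascii
    # certreq -new creates the key pair in the machine store and writes the PKCS#10 CSR.
    & certreq.exe -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Write-Host "CSR written to $reqPath; submit its contents to the CA, then rerun with -IssuedCert <file>."
} else {
    # certreq -accept matches the issued certificate to the pending request and
    # binds it to the private key generated above.
    & certreq.exe -accept $IssuedCert
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
        Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
}
```

Run it once without arguments to produce request.req, and again with -IssuedCert .\certnew.cer after the CA responds. Both runs must happen on the same domain controller: certreq -accept only succeeds where the matching private key exists.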

 

Method 2: Microsoft Internet Information Services (IIS)

A self-signed certificate is the quickest way to get LDAPS listening, but no client trusts it until its public half has been installed in each client's trust store. Clients that cannot validate it will either refuse to connect or, worse, end up configured to skip validation, which gives up the protection LDAPS was supposed to add. Use this method for labs and testing, or only where you control every LDAP client. It also requires IIS on the domain controller, which is extra attack surface on a machine that should run as little as possible.

STEP 1: Create Self-Signed Certificate

  • Open Internet Information Services (IIS) Manager on the Domain Controller.
  • Click the server name in the left pane.
  • Double-click Server Certificates in the center pane.
  • Click Create Self-Signed Certificate... in the Actions pane.
  • Create a friendly name for the self-signed certificate. It can be anything you want.
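
The same result without installing IIS, as an added example that is not part of the original page: New-SelfSignedCertificate creates a self-signed LDAPS certificate directly in the Computer account's Personal store, and Export-Certificate writes out the public half that every LDAP client must be given before it can validate the connection. Assumptions: an elevated session on the domain controller, PowerShell 5.1 or later, one year of validity, and the FQDN taken from DNS.

```powershell
# Added example, not from the original page: create a self-signed LDAPS
# certificate for this DC and export its public part for client distribution.
# Assumptions: elevated session on the DC; PowerShell 5.1+; one-year validity.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# -DnsName sets both the CN and a DNS SAN to the FQDN clients connect to.
# The key stays non-exportable in the machine store; the EKU restricts the
# certificate to Server Authentication, the only use LDAPS needs.
$cert = New-SelfSignedCertificate `
    -DnsName $fqdn `
    -FriendlyName "LDAPS $fqdn" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# A self-signed certificate is trusted by nobody until its public part is in
# each client's trust store. Export it (certificate only, no private key).
$publicCert = Join-Path $PWD "$fqdn-ldaps.cer"
Export-Certificate -Cert $cert -FilePath $publicCert -Type CERT | Out-Null

$cert | Format-List Subject, NotBefore, NotAfter, Thumbprint, HasPrivateKey
Write-Host "Distribute $publicCert to every LDAPS client (on Windows: Cert:\LocalMachine\Root)."
```

Record the thumbprint it prints; when a client reports a trust error, comparing the thumbprint it saw against this one tells you whether it reached this DC's certificate at all or something else is answering on port 636.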