Securolytics

            SSL Certificate for LDAPS

            Converting CRT to PFX


            openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


            Installing Certificate to Domain Controller server


            1. Run -> mmc
            2. File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer -> OK
            3. Personal -> Certificates
            4. Action -> All tasks -> Import


            Verify new certificate


            openssl s_client -showcerts -connect directory.domain.com:636 2>/dev/null | openssl x509 -noout -text | grep "Signature Algorithm\|DNS:\|Not Before\|Not After\|Issuer:\|Subject:"



            Step 1: Create Certificate Signing Request

            ;----------------- request.inf -----------------
            [Version]
            Signature="$Windows NT$"

            [NewRequest]
            Subject = "E=john.doe@domain.com, CN=directory.teknas.com, OU=Information technology, O=Organization name, L=Atlanta, S=Georgia, C=US"
            KeySpec = 1
            KeyLength = 2048
            ; Can be 1024, 2048, 4096, 8192, or 16384.
            ; Larger key sizes are more secure, but have
            ; a greater impact on performance.
            Exportable = TRUE
            MachineKeySet = TRUE
            SMIME = False
            PrivateKeyArchive = FALSE
            UserProtected = FALSE
            UseExistingKeySet = FALSE
            ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
            ProviderType = 12
            RequestType = PKCS10
            KeyUsage = 0xa0

            [EnhancedKeyUsageExtension]
            OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
            ;-----------------------------------------------


            • The first step is to put the FQDN of the LDAP server in the CN. To find it, click the Start button, right-click Computer and choose Properties; it is listed under "Computer Name" and should include the domain name.
            • Set the key length to at least 2048, because some certificate providers will not accept a shorter key.
            • E=email address; OU=Organizational Unit; O=Organization(name); L=Locality(city); S=State or province; C=Country or region. Most providers will require at least all of these values.
            • It is absolutely critical that there be a space after each comma.
            • Save the file as "request.inf"
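            The rules in the bullets above can be checked mechanically before running certreq. The Python script below is an added example, not part of the original article: it parses a request.inf with the standard library, using a constructed sample with placeholder names and hostnames, and reports every rule stated above that the file breaks, including a lost closing quote on the Signature line.

```python
import configparser
import re
# Constructed sample mirroring the article's request.inf (names and hostnames are placeholders).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "E=john.doe@domain.com, CN=directory.domain.com, OU=IT, O=Example Org, L=Atlanta, S=Georgia, C=US"
KeyLength = 2048
MachineKeySet = TRUE
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
"""
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0x80, 0x20  # the two bits set in KeyUsage = 0xa0

def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key case (KeyLength, not keylength)
    cp.read_string(text)
    return cp

def lint_request_inf(text, expected_fqdn):
    """Return the list of problems found; an empty list means every check passed."""
    cp = parse_inf(text)
    req, problems = cp["NewRequest"], []
    if cp["Version"].get("Signature") != '"$Windows NT$"':
        problems.append('Version.Signature must be exactly "$Windows NT$" (check both quotes)')
    subject = req.get("Subject", "").strip('"')
    if re.search(r",\S", subject):
        problems.append("Subject: every comma must be followed by a space")
    rdn = dict(p.strip().split("=", 1) for p in subject.split(",") if "=" in p)
    if rdn.get("CN", "").lower() != expected_fqdn.lower():
        problems.append(f"Subject CN {rdn.get('CN')!r} is not the DC FQDN {expected_fqdn!r}")
    missing = [k for k in ("E", "OU", "O", "L", "S", "C") if k not in rdn]
    if missing:
        problems.append("Subject is missing " + ", ".join(missing))
    if int(req.get("KeyLength", "0")) < 2048:
        problems.append("KeyLength must be at least 2048")
    if req.get("MachineKeySet", "").upper() != "TRUE":
        problems.append("MachineKeySet must be TRUE so the key lives in the computer store")
    ku = int(req.get("KeyUsage", "0"), 0)
    if not (ku & KU_DIGITAL_SIGNATURE and ku & KU_KEY_ENCIPHERMENT):
        problems.append("KeyUsage must include digitalSignature (0x80) and keyEncipherment (0x20)")
    if cp["EnhancedKeyUsageExtension"].get("OID") != SERVER_AUTH_OID:
        problems.append(f"EnhancedKeyUsageExtension OID must be {SERVER_AUTH_OID}")
    return problems
```

            Run it as lint_request_inf(open("request.inf").read(), "<your DC FQDN>") and fix every reported line before Step 2.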

            Step 2: Encode the Request File

            certreq -new request.inf request.req


            • Enter the command above at a command prompt.
            • This will generate a new file called request.req in the same directory as your .inf file.

            Step 3: Request Certificate from Certificate Authority

            • Alternatively, you can get a test/trial certificate from a trusted certificate authority. This certificate will expire, but we aren't interested in using it to verify identity, only for encryption.
            • Go to Verisign.com and click the "Try" button next to Free Trial on the left hand side.
            • Choose either VeriSign SSL Test or Trial Certificate. There is less information to fill out for the Test certificate.
            • Once you have filled out all the information necessary, VeriSign will email you the certificate. Copy the text and save it as certnew.cer.


            Step 4: Import the Certificate

            certreq -accept certnew.cer

            • Enter the command above at the command prompt.

            Notes:

            • If the certificate cannot be installed via the command line, certmgr.msc can be used to install the trusted root and intermediate certificates.


            Method 2: Microsoft Internet Information Services (IIS)



            STEP 1: Create Self-Signed Certificate

            • Open Internet Information Services (IIS) on the Domain Controller.

            • Click the server name in the left pane.

            • Double-click on Server Certificates in the center pane.


            • Click Create Self-Signed Certificate... in the Actions pane.


            • Create a friendly name for the self-signed certificate. It can be anything you want. 


            Updated: 26 Feb 2019 02:25 AM