SSL Certificate for LDAPS

            Converting CRT to PFX


            openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


            Installing the Certificate on the Domain Controller


            1. Run -> mmc
            2. File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer -> OK
            3. Personal -> Certificates
            4. Action -> All tasks -> Import


            Verify the new certificate


            openssl s_client -showcerts -connect <ldap-server-fqdn>:636 </dev/null 2>/dev/null | openssl x509 -noout -text | grep "Signature Algorithm\|DNS:\|Not Before\|Not After"

            Step 1: Create Certificate Signing Request

            ;----------------- request.inf -----------------
            [NewRequest]
            Signature="$Windows NT$"
            Subject = ",, OU=Information technology, O=Organization name, L=Atlanta, S=Georgia, C=US"
            KeySpec = 1
            KeyLength = 2048
            ; Can be 1024, 2048, 4096, 8192, or 16384.
            ; Larger key sizes are more secure, but have
            ; a greater impact on performance.
            Exportable = TRUE
            MachineKeySet = TRUE
            SMIME = False
            PrivateKeyArchive = FALSE
            UserProtected = FALSE
            UseExistingKeySet = FALSE
            ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
            ProviderType = 12
            RequestType = PKCS10
            KeyUsage = 0xa0
            OID= ; this is for Server Authentication


            • The Subject must include the FQDN of the LDAP server (the domain controller) as the CN. To find it, right-click Computer in the Start menu and choose Properties; it is listed under "Computer name" and should include the domain name.
            • Set KeyLength to at least 2048; some certificate providers will not accept anything lower.
            • E=email address; OU=Organizational Unit; O=Organization(name); L=Locality(city); S=State or province; C=Country or region. Most providers will require at least all of these values.
            • It is absolutely critical that there be a space after each comma.
            • Save the file as "request.inf"
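            The following is an added example, not part of the original article: a small linter that parses a certreq request.inf and checks it against the rules above (CN is the DC FQDN, a space after every comma, KeyLength at least 2048) and decodes the KeyUsage mask 0xa0 into its named bits. The FQDN dc01.corp.example and the sample INF are constructed placeholders.

```python
import re

# X.509 KeyUsage bits as certreq writes them (most significant bit first).
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}

# Constructed sample request; dc01.corp.example is a placeholder FQDN.
SAMPLE_INF = """;----------------- request.inf -----------------
[NewRequest]
Signature="$Windows NT$"
Subject = "CN=dc01.corp.example, OU=Information technology, O=Organization name, L=Atlanta, S=Georgia, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xa0
"""

def parse_inf(text):
    """Return key -> value for 'Key = Value' lines; ';' comments and [sections] are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values

def decode_key_usage(hex_value):
    """Expand a certreq KeyUsage mask such as 0xa0 into its named bits."""
    mask = int(hex_value, 16)
    return [name for bit, name in KEY_USAGE_BITS.items() if mask & bit]

def lint_request_inf(text, expected_fqdn):
    """Return a list of problems; an empty list means the INF follows the Step 1 notes."""
    cfg = parse_inf(text)
    problems = []
    subject = cfg.get("Subject", "")
    if f"CN={expected_fqdn}" not in subject.split(", "):
        problems.append(f"Subject CN is not the DC FQDN {expected_fqdn}")
    if re.search(r",(?! )", subject):
        problems.append("Subject has a comma not followed by a space")
    if int(cfg.get("KeyLength", "0")) < 2048:
        problems.append("KeyLength below 2048")
    usage = decode_key_usage(cfg.get("KeyUsage", "0x0"))
    if not {"digitalSignature", "keyEncipherment"} <= set(usage):
        problems.append(f"KeyUsage {cfg.get('KeyUsage')} lacks signature/encipherment")
    return problems
```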

            Step 2: Encode the Request File

            certreq -new request.inf request.req


            • Enter the command above at a command prompt.
            • This will generate a new file called request.req in the same directory as your .inf file.

            Step 3: Request Certificate from Certificate Authority

            • Alternatively, you can get a test/trial certificate from a trusted certificate authority. This certificate will expire, but we are not interested in using it to verify identity, only for encryption.
            • Go to and click the "Try" button next to Free Trial on the left-hand side.
            • Choose either VeriSign SSL Test or Trial Certificate. There is less information to fill out for the Test certificate.
            • Once you have filled out all the information necessary, VeriSign will email you the certificate. Copy the text and save it as certnew.cer.


            Step 4: Import the Certificate

            certreq -accept certnew.cer


            • Enter the command above at a command prompt.


            • If the certificate cannot be installed via the command line, certmgr.msc can be used to install the trusted root and intermediate certificates.


            Method 2: Microsoft Internet Information Services (IIS)

            STEP 1: Create Self-Signed Certificate

            • Open Internet Information Services (IIS) on the Domain Controller.

            • Click the server name in the left pane.

            • Double-click on Server Certificates in the center pane.


            • Click Create Self-Signed Certificate... in the Actions pane.


            • Create a friendly name for the self-signed certificate. It can be anything you want.




            Updated: 26 Feb 2019 02:25 AM