How to enable LDAP over SSL using Subject Alternate Names
With multiple Domain Controllers in AD, it makes little sense to hard-code any single DC into program code, applications or user profiles: that DC becomes a single point of failure during maintenance windows or when a physical machine dies unexpectedly. The best way to mitigate this is to create a DNS round-robin record for a friendly name, such as LDAP.Domain.com, that lists several Domain Controllers as possible endpoints. The catch is that each Domain Controller behind the friendly name must then carry a certificate, from either your internal PKI or a third-party CA such as VeriSign, whose Subject Alternative Name (SAN) includes the friendly name as well as the DC's own FQDN; otherwise the client's TLS hostname check against LDAP.Domain.com fails. Installing such a certificate on every DC is a requirement for talking LDAP over SSL/TLS through the round-robin name.
Here are two KB articles that outline the process:
- How to add a Subject Alternate Name to a secure LDAP certificate
- How to enable LDAP over SSL with a third-party Certificate Authority
There are 4 key steps to follow:
- Create the INF file, which determines which attributes to use
- Use the INF to create a request file
- Submit the request file to be signed by the Certificate Authority
- Accept and install the new certificate in the local computer store
- Step 1: Create the INF file, which determines which attributes to use. Save the blue text to a file and name it certnew.inf.
- Step 2: From the same directory where you saved certnew.inf, issue this command on the DC:
  certreq -new certnew.inf certnew.req
- Step 3: Submit the request to the Certificate Authority:
  certreq -submit certnew.req certnew.cer
  Note: certreq.exe will prompt you for which CA to use if you have multiple CAs in your environment.
- Step 4: Accept and install the issued certificate:
  certreq -accept certnew.cer
  Note: This command pairs the issued certificate with the private key that certreq -new generated and installs it in the local computer store. If you use the Certificate Authority Web Enrollment form instead and do not select "Store certificate in the local computer certificate store", the certificate lands in the current user store on the DC, which Schannel never consults, and LDAP over SSL with the SAN will not work.
If more than one server authentication certificate sits in the DC's computer store, Schannel picks one and caches that choice, so there is no way to control which certificate the DC presents to LDAP clients. Remove the other server authentication certificates from the DC's computer store (on Windows Server 2008 and later, placing the LDAPS certificate in the NTDS\Personal store instead makes it take precedence over the computer store).
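The four steps above as one script, run elevated on the DC, followed by the two checks a practitioner wants afterwards: that only one server authentication certificate is in the computer store, and that an LDAPS bind through the round-robin name is served by a certificate whose SAN contains that name. This is an added example, not the post's own INF or commands; the DC name, round-robin name, CA configuration string, template name and working directory are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Every value below is an assumption.
$dcFqdn   = 'dc01.corp.example.com'               # assumption: this DC's FQDN
$ldapName = 'ldap.corp.example.com'               # assumption: DNS round-robin name
$caConfig = 'ca01.corp.example.com\corp-CA01-CA'  # assumption: CA as "host\CA name"
$template = 'WebServer'                           # assumption: template that takes subject/SAN from the request
$workDir  = 'C:\certreq'                          # assumption
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir

function Invoke-CertReq([string[]]$CertReqArgs) {
    & certreq.exe @CertReqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CertReqArgs -join ' ') failed: exit code $LASTEXITCODE" }
}

# Step 1: the INF. MachineKeySet=TRUE keeps key and cert in the local computer store,
# the only store Schannel consults. The SAN lists the DC's FQDN and the round-robin name.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dcFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=$ldapName&"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path 'certnew.inf' -Value $inf -Encoding ASCII

# Step 2: generate the key pair in the machine store and the PKCS#10 request.
Invoke-CertReq @('-new', 'certnew.inf', 'certnew.req')

# Step 3: submit; -config names the CA so certreq does not prompt for one.
Invoke-CertReq @('-submit', '-config', $caConfig, 'certnew.req', 'certnew.cer')
if (-not (Test-Path 'certnew.cer')) {
    throw 'CA did not issue immediately (pending or denied); fetch it with certreq -retrieve before accepting.'
}

# Step 4: accept, pairing the issued cert with its pending private key in Cert:\LocalMachine\My.
Invoke-CertReq @('-accept', 'certnew.cer')

# Check 1: exactly one server-auth cert with a private key, otherwise Schannel's choice is not yours.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$sanOid        = '2.5.29.17'
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
})
foreach ($c in $candidates) {
    $san = ($c.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }) | ForEach-Object { $_.Format($false) }
    '{0}  {1}  SAN: {2}' -f $c.Thumbprint, $c.Subject, $san
}
if ($candidates.Count -ne 1) {
    Write-Warning "Found $($candidates.Count) server-auth certificates; remove the extras or use the NTDS\Personal store."
}

# Check 2: LDAPS bind through the round-robin name. The callback prints which certificate the
# DC presented and accepts it only if its chain builds and its SAN carries the round-robin name.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapName, 636, $true, $false)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $ext   = $cert2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san   = if ($ext) { $ext.Format($false) } else { '' }
    Write-Host "DC presented $($cert2.Subject) [$($cert2.Thumbprint)] SAN: $san"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    return ($chain.Build($cert2) -and ($san -match [regex]::Escape($ldapName)))
}.GetNewClosure()
$conn.Bind()
"LDAPS bind to $ldapName succeeded"
$conn.Dispose()
```

Because the round-robin name resolves to several DCs, run the bind check more than once (or against each DC's IP directly) to confirm every DC behind the name presents a certificate containing it; a DC that is missing the SAN entry will fail the callback's name check rather than silently succeed.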
Best of Luck,
Ed McKinzie
Do I have to create a request for each DC and have a separate cert?
Hello, one question: does a cert built from the Web Server template replace a cert built from the Domain Controller template? If I should delete every other cert in my local DC's store, how can I use the Web Server template, as this cert can't do Client Authentication?
You can only use a DC certificate for a domain controller. If you want to do some type of client\server auth, you must use a Mutual Authentication server certificate that has client\server enabled in the Enhanced Key Usage.