alexmags/new-LDAPcert.ps1

## new-LDAPcert.ps1
# In a lab, or a AD domain with non-routable top level domain (.corp, .local etc...)
# Creating one self-signed cert usable across multiple domain controllers for encrypted LDAP

Import-Module ActiveDirectory
$addomain=get-addomain
$expirydate = (Get-Date).AddYears(1)

# Get all (currently existing) domain controllers to be subject alternative names (avoid cloud kerberos trust object)
$ArraySubjectAlternativeNames=(Get-ADComputer -SearchBase $addomain.DomainControllersContainer -filter *  | where {$_.name -ne 'AzureADKerberos'}).dnshostname
$ArraySubjectAlternativeNames+="ldap.$($addomain.DNSRoot)" # useful as movable DNS alias or for network load balancer

# Create cert with domain name as subject and DCs and ldap.fqdn as subject alternative names.
# https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
$mycert=New-SelfSignedCertificate -Subject $addomain.DNSRoot -DnsName $ArraySubjectAlternativeNames -CertStoreLocation cert:/LocalMachine/My -NotAfter $expirydate
$mycert | Format-list

# Export cert WITHOUT private key for import into LDAP clients
Export-Certificate -Cert $mycert -FilePath "$env:temp\$($addomain.DNSRoot)-PUBLIC.cer"  # this is a text file

# Export cert WITH private key for import into other domain controllers. Protect with shared password or lock to specific IDs
# https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
Export-PfxCertificate -cert $mycert -filepath "$env:temp\$($addomain.DNSRoot)-PRIVATE.pfx" -ProtectTo $env:username

# To import certs on other domain controllers, double click to import.
# NOTE: LDAP will use cert in personal store with longest expiry.  Server restart to take effect.
# Test with ldp.exe, connect with fully qualified domain name (not short NetBIOS name, not IP address) on port 636 and SSL
# Or programatically Import private key to other DCs
#  import-Certificate -CertStoreLocation Cert:\LocalMachine\my -FilePath fqdn-PRIVATE.pfx

# Import public key into Trusted CAs store to any server/client that needs to validate the cert as trusted
#  import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath fqdn-PUBLIC.cer
	# In a lab, or a AD domain with non-routable top level domain (.corp, .local etc...)
	# Creating one self-signed cert usable across multiple domain controllers for encrypted LDAP

	Import-Module ActiveDirectory
	$addomain=get-addomain
	$expirydate = (Get-Date).AddYears(1)

	# Get all (currently existing) domain controllers to be subject alternative names (avoid cloud kerberos trust object)
	$ArraySubjectAlternativeNames=(Get-ADComputer -SearchBase $addomain.DomainControllersContainer -filter * \| where {$_.name -ne 'AzureADKerberos'}).dnshostname
	$ArraySubjectAlternativeNames+="ldap.$($addomain.DNSRoot)" # useful as movable DNS alias or for network load balancer

	# Create cert with domain name as subject and DCs and ldap.fqdn as subject alternative names.
	# https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
	$mycert=New-SelfSignedCertificate -Subject $addomain.DNSRoot -DnsName $ArraySubjectAlternativeNames -CertStoreLocation cert:/LocalMachine/My -NotAfter $expirydate
	$mycert \| Format-list

	# Export cert WITHOUT private key for import into LDAP clients
	Export-Certificate -Cert $mycert -FilePath "$env:temp\$($addomain.DNSRoot)-PUBLIC.cer" # this is a text file

	# Export cert WITH private key for import into other domain controllers. Protect with shared password or lock to specific IDs
	# https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
	Export-PfxCertificate -cert $mycert -filepath "$env:temp\$($addomain.DNSRoot)-PRIVATE.pfx" -ProtectTo $env:username

	# To import certs on other domain controllers, double click to import.
	# NOTE: LDAP will use cert in personal store with longest expiry. Server restart to take effect.
	# Test with ldp.exe, connect with fully qualified domain name (not short NetBIOS name, not IP address) on port 636 and SSL
	# Or programatically Import private key to other DCs
	# import-Certificate -CertStoreLocation Cert:\LocalMachine\my -FilePath fqdn-PRIVATE.pfx

	# Import public key into Trusted CAs store to any server/client that needs to validate the cert as trusted
	# import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath fqdn-PUBLIC.cer