Created
March 23, 2024 11:15
-
-
Save alexmags/565c129f40b98f69c78814852ca8230e to your computer and use it in GitHub Desktop.
PowerShell self-signed cert for LDAPs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# In a lab, or a AD domain with non-routable top level domain (.corp, .local etc...) | |
# Creating one self-signed cert usable across multiple domain controllers for encrypted LDAP | |
Import-Module ActiveDirectory | |
$addomain=get-addomain | |
$expirydate = (Get-Date).AddYears(1) | |
# Get all (currently existing) domain controllers to be subject alternative names (avoid cloud kerberos trust object) | |
$ArraySubjectAlternativeNames=(Get-ADComputer -SearchBase $addomain.DomainControllersContainer -filter * | where {$_.name -ne 'AzureADKerberos'}).dnshostname | |
$ArraySubjectAlternativeNames+="ldap.$($addomain.DNSRoot)" # useful as movable DNS alias or for network load balancer | |
# Create cert with domain name as subject and DCs and ldap.fqdn as subject alternative names. | |
# https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate | |
$mycert=New-SelfSignedCertificate -Subject $addomain.DNSRoot -DnsName $ArraySubjectAlternativeNames -CertStoreLocation cert:/LocalMachine/My -NotAfter $expirydate | |
$mycert | Format-list | |
# Export cert WITHOUT private key for import into LDAP clients | |
Export-Certificate -Cert $mycert -FilePath "$env:temp\$($addomain.DNSRoot)-PUBLIC.cer" # this is a text file | |
# Export cert WITH private key for import into other domain controllers. Protect with shared password or lock to specific IDs | |
# https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate | |
Export-PfxCertificate -cert $mycert -filepath "$env:temp\$($addomain.DNSRoot)-PRIVATE.pfx" -ProtectTo $env:username | |
# To import certs on other domain controllers, double click to import. | |
# NOTE: LDAP will use cert in personal store with longest expiry. Server restart to take effect. | |
# Test with ldp.exe, connect with fully qualified domain name (not short NetBIOS name, not IP address) on port 636 and SSL | |
# Or programatically Import private key to other DCs | |
# import-Certificate -CertStoreLocation Cert:\LocalMachine\my -FilePath fqdn-PRIVATE.pfx | |
# Import public key into Trusted CAs store to any server/client that needs to validate the cert as trusted | |
# import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath fqdn-PUBLIC.cer |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment