- Create root certificate
- Import root certificate into trusted store of domain controller
- Create client certificate
- Accept and import certificate
- Reload active directory SSL certificate
- Test LDAPS using the ldp.exe utility
From the OpenSSL machine (Linux), create a new private key and root certificate:
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
The req command prompts for the subject fields; give the CA its own name (for example an internal CA name) in the CN, not the domain controller's FQDN. You should now have ca.key and ca.crt. The -des3 option encrypts ca.key with a passphrase; keep that file off the domain controller and away from the domain in general, because anyone holding it can issue certificates that every machine trusting ca.crt will accept.
- From the active directory server, open Manage computer certificates.
- Add the generated ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.
- Done. Note that ca.crt must also be trusted by every client that will connect over LDAPS; otherwise those clients will reject the domain controller's certificate even though the server side is configured correctly.
From the active directory server:
- Create a new request.inf definition with the following contents, replacing ACTIVE_DIRECTORY_FQDN with the fully qualified domain name of your active directory server:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=ACTIVE_DIRECTORY_FQDN"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
The KeyLength here is 2048; the original recipe used 1024, which is a deprecated RSA size, so use at least 2048. KeyUsage 0xa0 is Digital Signature plus Key Encipherment, and the EKU OID is Server Authentication, which is what the LDAPS listener needs.
- Run the following to create a new certificate request, client.csr, for the domain controller (the files are named "client" because the domain controller is the client of the CA; the certificate itself is a server-authentication certificate). It is critical that this is run on the active directory server, because with MachineKeySet = TRUE certreq generates the private key in the machine's key store, and that is what later links the issued certificate to its private key:
C:\> certreq -new request.inf client.csr
Back on the OpenSSL system:
- Create v3ext.txt containing the following:
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
Newer clients match the host name against the Subject Alternative Name rather than the CN, so consider also adding a subjectAltName DNS entry for the domain controller's FQDN to this file.
- Create a certificate, client.crt, from the certificate request client.csr, signed with the CA certificate and its private key:
$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -set_serial 01 -out client.crt
- Verify the generated certificate:
$ openssl x509 -in client.crt -noout -text
- Ensure the following X509v3 extensions are all present:
X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Subject Key Identifier
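The CA-side steps above (create the root, write v3ext.txt, sign client.csr, check the extensions) as one non-interactive script. This is an added example, not code from the original page. Because certreq is not available on the OpenSSL box, the domain controller's request is stood in for by an OpenSSL-generated CSR (on a real deployment, copy client.csr from the domain controller instead and skip that function); the CA passphrase is passed on the command line to avoid prompts; and the FQDN dc01.example.test, the CA subject and the output directory are assumptions. It goes beyond the page in two ways: it adds a subjectAltName for the FQDN, which host-name verification in newer clients relies on, and it verifies that the issued certificate chains to ca.crt, the same check any LDAPS client performs once ca.crt is in its trust store.

```shell
#!/bin/sh
# Added example (not from the original page): the OpenSSL-side steps of the
# LDAPS recipe as one script. Assumptions: the domain controller's FQDN is
# dc01.example.test, the CA subject below is made up, the CA passphrase is
# "capass", and output goes to a temporary directory (override with WORK=).
set -eu

WORK="${WORK:-$(mktemp -d)}"
DC_FQDN="${DC_FQDN:-dc01.example.test}"
CA_PASS="capass"

# Step 1: CA private key (encrypted with -des3, as on the page) and
# self-signed root certificate. The CN names the CA, not the DC.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 \
        -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Internal Root CA" \
        -out "$WORK/ca.crt"
}

# Stand-in for "certreq -new request.inf client.csr" on the DC: a PKCS#10
# request with CN = FQDN. On a real deployment this function is not used;
# the CSR produced by certreq is copied to $WORK/client.csr instead.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/client.key" -subj "/CN=$DC_FQDN" \
        -out "$WORK/client.csr" 2>/dev/null
}

# Step 2: v3ext.txt from the page plus a subjectAltName for the FQDN.
write_v3ext() {
    cat > "$WORK/v3ext.txt" <<EOF
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
subjectAltName=DNS:$DC_FQDN
EOF
}

# Step 3: issue client.crt from client.csr, signed by the CA.
sign_request() {
    openssl x509 -req -days 3650 -sha256 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -extfile "$WORK/v3ext.txt" -set_serial 01 -out "$WORK/client.crt" 2>/dev/null
}

# Step 4: the manual "ensure the extensions are present" check, as a
# function that succeeds only if every required extension is in the cert.
check_extensions() {
    text=$(openssl x509 -in "$WORK/client.crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment' &&
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Key Identifier' &&
    printf '%s\n' "$text" | grep -q "DNS:$DC_FQDN"
}

# What an LDAPS client will do with ca.crt in its trust store: build and
# validate the chain from client.crt up to the root.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null
}

# Subject of the issued certificate, e.g. "CN=dc01.example.test".
cert_subject_cn() {
    openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

main() {
    make_ca
    make_request
    write_v3ext
    sign_request
    check_extensions
    verify_chain
    echo "Issued certificate for $(cert_subject_cn); files are in $WORK"
}

main
```

Copy client.crt back to the domain controller for the certreq -accept step that follows; ca.key stays on the OpenSSL machine. If verify_chain fails here, it will fail on every LDAPS client too, so fix it before touching the domain controller.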
- From the active directory server, with client.crt present, run the following:
C:\> certreq -accept client.crt
- Open Manage computer certificates; the new certificate should now be present under Personal\Certificates. Ensure that:
  - the certificate has a private key association (if it does not, the request was not generated on this server with certreq, and the listener will not be able to use it),
  - "Intended Purposes" is "Server Authentication",
  - the certificate name is the FQDN of the active directory server.
- Reboot the server so the domain controller picks up the new certificate for LDAPS.