{"id":1442,"date":"2017-09-16T17:57:01","date_gmt":"2017-09-16T16:57:01","guid":{"rendered":"http:\/\/www.michaelm.info\/blog\/?p=1442"},"modified":"2017-09-16T18:35:09","modified_gmt":"2017-09-16T17:35:09","slug":"enabling-ldaps-on-domain-controllers-using-3rd-party-certificates","status":"publish","type":"post","link":"http:\/\/www.michaelm.info\/blog\/?p=1442","title":{"rendered":"Enabling LDAPS on domain controllers using 3rd party certificates"},"content":{"rendered":"<p>Enabling LDAPS (i.e. LDAPS over SSL\/TLS on port 636, or LDAP with STARTTLS on port 389) on Active Directory domain controllers requires a valid certificate to be added to each domain controller. Overall this process is reasonably documented, for example at\u00a0<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/321051\/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority\" target=\"_blank\" rel=\"noopener\">How to enable LDAP over SSL with a third-party certification authority<\/a>\u00a0and\u00a0<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dd941846(ws.10).aspx\" target=\"_blank\" rel=\"noopener\">Event ID 1220 \u2014 LDAP over SSL<\/a>\u00a0and <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/2980.ldap-over-ssl-ldaps-certificate.aspx\" target=\"_blank\" rel=\"noopener\">LDAP over SSL (LDAPS) Certificate<\/a>.<\/p>\n<p>So the basic steps are: generate a keypair, create a CSR, submit the CSR, obtain a certificate, and import that certificate into the AD DS personal store. This is the usual process for certificates.<\/p>\n<p>The missing bit of information is what to do when using OpenSSL to generate the key-pair and CSR. The certificate provided by the CA is likely to be in text .crt\/.cer (PEM) format (i.e. it contains\u00a0-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). To import into the AD DS personal store we need a .pfx (PKCS#12) file, which bundles the private key, the certificate and the CA certificate.<\/p>\n<p>To create a .pfx from the PEM key and certificates we can run (all on one line&#8230;):<\/p>\n<pre><code>openssl pkcs12 -export -out servername.pfx -inkey servername-key.pem -in servername-crt.pem -certfile \/path\/to\/rootCAcertificate.pem<\/code><\/pre>\n<p>We then transfer the .pfx file to the domain controller in question and follow the above documents&#8217; directions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enabling LDAPS (i.e. LDAPS over SSL\/TLS on port 636, or LDAP with STARTTLS on port 389) on Active Directory domain controllers requires a valid certificate to be added to each domain controller. Overall this process is reasonably documented, for example at\u00a0How to enable LDAP over SSL with a third-party certification authority\u00a0and\u00a0Event ID 1220 \u2014 LDAP over [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[243,247,140,246],"class_list":["post-1442","post","type-post","status-publish","format-standard","hentry","category-technical","tag-activedirectory","tag-ldaps","tag-openssl","tag-pfx"],"_links":{"self":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1442"}],"version-history":[{"count":5,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1442\/revisions"}],"predecessor-version":[{"id":1447,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1442\/revisions\/1447"}],"wp:attachment":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1442"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}