Renew SSL certificate for Domain Controller LDAPS

If you created the SSL certificate for LDAP over SSL on a Domain Controller through an internal Microsoft stand-alone CA, as shown in the LDAP over SSL for Domain Controller article, you may run into a problem renewing that certificate through the MMC GUI.

When you try to Renew This Certificate With The Same Key in the Certificates MMC snap-in, you get the following error:


Enrollment Error
The request contains no certificate template information.

The workaround is to renew the certificate from the command line with certreq, as follows:

1. On the Domain Controller whose certificate you need to renew, find the certificate thumbprint. The steps to find the thumbprint are:

a.) Open the Microsoft Management Console (MMC) snap-in for certificates.
b.) In the Console Root window’s left pane, click Certificates (Local Computer).
c.) Expand the Personal folder
d.) Expand the Certificates folder
e.) Double-click on your target certificate.
f.) In the Certificate dialog box, click the Details tab.
g.) Scroll through the list of fields till you find the Thumbprint.
h.) Copy the hexadecimal characters from the box, for example the thumbprint "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c".

2. Create cert-renew.inf as shown below and paste the thumbprint gathered in the previous step into RenewalCert. Put the value in opening and closing quotes if the thumbprint contains spaces.

; ----------------- cert-renew.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domain.local"   ; replace with the FQDN of the DC
UseExistingKeySet = TRUE
MachineKeySet = TRUE
RenewalCert = "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c"


3. Open a command prompt and create the certificate request:

certreq -new cert-renew.inf cert-renew.req

4. Submit the certificate request to the internal stand-alone CA:

certreq -submit cert-renew.req

If the request is submitted successfully, the internal CA returns a RequestID; note it, as you need it in step 6.

5. On the internal CA, approve the pending request.

6. Back on the Domain Controller that made the request, retrieve the certificate (replace RequestID with the ID returned in step 4):

certreq -retrieve RequestID cert-renew.cer

7. Accept (install) the certificate into the machine store:

certreq -accept cert-renew.cer
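The same certreq renewal done from PowerShell, as an added example that is not code from the original post: the thumbprint is read from the certificate store instead of being copied by hand, the INF is generated from it, and a final check reads back which certificate the DC actually serves on port 636. Assumptions not in the post: the CA config string "ca01.domain.local\Internal-CA" is a placeholder for your stand-alone CA ("CAhost\CA name", as printed by "certutil -dump"), the DC FQDN is taken from the machine itself, and the commands run in an elevated prompt on the Domain Controller.

```powershell
# Added example, not from the original post. Placeholders: the CA config string
# and the file names. Run elevated on the Domain Controller.

function Get-DcLdapsCertificate {
    # Pick the machine certificate whose subject CN is this DC's FQDN and that
    # carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), which is what
    # Schannel needs for LDAPS. Soonest-expiring first: that is the one to renew.
    param([string]$Fqdn)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        } |
        Sort-Object NotAfter | Select-Object -First 1
}

function New-DcCertRenewalRequest {
    # Steps 1-4 of the post: write cert-renew.inf, build the request, submit it.
    # Returns the RequestID printed by the CA; on a stand-alone CA the request
    # stays pending until an administrator issues it.
    param([string]$CaConfig, [string]$Fqdn)
    $cert = Get-DcLdapsCertificate -Fqdn $Fqdn
    if (-not $cert) { throw "No Server Authentication certificate for CN=$Fqdn in LocalMachine\My" }
    Write-Host ("Renewing thumbprint {0} (expires {1:u})" -f $cert.Thumbprint, $cert.NotAfter)

    # Same INF as the post. The thumbprint from the store has no spaces, but
    # quoting keeps the line valid either way.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
UseExistingKeySet = TRUE
MachineKeySet = TRUE
RenewalCert = "$($cert.Thumbprint)"
"@
    Set-Content -Path .\cert-renew.inf -Value $inf -Encoding ASCII

    certreq -new cert-renew.inf cert-renew.req | Out-Null
    # -config names the CA explicitly so certreq does not open a CA picker dialog.
    $out = certreq -submit -config $CaConfig cert-renew.req 2>&1 | Out-String
    if ($out -notmatch 'RequestId:\s*"?(\d+)') { throw "Submission failed:`n$out" }
    return [int]$Matches[1]
}

function Complete-DcCertRenewal {
    # Steps 6-7 of the post, run after the CA administrator has issued the request.
    param([string]$CaConfig, [int]$RequestId)
    certreq -retrieve -config $CaConfig $RequestId cert-renew.cer | Out-Null
    certreq -accept cert-renew.cer | Out-Null
}

function Get-ServedLdapsCertificate {
    # Check: open a TLS session to port 636 and return the certificate Schannel
    # actually serves. Chain validation is skipped on purpose here because the
    # goal is to read the served thumbprint, not to trust the connection.
    param([string]$Fqdn)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

# --- usage (placeholders) ---
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ca   = 'ca01.domain.local\Internal-CA'
$id   = New-DcCertRenewalRequest -CaConfig $ca -Fqdn $fqdn
"RequestID $id submitted; issue it on the CA, then run:"
"  Complete-DcCertRenewal -CaConfig '$ca' -RequestId $id"
"  (Get-ServedLdapsCertificate -Fqdn '$fqdn').Thumbprint   # should show the new certificate"
```

The served-certificate check matters because Schannel chooses the LDAPS certificate from the machine store on its own; comparing the thumbprint it serves with the one certreq -accept installed confirms the renewal took effect, and the old certificate can then be removed from the store once nothing still references it.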




Extend Windows Server Partition Size without reformat

There are many cases where we need to add more hard disk space to a server. You can of course create the new space as a separate partition/drive, but that may not work for applications or data that must stay on the existing partition. Below are the steps to extend or resize an existing partition on Windows Server 2003 and above:

  1. Insert the new hard disk into the server.
  2. If you are currently using RAID1, convert it to RAID5 in the RAID management software (each server brand has its own RAID management tool, e.g. HP Array Configuration Utility).
  3. If you are currently using RAID5, just extend the RAID5 array with the new hard disk using the RAID management software. It might take up to 1 day depending on the size of the hard disk and the speed of the server.
  4. Extend the Logical Array with the new free capacity in the RAID management software. This will take time as well.
  5. Use DiskPart, which is available on Windows Server 2003 and above. Run the following commands in a DOS/cmd prompt:

DiskPart            Disk partitioning tool from Microsoft, included with Windows Server 2003 and above
List Volume         List the volumes/drives currently configured
Select Volume #     Where # is the volume number gathered from the previous step
Extend Size=xxxx    Where xxxx is the size in MB by which to grow the volume (1 GB is 1024 MB). If you use Extend without specifying a size, it uses all the available free space
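The DiskPart step as a script run with "diskpart /s", as an added example that is not from the original post: the volume number is looked up from "list volume" rather than read off the screen, the GB to MB conversion is done in code, and a preview switch prints the script before anything is changed. Drive letter and size are parameters; nothing here is server-specific. Two caveats a practitioner should know: DiskPart's Extend needs contiguous unallocated space immediately after the volume on the same basic disk, and on Windows Server 2003 DiskPart cannot extend the system or boot volume (which is why the post points to a boot-disc tool for the C: drive).

```powershell
# Added example, not from the original post. Run from an elevated prompt.

function Get-DiskPartVolumeNumber {
    # Parse "list volume" output and return DiskPart's volume number for a drive letter.
    param([string]$DriveLetter)
    $listing = 'list volume' | diskpart
    $pattern = '^\s*Volume\s+(\d+)\s+' + [regex]::Escape($DriveLetter.ToUpper()) + '\s'
    $hit = $listing | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $hit) { throw "DiskPart lists no volume with drive letter $DriveLetter" }
    return [int]$hit.Matches[0].Groups[1].Value
}

function New-DiskPartExtendScript {
    # Build the DiskPart command lines. SizeGB 0 means "extend into all contiguous
    # free space", which is DiskPart's own behaviour when no size is given.
    param([int]$VolumeNumber, [int]$SizeGB = 0)
    $extend = if ($SizeGB -gt 0) { 'extend size={0}' -f ($SizeGB * 1024) } else { 'extend' }  # 1 GB = 1024 MB
    return @("select volume $VolumeNumber", $extend)
}

function Expand-VolumeWithDiskPart {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [int]$SizeGB = 0,
        [switch]$Preview     # print the script instead of running it
    )
    $vol   = Get-DiskPartVolumeNumber -DriveLetter $DriveLetter
    $lines = New-DiskPartExtendScript -VolumeNumber $vol -SizeGB $SizeGB
    if ($Preview) { Write-Host "Would run diskpart /s with:`n$($lines -join "`n")"; return }
    $scriptPath = Join-Path $env:TEMP 'extend-volume.txt'
    Set-Content -Path $scriptPath -Value $lines -Encoding ASCII
    diskpart /s $scriptPath
}

# Usage: preview first, then grow E: by 50 GB (51200 MB)
Expand-VolumeWithDiskPart -DriveLetter E -SizeGB 50 -Preview
# Expand-VolumeWithDiskPart -DriveLetter E -SizeGB 50
```

Running DiskPart from a script file keeps the exact commands in a reviewable artifact, which is useful on a production server where a mistyped "select volume" number in the interactive prompt would extend the wrong drive.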



If you need to perform more complicated hard disk management tasks, such as shrinking or extending the C: drive, you can try Parted Magic, which comes under the GNU GPL v2 license. Just burn it to a disc or USB drive and boot from it. Personally I found its hardware (RAID/SCSI controller card) support much better than certain commercial products.