LDAP over SSL (LDAPS) for Domain Controller
Every domain controller has the Lightweight Directory Access Protocol (LDAP, TCP port 389) open so that 3rd party applications and systems such as firewall/VPN appliances can authenticate users against Active Directory. Plain LDAP on port 389 is insecure because a simple bind sends the user name and password, and the directory data that follows, in clear text on the wire. Therefore we need LDAPS (LDAP over SSL), which wraps the whole LDAP session in TLS. The default port for LDAPS is 636.
If your Active Directory is installed with an Enterprise CA, the domain controllers most likely already auto-enrol for a Domain Controller certificate and LDAPS is active on every one of them without further work. Below are the steps to request a certificate for a domain controller from a Microsoft stand-alone CA; once the certificate and its private key are in the right store, the domain controller picks it up and LDAPS is activated automatically.
1. Make sure you have at least one Microsoft Stand-alone CA installed in your organization
2. From the domain controller that needs LDAPS, create the file certificate.inf as in the example below; it is the input used to generate the certificate request file. The key must be created under the computer account (MachineKeySet = TRUE), otherwise it lands in the user's store and the domain controller will never find it.
;----------------- certificate.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=servername.domain.local" ; replace with the FQDN of the Domain Controller
KeySpec = 1                 ; AT_KEYEXCHANGE, required by Schannel
KeyLength = 2048
Exportable = FALSE          ; keep the DC's private key non-exportable
MachineKeySet = TRUE        ; key belongs to the computer account, not the logged-on user
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyUsage = 0xa0             ; Digital Signature + Key Encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;---------------------------------------------------
3. Create the certificate request file by the following command
certreq -new certificate.inf certificate.req
4. Submit the certificate request file to the Stand-alone CA
certreq -submit certificate.req
The system will prompt you to choose which stand-alone CA you want to submit the request to. Take note of the certificate request ID; it is needed for the issue and retrieve steps.
5. On the stand-alone Certificate Authority (CA), under "Pending Requests", right-click the request ID and select All Tasks – Issue. The certificate will move to the "Issued Certificates" folder.
6. Back on the domain controller that submitted the request, retrieve the issued certificate
certreq -retrieve <request id> certificate.cer
7. Install the certificate into the Personal store of the Computer Account. Because the request was generated on this machine, accepting the issued certificate (certreq -accept) pairs it with the private key created in step 3; simply importing the .cer file on another machine, or without that key, gives a certificate with no private key and LDAPS will not start.
8. Test LDAPS using ldp.exe: Connection > Connect, enter the domain controller FQDN (it must match the certificate subject, not an IP address), port 636, and tick SSL. A successful connection shows the RootDSE attributes; a failure here usually means the subject name does not match or the private key is not in the computer store.
9. You can now proceed with the LDAP over SSL integration on the 3rd party system/application. That system must trust the stand-alone CA's root certificate and must be configured with the domain controller's FQDN; otherwise the certificate will not validate and the appliance will either fail to bind or, worse, end up configured to skip certificate verification, which gives up the protection LDAPS was meant to add.
10. On Windows Server 2008, if the domain controller does not pick up the certificate from the computer's Personal store, you might need to import it into the Active Directory Domain Services service's own certificate store (NTDS\Personal), which the domain controller consults first.
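The ten steps above as one script, added here as an example and not part of the original post or of any Microsoft documentation. It is meant to run in an elevated PowerShell prompt on the domain controller. Assumptions not found in the original: the CA config string is "CAHOST\Standalone-CA" (host name and CA common name of your stand-alone CA), the account running it can submit requests and, for the issue step, administer the CA (if not, issue the request in the CA console as in step 5 and rerun from the retrieve step), and the stand-alone CA's root certificate is already in the domain controller's Trusted Root store so the TLS check at the end can validate the chain.

```powershell
# Added example (not from the original post): steps 2-8 as one script, run elevated on the DC.
# Assumptions (not in the original post): the CA is reachable as "CAHOST\Standalone-CA" and the
# running account can submit requests and issue them on the CA.
$ErrorActionPreference = 'Stop'
$caConfig = 'CAHOST\Standalone-CA'                  # assumed: <CA host>\<CA common name>
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$work     = Join-Path $env:TEMP 'ldaps-request'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work

# Step 2: request file. MachineKeySet=TRUE keeps the key under the computer account,
# which is where Schannel/LDAPS looks for it. ($ is escaped so the here-string keeps it.)
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path certificate.inf -Encoding ASCII

# Step 3: generate the key pair and the PKCS#10 request
certreq -new certificate.inf certificate.req

# Step 4: submit. -config skips the interactive CA picker; the output carries the request ID.
$submitOut = certreq -submit -config $caConfig certificate.req 2>&1 | Out-String
if ($submitOut -notmatch 'RequestId:\s+(\d+)') { throw "No request ID in certreq output:`n$submitOut" }
$requestId = [int]$Matches[1]

# Step 5: issue the pending request from the command line (needs CA administrator rights;
# otherwise do this in the CA console under Pending Requests > All Tasks > Issue).
certutil -config $caConfig -resubmit $requestId

# Steps 6-7: retrieve the issued certificate and accept it; -accept pairs it with the private
# key from step 3 in the computer account's Personal store, so no manual import is needed.
certreq -retrieve -config $caConfig $requestId certificate.cer
certreq -accept certificate.cer

# Step 8 (part 1): a raw TLS handshake to 636 shows which certificate the DC actually serves.
# AuthenticateAsClient throws if the chain or the host name does not validate.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($fqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Served: $($served.Subject) issued by $($served.Issuer), expires $($served.NotAfter), $($ssl.SslProtocol)"
$ssl.Dispose(); $tcp.Close()

# Step 8 (part 2): a real LDAP bind over SSL, which is what a firewall or VPN appliance will do.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldapId = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($fqdn, 636)
$ldap   = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapId)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()                              # an LdapException here means LDAPS is not working yet
"LDAPS bind to ${fqdn}:636 succeeded"
$ldap.Dispose()
```

The two checks at the end are deliberately separate: the SslStream handshake tells you which certificate is being served and whether its chain and name validate from a client's point of view, while the LdapConnection bind confirms the directory actually answers over the encrypted port. If the handshake fails on chain validation but the bind succeeds with certificate checks disabled, the problem is trust in the stand-alone CA's root, and that is exactly the trust the 3rd party appliance in step 9 will also need before it can validate the domain controller.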
Resources and References:
To renew the SSL certificate created by this post, please go to Renew SSL certificate for Domain Controller LDAPS
http://support.microsoft.com/kb/321051
http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx