Microsoft Active Directory holds the organisation's user data, and when other products integrate with it they need to exchange that data over an encrypted channel. The steps below generate and install the SSL certificate a domain controller needs to serve LDAP over SSL (LDAPS, TCP port 636).
Generate SSL request file
- Create request.inf with the domain controller's fully qualified DNS name as the subject (example below)
- Copy request.inf to the domain controller; certreq generates the private key in the machine store of the host it runs on, so the request must be created on the DC that will use the certificate
- Generate the request file. Ex: certreq -new request.inf request.req
- Submit request.req to your third-party CA to obtain the SSL certificate
request.inf example
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; The DC's fully qualified DNS name, exactly as clients will connect to it
Subject = "CN=server.domain.com"
KeySpec = 1
KeyLength = 2048
; Use 2048 or 4096. Public CAs no longer issue certificates for
; 1024-bit RSA keys; larger keys cost more CPU per TLS handshake.
Exportable = FALSE
; Set Exportable = TRUE only if you must move this key to another
; host. An exportable key can be copied off the DC and used to
; impersonate it.
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
; Subject Alternative Name carrying the DC's DNS name. Clients match
; the host name against the SAN rather than the CN, and most CAs
; will not issue a server certificate without one.
2.5.29.17 = "{text}"
_continue_ = "dns=server.domain.com&"
;-----------------------------------------------
Import SSL certificate to Domain Controller
- Receive SSL certificate from third party CA
- Copy the *.cer file to the same domain controller that generated the request; certreq -accept binds the certificate to the pending private key in that machine's store, and on any other host there is no matching key
- Import the certificate. Ex: certreq -accept certfile.cer
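The whole request/accept round trip as one PowerShell script, added here as an example; it is not part of the original post. It assumes an elevated PowerShell session on the domain controller itself, takes the DC's FQDN from DNS, uses C:\ldaps as the working directory and expects the CA's reply to be saved there as certfile.cer; the directory and file names are assumptions you can change.

```powershell
# Added example: generate the LDAPS CSR on this DC and later accept the CA's reply.
# Assumptions (not from the original post): elevated PowerShell on the DC,
# working directory C:\ldaps, CA reply saved as C:\ldaps\certfile.cer.

$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. dc01.domain.com
$WorkDir = 'C:\ldaps'
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'certfile.cer'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Same layout as the hand-written request.inf, with the DC's name filled in:
#  - KeyLength 2048: public CAs no longer sign 1024-bit RSA keys.
#  - Exportable FALSE: the private key stays bound to this DC's machine store.
#  - [Extensions] adds a Subject Alternative Name (OID 2.5.29.17) with the FQDN.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@

function New-LdapsRequest {
    # Writes request.inf and runs certreq -new, which creates the key pair in the
    # machine store (visible under "Certificate Enrollment Requests") and the PKCS#10 file.
    Set-Content -Path $InfPath -Value $Inf -Encoding ASCII
    & certreq.exe -new $InfPath $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Write-Host "Submit $ReqPath to the CA, save the reply as $CerPath, then run Install-LdapsCertificate."
}

function Install-LdapsCertificate {
    # Must run on the same DC that generated the request: certreq -accept matches the
    # issued certificate to the pending private key in this machine's store.
    if (-not (Test-Path $CerPath)) { throw "CA reply not found at $CerPath" }
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    # The issued certificate now sits in LocalMachine\My together with its private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Fqdn) } |
        Select-Object Subject, Thumbprint, NotAfter
}

New-LdapsRequest
# Install-LdapsCertificate   # run this after the CA reply has been saved as $CerPath
```

The two steps are split into functions because they happen days apart: run the script once to produce the CSR, and call Install-LdapsCertificate in a later session on the same DC once the CA has returned the certificate.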
Validate SSL certificate was installed correctly
- Open a new MMC console (mmc.exe) on the domain controller where you installed the new SSL certificate
- Add the Certificates snap-in and choose Computer account, Local computer
- Expand Certificates (Local Computer) > Personal > Certificates
- Open the new certificate and confirm that Intended Purposes lists Server Authentication, that the subject or Subject Alternative Name is the DC's fully qualified DNS name, and that the General tab reads "You have a private key that corresponds to this certificate"
- Check the Certification Path tab: the issuing CA (and any intermediate) must be present under Trusted Root Certification Authorities / Intermediate Certification Authorities, otherwise clients will reject the chain
- Restart the domain controller so the LDAP service loads the new certificate
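A scripted version of the MMC check above, added here as an example and not taken from the original post. It runs on the DC, takes the DC's FQDN from DNS (assumption), and reports for every certificate in the machine's Personal store whether it satisfies the requirements for LDAPS: name match, Server Authentication EKU, private key present, inside its validity period, and a chain that builds to a trusted root.

```powershell
# Added example: audit LocalMachine\My for a certificate usable for LDAPS.
# Assumption (not from the original post): runs on the DC, FQDN resolved from DNS.
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-LdapsServerCertificate {
    param([string]$HostName = $Fqdn)

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Name match: the CN or any SAN dNSName must equal the DC's FQDN.
        $cn     = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
        $nameOk = ($cn -eq $HostName) -or ($cert.DnsNameList.Unicode -contains $HostName)

        # EKU must include Server Authentication; the key must be present in this store.
        $ekuOk  = $cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
        $keyOk  = $cert.HasPrivateKey
        $dateOk = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))

        # Chain build: issuing and root CA certificates must be in the machine's
        # Intermediate / Trusted Root stores, or LDAPS clients will reject the chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' for a full audit
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            NameMatches   = $nameOk
            ServerAuthEku = $ekuOk
            HasPrivateKey = $keyOk
            InValidity    = $dateOk
            ChainBuilds   = $chainOk
            ChainStatus   = (($chain.ChainStatus.StatusInformation) -join '; ').Trim()
            Usable        = ($nameOk -and $ekuOk -and $keyOk -and $dateOk -and $chainOk)
        }
    }
}

$report = Test-LdapsServerCertificate
$report | Format-Table Thumbprint, NameMatches, ServerAuthEku, HasPrivateKey, InValidity, ChainBuilds, Usable -AutoSize
if (-not ($report | Where-Object Usable)) {
    Write-Warning "No certificate in LocalMachine\My is usable for LDAPS on $Fqdn."
}
```

If more than one row comes back as Usable, the DC will pick one of them for LDAPS on its own; remove or move the certificates you do not intend to serve so the choice is unambiguous.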
Verifying SSL Connection to Active Directory
After the SSL certificate is installed, validate the connection with ldp.exe.
- Start the Active Directory Administration Tool (ldp.exe)
- Open a new connection to the domain controller holding the certificate. Ex: Connection menu > Connect
- Type the fully qualified DNS name of the DC; it must match the certificate's subject or Subject Alternative Name, so an IP address or short host name will fail the name check
- Type the port number (636) and tick the SSL checkbox
- Click OK.
- The DC's rootDSE attributes appear in the right pane, indicating that the TLS handshake and the LDAP connection succeeded. If ldp.exe reports that it cannot open the connection, recheck the name, the Server Authentication purpose and the trust chain from the previous section.
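A scripted equivalent of the ldp.exe check, added here as an example and not part of the original post. The first function performs the TLS handshake to port 636 and reports the certificate the DC actually served, with an explicit trust and name check; the second does what ldp.exe does after Connect, an LDAPS session and an anonymous rootDSE read, using the Windows LDAP client's default (strict) certificate validation. The server name dc01.domain.com is a placeholder.

```powershell
# Added example: verify LDAPS from a client's point of view. Not from the original post.
# Assumptions: the DC is reachable on TCP 636; 'dc01.domain.com' is a placeholder name.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapsServerCertificate {
    # Completes the TLS handshake and returns the presented certificate plus
    # the results of the client-side chain and host-name checks.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        # Accept every certificate in the callback so the handshake completes and the
        # served certificate can be inspected; trust is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $nameOk  = ($cert.DnsNameList.Unicode -contains $Server) -or
                   ($cert.Subject -match "(^|,\s*)CN=$([regex]::Escape($Server))(,|$)")

        [pscustomobject]@{
            Server       = $Server
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            NameMatches  = $nameOk
            ChainTrusted = $chainOk
            ChainStatus  = (($chain.ChainStatus.StatusInformation) -join '; ').Trim()
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-LdapsRootDse {
    # ldp.exe's Connect: open an SSL session and read rootDSE anonymously.
    # Default validation applies, so this throws if the client would not trust the DC.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Bind()

        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', 'Base',
                    @('dnsHostName', 'defaultNamingContext', 'supportedLDAPVersion'))
        $root = $conn.SendRequest($req).Entries[0]
        [pscustomobject]@{
            DnsHostName          = $root.Attributes['dnsHostName'].GetValues([string])[0]
            DefaultNamingContext = $root.Attributes['defaultNamingContext'].GetValues([string])[0]
            SupportedLDAPVersion = ($root.Attributes['supportedLDAPVersion'].GetValues([string])) -join ','
        }
    } finally { $conn.Dispose() }
}

Get-LdapsServerCertificate -Server 'dc01.domain.com' | Format-List
Test-LdapsRootDse         -Server 'dc01.domain.com' | Format-List
```

Run it from a machine other than the DC: a handshake that succeeds locally but fails from a client almost always means the client lacks the CA chain, which the ChainStatus field will say.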
Microsoft Articles