Generate SSL Certificates for Active Directory Domain Controllers

Microsoft Active Directory is a great repository of user data. When it is integrated with other products it needs to exchange data in a secure way. Here are some steps to generate the SSL certificate needed for secure data exchange.

Generate SSL request file

  1. Generate request.inf file with appropriate information
  2. Copy request.inf file to domain controller to generate request
  3. Generate the request file. Ex: certreq -new request.inf request.req
  4. Submit the request.req file to your third party CA to generate the SSL certificate

request.inf example

; ---------------- request.inf ----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=server.domain.com"
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
; ----------------------------------------------
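The four request steps above, done from PowerShell on the domain controller. This is an added example, not part of the original post: it writes the request.inf shown above, then runs certreq -new and dumps the resulting CSR so you can check it before sending it to the CA. Two settings differ from the article's file on purpose: KeyLength is 2048, because public CAs no longer accept 1024-bit keys, and a Subject Alternative Name is added, because most current TLS clients match the host name against the SAN rather than the CN. The DC name server.domain.com and the folder C:\certs are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): build request.inf and generate the CSR.
# Assumed values: the DC name server.domain.com and the working folder C:\certs.
$DcFqdn  = "server.domain.com"           # assumption: your DC's fully qualified name
$WorkDir = "C:\certs"                    # assumption: any folder on the DC
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Same settings as the article's request.inf, except KeyLength = 2048 (the minimum
# public CAs accept) and an [Extensions] section that adds a Subject Alternative Name.
# Exportable = TRUE is kept from the article; FALSE is the safer choice once you no
# longer need to copy the private key anywhere.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn&"
"@

# certreq reads the .inf as plain ANSI text; a UTF-8 BOM or the "smart quotes" that
# word processors and some web pages produce will make it fail to parse.
Set-Content -Path "$WorkDir\request.inf" -Value $inf -Encoding Ascii

# Step 3 of the article: create the key pair in the machine store and write the CSR.
certreq -new "$WorkDir\request.inf" "$WorkDir\request.req"

# Before step 4 (submitting to the CA), confirm the CSR carries what you expect:
# look for the Subject line, "Public Key Length: 2048 bits" and the dns= entry
# under the Subject Alternative Name extension in the dump.
certutil -dump "$WorkDir\request.req"
```

Run it in an elevated PowerShell session, because the key pair is created in the machine (not user) key store as MachineKeySet = TRUE requires.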

Import SSL certificate to Domain Controller

  1. Receive SSL certificate from third party CA
  2. Copy *.cer file to domain controller
  3. Import certificate. Ex: certreq -accept certfile.cer

Validate SSL certificate was installed correctly

  1. Open a new MMC console on the domain controller on which you installed the new SSL certificate
  2. Add Certificate snap-in
  3. Expand Certificates (Local Computer)
  4. Expand Personal
  5. Expand Certificates
  6. Open the certificate's properties and validate that they show Server Authentication.
  7. Restart the Domain controller
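The import step and the MMC validation steps above, done from PowerShell. This is an added example, not part of the original post: it runs certreq -accept, then finds the certificate in the same store the MMC snap-in shows (Certificates (Local Computer) > Personal > Certificates), confirms it has a private key and the Server Authentication usage, and checks that its chain builds to a root the DC trusts, which is a requirement for the DC to offer it on port 636. The file path C:\certs\certfile.cer and the DC name server.domain.com are assumptions.

```powershell
# Added example (not from the original post): accept the CA-issued certificate and
# validate it in the machine Personal store. Assumed values: C:\certs\certfile.cer
# (the .cer returned by the CA) and the DC name server.domain.com.
$CertFile = "C:\certs\certfile.cer"       # assumption: the certificate file from the CA
$DcFqdn   = "server.domain.com"           # assumption: your DC's fully qualified name

# Import step 3: certreq pairs the issued certificate with the private key that
# certreq -new created and places the result in Cert:\LocalMachine\My.
certreq -accept $CertFile

function Get-DcServerAuthCertificate {
    param([Parameter(Mandatory)][string]$DnsName)

    # Cert:\LocalMachine\My is the "Certificates (Local Computer) > Personal >
    # Certificates" node of the MMC snap-in. Keep the newest matching certificate
    # in case an older one for the same name is still present.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and   # Server Authentication
        ($_.Subject -eq "CN=$DnsName" -or $_.DnsNameList.Unicode -contains $DnsName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-DcServerAuthCertificate -DnsName $DcFqdn
if (-not $cert) {
    throw "No Server Authentication certificate with a private key for $DcFqdn in LocalMachine\My"
}

# The DC only uses the certificate if the whole chain builds to a root in its own
# Trusted Root store, so check that now rather than discovering it on port 636.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    KeyLength   = $cert.PublicKey.Key.KeySize
    EKU         = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    ChainBuilds = $chainOk
    ChainStatus = ($chain.ChainStatus.StatusInformation -join '; ')
} | Format-List
```

If ChainBuilds is False, ChainStatus names the missing or untrusted issuer; install the CA's intermediate and root certificates in the Local Computer store before restarting the domain controller (step 7).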

Verifying SSL Connection to Active Directory

After the SSL certificate is installed you can validate the connection.

  1. Start Active Directory Administration Tool (ldp.exe)
  2. Open a new connection to the domain controller with the certificate. Ex: Connection Menu>Connect
  3. Type the name of the DC with the SSL certificate.
  4. Type the port number. Ex: 636
  5. Click OK.
  6. The information should appear in the right pane indicating a successful connection.
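The ldp.exe check in steps 1 to 6, done from a script so it can be repeated from any client. This is an added example, not part of the original post: it uses .NET's SslStream to complete a TLS handshake on port 636 and then reports what the DC presented, checking the three things an LDAPS client will refuse on: the Server Authentication usage (the same OID the request.inf asked for), a name match, and a chain that builds to a trusted root on the client. The DC name server.domain.com is an assumption.

```powershell
# Added example (not from the original post): verify the LDAPS certificate a DC
# presents on port 636. Assumed value: the DC name server.domain.com.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    try {
        # Accept whatever the server sends so the handshake completes; the chain and
        # name checks are done explicitly below so every problem is reported at once.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DomainController)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Server Authentication EKU (1.3.6.1.5.5.7.3.1), as requested in request.inf.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        # Subject Alternative Name as text (e.g. "DNS Name=server.domain.com"), if present.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $nameMatches = ($cert.Subject -eq "CN=$DomainController") -or ($san -like "*$DomainController*")

        # Does the chain build to a root this client trusts?
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Server        = "${DomainController}:$Port"
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $hasServerAuth
            NameMatches   = $nameMatches
            ChainTrusted  = $chainOk
            ChainStatus   = ($chain.ChainStatus.StatusInformation -join '; ')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# A healthy result shows ServerAuthEku, NameMatches and ChainTrusted all True; any
# False value explains why ldp.exe (or an LDAPS client) would refuse the connection.
Test-LdapsCertificate -DomainController "server.domain.com" | Format-List
```

Connect using the same name you put in the certificate (the FQDN, not a short name or IP address), since NameMatches compares the name you pass against the CN and SAN; a mismatch there is the most common reason an application's LDAPS bind fails even though ldp.exe on the DC itself succeeds.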

Microsoft Articles

http://support.microsoft.com/default.aspx/kb/321051

http://technet.microsoft.com/en-us/library/cc782583.aspx
