Forum Discussion
Configure Certificate for LDAPS and Others
Hi,
Thought I already posted this question but can't locate it now, so I guess it didn't work. Let's try again...
I've been asked to set up secure LDAP on our network, and this is something completely new to me. I've been searching around for tutorials and have found some but none of them go into how to create the certificate using Certificate Services. I have been searching but all I'm finding is information on how to install a certificate authority, but that's as far as they go.
What I've learned so far is that we have a Certificate Authority (CA) and an Intermediate Authority (IA), all installed by an ex-colleague, who didn't leave any notes or instructions on how to use them.
I have learned some things, like the CA should be protected and is powered down, I guess you power it up when you need it? And when I look in Certificates on our Domain Controller, I see a certificate under Local Computer\Personal\Certificates but it was issued by the CA, not the IA, and it expired last summer. Not sure how to go about renewing it or creating a new one from the IA.
If someone can point me in the direction of an easy-to-follow tutorial on how to manually create certificates, I'd appreciate it. So far, I'm not having any luck finding one.
Thanks in advance!
1 Reply
1. Verify Your CA and Intermediate CA
Since you mentioned that your organization has a Certificate Authority (CA) and an Intermediate Authority (IA), first verify that your CA is properly installed and active.
- Powering up the CA: It sounds like the CA is stored on a server that is usually powered down. Typically, a CA should be powered on when you need it to issue certificates. You can configure a Windows CA to issue certificates to domain controllers, and you can manage the CA through the Certification Authority management console (certsrv.msc).
- Intermediate Authority (IA): If you're using an intermediate CA, make sure that the CA certificate and its chain are properly trusted by the clients (e.g., Domain Controllers) that will be using the certificate.
2. Renew or Create a New Certificate for the Domain Controller
If the certificate on your Domain Controller expired, you'll need to renew or create a new one. Here's how to do that:
Renew the Certificate (If the Existing One Was Issued by Your CA):
- On the Domain Controller:
  - Open MMC (Microsoft Management Console) and add the Certificates snap-in for Local Computer.
  - Go to Personal > Certificates.
  - Find the expired certificate (issued by your CA).
  - Right-click on the certificate and select All Tasks > Renew Certificate with Same Key.
  - Follow the wizard and select your Internal CA to issue the certificate.
Create a New Certificate (If the Old One Was Invalid or Expired Long Ago):
If renewing the certificate isn't feasible or you want to generate a new one, here's how to manually request a certificate:
- Request a Certificate from the CA:
  - Open MMC, add the Certificates snap-in for Local Computer.
  - Right-click on Certificates and choose All Tasks > Request New Certificate.
  - Follow the wizard to request a new certificate. You may need to specify that it should be for Server Authentication (for LDAPS).
  - Make sure the Subject is correctly filled in (typically the Fully Qualified Domain Name (FQDN) of the Domain Controller).
- Enroll the Certificate:
  - The CA will issue a new certificate. If you're using an Intermediate Authority, ensure that it is trusted and that the entire certificate chain (Root and Intermediate CAs) is available.
- Install the Certificate:
  - Once the new certificate is issued, it will appear under Certificates > Personal on the Domain Controller.
  - Double-click the certificate and make sure it has the appropriate purposes enabled (Server Authentication).
3. Configure the Domain Controller to Use the New Certificate for LDAPS
Now that you have the new certificate, you need to configure your Domain Controller to use it for LDAPS.
- Verify LDAPS Binding:
  - LDAPS runs on port 636, so you need to ensure that your Domain Controller is listening on this port.
  - Run the following command to check if the LDAPS port is open: telnet <DomainControllerName> 636
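A PowerShell check that covers both halves of the reply above: whether Local Computer\Personal holds a usable Server Authentication certificate, and what certificate the Domain Controller actually presents on port 636 (something a plain telnet to 636 cannot show). This is an added example, not code from the original poster or the reply; the DC name is a placeholder and the script is assumed to run in an elevated session on the DC.

```powershell
# Added check script, not from the thread. Assumes an elevated PowerShell
# session on (or with network access to) the Domain Controller.
$DcFqdn = 'dc01.example.local'        # placeholder: replace with your DC's FQDN
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU

# 1. Local store: list Local Computer\Personal certs that LDAPS could use,
#    i.e. those with a private key and the Server Authentication purpose.
function Get-LdapsCandidateCerts {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
    }
}
foreach ($c in Get-LdapsCandidateCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0,-7} {1} issuer={2} expires={3:yyyy-MM-dd}' -f $state, $c.Subject, $c.Issuer, $c.NotAfter
}

# 2. Live check: open a TLS session to port 636 and inspect the certificate
#    the DC really serves, then validate its chain (Root + Intermediate).
function Test-LdapsCertificate {
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 636)
    # Accept any cert at handshake time only so we can capture it; the chain
    # is validated explicitly below instead of being trusted blindly.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)   # throws if the DC has no LDAPS cert bound
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CA is offline; CRL fetch would fail
        $chainOk = $chain.Build($served)
        [pscustomobject]@{
            Subject     = $served.Subject
            Issuer      = $served.Issuer
            NotAfter    = $served.NotAfter
            NameMatch   = ($served.DnsNameList.Unicode -contains $HostName)
            ChainValid  = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}
Test-LdapsCertificate -HostName $DcFqdn | Format-List
```

If ChainValid is false with a status such as PartialChain or UntrustedRoot, the Intermediate or Root CA certificate is missing from the client's trust stores, which is the chain problem the reply warns about.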