Forum Discussion
Create and Import Certificate for all server Child AD
- Nov 07, 2023
Hi ThanhNha0903,
In regards to your questions about LDAPS configuration for Active Directory, here are some recommendations:
1. Certificate Option:
For the certificate, it is generally recommended to use a wildcard certificate (*.contoso.contosocorp.vn) instead of listing all server hostnames individually. This simplifies certificate management and avoids the need to update the certificate whenever a new server is added or removed.
2. Certificate Import:
The certificate should be imported to the NTDS Service's Personal certificate store. This ensures that the certificate is used by the Active Directory Domain Services (AD DS) service for secure LDAP communication. Importing the certificate to the Computer store would only make it available for general machine authentication, not specifically for LDAPS.
Additional Considerations:
- Ensure that the certificate is issued by a trusted Certificate Authority (CA).
- Verify that the certificate's validity period is sufficient for your needs.
- Distribute the certificate to all domain controllers in the child domain.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Thanks for responding,
I have 2 questions for 1. Certificate Option.
Question 1: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.com.vn, and the domain ldap.contoso.com.vn points to some ADs and is used for clients to connect, will the connection succeed? Because we don't want clients to connect to one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.com.vn.
Question 2: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn, and ldap.contoso.contosocorp.vn points to some ADs and is used for clients to connect, will the connection succeed? Because we don't want clients to connect to one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.contosocorp.vn.
Kindest regards,
Nguyen Thanh Nha
Hi ThanhNha0903,
thanks for your update and additional questions:
Question 1:
Yes, a certificate with the subject name (SN) *.contoso.contosocorp.vn and ldap.contoso.com.vn is sufficient to allow clients to connect to either AD domain. This is because the wildcard character (*) in the SN matches any hostname within the contoso.contosocorp.vn domain. When a client attempts to connect to ldap.contoso.com.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.
Question 2:
Yes, if the DNS record for ldap.contoso.contosocorp.vn points to one of the AD domains and a certificate with the SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn is created, clients can connect to that AD domain using that certificate. This is because the SN *.contoso.contosocorp.vn matches any hostname within the contoso.contosocorp.vn domain, and the DNS record for ldap.contoso.contosocorp.vn resolves to a valid IP address. When a client attempts to connect to ldap.contoso.contosocorp.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.
Kindest regards,
Leon Pavesic
(LinkedIn)
- ThanhNha0903, Nov 09, 2023, Copper Contributor
Hi LeonPavesic,
Thanks for replying,
So, I have created a wildcard certificate *.contoso.contosocorp.vn for the AD child domain contoso.contosocorp.vn, including the Subject Names (SN) below:
adldap.contoso.contosocorp.vn
ldap.contoso.com.vn
=> Please recommend which SN we should choose?
- LeonPavesic, Nov 09, 2023, Silver Contributor
Hi ThanhNha0903,
thanks for your update. In this case, both SNs (adldap.contoso.contosocorp.vn and ldap.contoso.com.vn) are valid options for the Wildcard certificate (*.contoso.contosocorp.vn) for the AD Domain Child contoso.contosocorp.vn.
The choice between the two SNs depends on the specific requirements of your environment.
If you want to use the certificate for both AD LDS and LDAP connections, then using the SN adldap.contoso.contosocorp.vn is more appropriate. This is because the AD LDS service uses the adldap prefix for its default LDAP endpoints. If you only need to use the certificate for LDAP connections, then using the SN ldap.contoso.com.vn is also valid. This SN is more generic and can be used for any LDAP-based application or service.
Ultimately, the choice of SN is a matter of preference and depends on your specific needs.
Kindest regards,
Leon Pavesic
(LinkedIn)
- ThanhNha0903, Nov 15, 2023, Copper Contributor
Hi LeonPavesic,
Thanks for replying,
I have used adldap.contoso.com.vn for the LDAP connection, so I want to use adldap.contoso.com.vn for the LDAPS connection too, because I have so many applications that I cannot change them to use another name.
So do you know if using adldap.contoso.com.vn will have any impact in the future?
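An offline check of the naming question that runs through this thread, written as an added example (not the poster's, the answerer's, or Microsoft's code). It applies the standard wildcard rule used by certificate-validating clients (a `*` stands in for exactly one leftmost label, so `*.contoso.contosocorp.vn` covers neither names under contoso.com.vn nor a deeper sub-label) to the SAN set the poster listed, plus the hostnames mentioned later in the thread. The SAN list and candidate hostnames are constructed from the names on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed from the thread: the poster's wildcard plus the two explicit SAN names.
THREAD_SAN: List[str] = [
    "adldap.contoso.contosocorp.vn",
    "ldap.contoso.com.vn",
    "*.contoso.contosocorp.vn",
]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def name_matches(hostname: str, san_entry: str) -> bool:
    """RFC 6125 style: exact match, or a wildcard standing in for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    entry = san_entry.lower().rstrip(".")
    if not entry.startswith("*."):
        return host == entry
    suffix = entry[2:]
    if "." not in suffix:  # refuse "*.vn": a wildcard directly under a TLD is never accepted
        return False
    first, sep, rest = host.partition(".")
    # The wildcard never matches a dot, so "*.contoso.contosocorp.vn" covers
    # dc01.contoso.contosocorp.vn but neither dc01.child.contoso.contosocorp.vn
    # nor anything under contoso.com.vn.
    return bool(sep) and rest == suffix and _LABEL.match(first) is not None

def covered_by(hostname: str, san: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None if a validating client would reject it."""
    for entry in san:
        if name_matches(hostname, entry):
            return entry
    return None

def audit(hostnames: List[str], san: List[str]) -> Dict[str, Optional[str]]:
    """Map every client-facing name to the SAN entry covering it (None = not covered)."""
    return {h: covered_by(h, san) for h in hostnames}

if __name__ == "__main__":
    # Constructed sample: the names clients might be pointed at over the course of the thread.
    candidates = [
        "adldap.contoso.contosocorp.vn",
        "ldap.contoso.com.vn",
        "adldap.contoso.com.vn",        # the name used in the final post
        "dc01.contoso.contosocorp.vn",  # an individual DC in the child domain
    ]
    for host, entry in audit(candidates, THREAD_SAN).items():
        print(f"{host:36} -> {entry or 'NOT COVERED'}")
```

A name reported as NOT COVERED is one a client that validates the server certificate will reject during the LDAPS handshake, so it has to be added to the SAN as an explicit entry before the DNS alias is pointed at the domain controllers.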