Forum Discussion
Create and Import Certificate for all server Child AD
- Nov 07, 2023
Hi ThanhNha0903,
In regards to your questions about LDAPS configuration for Active Directory, here are some recommendations:
1. Certificate Option:
For the certificate, it is generally recommended to use a wildcard certificate (*.contoso.contosocorp.vn) instead of listing all server hostnames individually. This simplifies certificate management and avoids the need to update the certificate whenever a new server is added or removed.
2. Certificate Import:
The certificate should be imported to the NTDS Service's Personal certificate store. This ensures that the certificate is used by the Active Directory Domain Services (AD DS) service for secure LDAP communication. Importing the certificate to the Computer store would only make it available for general machine authentication, not specifically for LDAPS.
Additional Considerations:
- Ensure that the certificate is issued by a trusted Certificate Authority (CA).
- Verify that the certificate's validity period is sufficient for your needs.
- Distribute the certificate to all domain controllers in the child domain.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Hi ThanhNha0903,
Thanks for your update.
In this case, both SNs (adldap.contoso.contosocorp.vn and ldap.contoso.com.vn) are valid options for the Wildcard certificate (*.contoso.contosocorp.vn) for the AD Domain Child contoso.contosocorp.vn.
The choice between the two SNs depends on the specific requirements of your environment.
If you want to use the certificate for both AD LDS and LDAP connections, then using the SN adldap.contoso.contosocorp.vn is more appropriate. This is because the AD LDS service uses the adldap prefix for its default LDAP endpoints.
If you only need to use the certificate for LDAP connections, then using the SN ldap.contoso.com.vn is also valid. This SN is more generic and can be used for any LDAP-based application or service.
Ultimately, the choice of SN is a matter of preference and depends on your specific needs.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
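The two replies above recommend importing the certificate into the NTDS Personal store and choosing a subject name (SN) that the wildcard covers. The script below is an added example, not code from the thread or from Leon Pavesic: run from a domain member, it completes a TLS handshake against a domain controller on port 636 using the name clients will actually use, then reports whether the presented certificate covers that name (exact or wildcard SAN entry), is still valid, and chains to a trusted CA. The host name is a placeholder taken from the thread.

```powershell
# Added example (not from the thread): verify an LDAPS endpoint before pointing
# applications at it. Connects to <HostName>:636, completes a TLS handshake
# with that name, then checks the presented certificate's SAN, validity and chain.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name the clients connect with
        [int] $Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; it is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally { $tcp.Close() }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\r\n,]+)') |
                    ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    # A wildcard such as *.contoso.contosocorp.vn matches exactly one extra label.
    $nameMatch = $dnsNames | Where-Object {
        ($_ -eq $HostName) -or
        ($_.StartsWith('*.') -and $HostName -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
    }
    # Build the chain with the local machine's trusted roots (as a client would).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        HostName     = $HostName
        Subject      = $cert.Subject
        SanDnsNames  = $dnsNames -join ', '
        NameMatches  = [bool]$nameMatch
        NotAfter     = $cert.NotAfter
        IsExpired    = $cert.NotAfter -lt (Get-Date)
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder host name from the thread; replace with the name your applications use.
Test-LdapsCertificate -HostName 'adldap.contoso.contosocorp.vn' | Format-List
```

If NameMatches is false, clients that validate the server name (most LDAPS libraries do by default) will reject the connection even though the certificate is correctly installed in the NTDS store.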
Thanks for replying,
I have used adldap.contoso.com.vn for the LDAP connection, so I want to use adldap.contoso.com.vn for the LDAPS connection too, because I have so many applications that I cannot change them to use another name.
So do you know if using adldap.contoso.com.vn will have any impact in the future?