Forum Discussion
LDAPS and Certificate Creation
Prerequisites:
- A Certificate Authority (CA) or Enterprise Root CA already installed (an Intermediate CA also works).
- The Domain Controllers must be domain-joined and reachable.
- You must have Domain Admin or Enterprise Admin privileges.

Step 1 – Verify your Certificate Authority setup

If you already have a Root CA and an Intermediate CA:
- Keep the Root CA powered off for security — this is normal.
- The Intermediate CA (IA) is used to issue certificates to domain controllers.
- Make sure both the Root and Intermediate CA certificates are trusted on all domain members. You can check this under:
    certmgr.msc → Trusted Root Certification Authorities
    certmgr.msc → Intermediate Certification Authorities

If you do not have an Enterprise CA yet, install one with:
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Step 2 – Create or duplicate a certificate template for Domain Controllers

- On the CA (Certification Authority) server, open the Certification Authority console.
- Right-click Certificate Templates → Manage.
- Find and duplicate one of these templates:
    Kerberos Authentication
    or Domain Controller Authentication
- On the new template:
    General tab: give it a clear name (e.g. LDAPS-DC-Certificate).
    Extensions tab: make sure Server Authentication (1.3.6.1.5.5.7.3.1) is listed under Application Policies.
    Subject Name tab: select Build from this Active Directory information → Fully distinguished name must be checked.
    Security tab: grant Enroll and Autoenroll permissions to Domain Controllers, or to a specific security group (e.g. the built-in “Domain Controllers” group).
- Close the template and go back to the main CA window.
- Right-click Certificate Templates → New → Certificate Template to Issue, then select the new template (LDAPS-DC-Certificate).
Step 3 – Auto-enroll or manually request the certificate on each Domain Controller

Option A – via Group Policy (recommended)
- Open Group Policy Management → Edit your Default Domain Controllers Policy.
- Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
- Enable Certificate Services Client – Auto-Enrollment and configure it as Enabled, Renew expired certificates, and Update certificates that use certificate templates.
- Force a Group Policy update on each DC:
    gpupdate /force
- The certificate should appear automatically under:
    certlm.msc → Personal → Certificates

Option B – manual enrollment
If auto-enrollment doesn’t work:
- Run certlm.msc on the DC (Certificates – Local Computer).
- Go to Personal → Certificates → All Tasks → Request New Certificate → Next → Active Directory Enrollment Policy → Next.
- Select your new template (e.g. LDAPS-DC-Certificate).
- Click Enroll and verify that the certificate is issued successfully.
Step 4 – Verify the certificate on the Domain Controller

In certlm.msc, open the new certificate and check:

    Property           Expected
    -----------------  ----------------------------------------------------------------------
    Intended Purposes  Server Authentication
    Issued To          The FQDN of the Domain Controller (e.g. dc01.domain.local)
    Issued By          Your Intermediate CA
    Valid From/To      Current date range
    Private Key        Present (shows “You have a private key corresponding to this certificate”)
Step 5 – Restart services or reboot the DC

After the new certificate is installed:
    Restart-Service NTDS -Force   # -Force is needed because KDC, DNS and other services depend on NTDS
    Restart-Service KDC
    Restart-Service DNS
Or simply reboot the DC.

This ensures the new certificate is loaded by the Schannel (SSL/TLS) subsystem.
Step 6 – Test the LDAPS connection

Method 1 – Using LDP.exe
- Run ldp.exe (installed with RSAT or the AD DS Tools).
- Go to Connection → Connect and enter:
    Server: dc01.domain.local
    Port: 636
    Check SSL
- Click OK — if the RootDSE information appears, LDAPS works.

Method 2 – Using PowerShell
    Test-NetConnection dc01.domain.local -Port 636
If you see “TcpTestSucceeded : True”, the DC is listening on port 636. Note that this only proves the port is open; the TLS handshake and the certificate itself are exercised by the ldp.exe test in Method 1.
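The certificate checks from Step 4 and the port test above can be combined into one script that performs a real TLS handshake to port 636 and inspects what the DC presents. This is an added example, not code from the original post; the server name dc01.domain.local is an assumption, and it runs from any domain member that should trust the CA.

```powershell
# Added example, not from the original post: performs a real TLS handshake against port 636
# and checks the presented certificate for the properties in the verification table
# (Server Authentication EKU, DC FQDN in the SAN, chain trusted by this machine).
function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever the DC sends during the handshake; the checks are done explicitly
        # below so a failing chain is reported as a result instead of an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')
        # Subject Alternative Name (OID 2.5.29.17) must carry the FQDN the client connects to
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dnsNames = @()
        if ($sanExt) {
            $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        $nameMatches = $dnsNames -contains $Server
        # The chain must build against this machine's Trusted Root / Intermediate stores
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)
        $chainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus.Status -join ', ') }
        [pscustomobject]@{
            Server        = $Server
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DnsNames      = $dnsNames -join ', '
            ServerAuthEku = $hasServerAuth
            NameMatches   = $nameMatches
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            Pass          = ($hasServerAuth -and $nameMatches -and $chainOk)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}
# Usage with an assumed DC name (replace with your own); Pass = True means all three checks succeeded:
Test-LdapsCertificate -Server 'dc01.domain.local' | Format-List
```

A ChainStatus other than OK (for example UntrustedRoot or PartialChain) points back to Step 1: the Root or Intermediate CA certificate is not trusted on the machine running the test.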
Step 7 – Use the same CA to issue certificates for other systems

Once your CA/IA setup works, you can reuse it for other internal systems:
- VMware vCenter
- Web applications (IIS, monitoring tools, etc.)
- File servers (SMB over TLS, HTTPS management consoles)

You just need to:
- Create a new Web Server or custom web certificate template with the Server Authentication EKU.
- Enroll or auto-enroll each server using that template.
Summary

    Step  Action
    ----  -------------------------------------------------------------------
    1     Verify Root + Intermediate CA trust
    2     Duplicate and issue a new certificate template for Domain Controllers
    3     Allow auto-enrollment for Domain Controllers
    4     Request and verify the new certificate
    5     Restart AD DS to apply the certificate
    6     Test LDAPS on port 636
    7     Reuse the CA for other internal web systems