Forum Discussion

ThanhNha0903
Copper Contributor
Nov 07, 2023
Solved

Create and Import Certificate for all server Child AD

Hi Everyone,

We are planning to configure LDAPS for Active Directory, but we have some questions.
1/ The child domain is contoso.contosocorp.vn, and as far as I know there are two ways to create the certificate:
  option 1: create a certificate whose DNS names list all hostnames of the AD servers
  option 2: create a wildcard certificate *.contoso.contosocorp.vn
  => Please recommend which option we should choose.


2/ For importing the certificate on all child AD servers, as far as I know there are two ways:
  option 1: import into MMC -> Computer -> Certificates
  option 2: import into MMC -> Service -> Active Directory Domain Services (the NTDS service's Personal certificate store)
  => Please recommend which option we should choose.

  • Hi ThanhNha0903,

    In regards to your questions about LDAPS configuration for Active Directory, here are some recommendations:

    1. Certificate Option:

    For the certificate, it is generally recommended to use a wildcard certificate (*.contoso.contosocorp.vn) instead of listing all server hostnames individually. This simplifies certificate management and avoids the need to update the certificate whenever a new server is added or removed.

    2. Certificate Import:

    The certificate should be imported to the NTDS Service's Personal certificate store. This ensures that the certificate is used by the Active Directory Domain Services (AD DS) service for secure LDAP communication. Importing the certificate to the Computer store would only make it available for general machine authentication, not specifically for LDAPS.

    Additional Considerations:

    • Ensure that the certificate is issued by a trusted Certificate Authority (CA).
    • Verify that the certificate's validity period is sufficient for your needs.
    • Distribute the certificate to all domain controllers in the child domain.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it a Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

7 Replies


    • ThanhNha0903
      Copper Contributor

      Hi Leon,
      Thanks for responding.
      I have 02 questions about "1. Certificate Option".

      Question 1: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.com.vn, and the domain ldap.contoso.com.vn points to some ADs and is used for clients to connect, will the connection succeed? Because we don't want clients to connect to only one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.com.vn.

      Question 2: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn, and ldap.contoso.contosocorp.vn points to some ADs and is used for clients to connect, will the connection succeed? Because we don't want clients to connect to only one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.contosocorp.vn.

      Kindest regards,
      Nguyen Thanh Nha
      • LeonPavesic
        Silver Contributor

        Hi ThanhNha0903,

        Thanks for your update and additional questions:

        Question 1:

        Yes, a certificate with the subject name (SN) *.contoso.contosocorp.vn and ldap.contoso.com.vn is sufficient to allow clients to connect to either AD domain. This is because the wildcard character (*) in the SN matches any hostname within the contoso.contosocorp.vn domain. When a client attempts to connect to ldap.contoso.com.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.

        Question 2:

        Yes, if the DNS record for ldap.contoso.contosocorp.vn points to one of the AD domains and a certificate with the SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn is created, clients can connect to that AD domain using that certificate. This is because the SN *.contoso.contosocorp.vn matches any hostname within the contoso.contosocorp.vn domain, and the DNS record for ldap.contoso.contosocorp.vn resolves to a valid IP address. When a client attempts to connect to ldap.contoso.contosocorp.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.

        Please click Mark as Best Response & Like if my post helped you to solve your issue.
        This will help others to find the correct solution easily. It also closes the item.


        If the post was useful in other ways, please consider giving it a Like.


        Kindest regards,


        Leon Pavesic
        (LinkedIn)
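To make the name-matching point behind the certificate option and the two follow-up questions concrete, here is an added example (not from the thread, Microsoft, or any project) that applies the RFC 6125 dNSName matching rule an LDAPS client uses when it verifies the DC's certificate to the certificate designs discussed above; the DC hostnames dc01/dc02/dc03 and the SAN lists are constructed placeholders.

```python
"""Check which names an LDAPS client will accept for a given set of SAN dNSName
entries, using the RFC 6125 section 6.4.3 wildcard rule (one leftmost label only).
Constructed for this thread; dc01/dc02/dc03 are hypothetical DC names."""


def san_matches(hostname, san_entry):
    """Return True if a single dNSName SAN entry covers hostname."""
    host = hostname.lower().rstrip(".")
    san = san_entry.lower().rstrip(".")
    if "*" not in san:
        return host == san                      # plain entry: exact match only
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard is honoured only as the whole leftmost label ("*.zone"),
    # needs at least two labels after it, and matches exactly one host label:
    # it covers dc01.zone but not a.b.zone, and never the bare zone itself.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def certificate_covers(hostname, sans):
    """True if any SAN entry of the certificate matches the name the client used."""
    return any(san_matches(hostname, s) for s in sans)


# The certificate designs discussed in the thread (constructed SAN lists).
PER_HOST_CERT = ["dc01.contoso.contosocorp.vn", "dc02.contoso.contosocorp.vn"]
WILDCARD_CERT = ["*.contoso.contosocorp.vn"]
WILDCARD_PLUS_ALIAS = ["*.contoso.contosocorp.vn", "ldap.contoso.com.vn"]

# Names a client might type into its LDAPS URL.
NAMES_CLIENTS_MIGHT_USE = [
    "dc01.contoso.contosocorp.vn",
    "dc03.contoso.contosocorp.vn",   # DC added after the certificate was issued
    "ldap.contoso.contosocorp.vn",   # round-robin alias inside the child domain
    "ldap.contoso.com.vn",           # alias in a different DNS zone
    "contoso.contosocorp.vn",        # the domain name itself (no host label)
]


def coverage_report(sans):
    """Map each client-facing name to whether the certificate would be accepted."""
    return {name: certificate_covers(name, sans) for name in NAMES_CLIENTS_MIGHT_USE}


if __name__ == "__main__":
    for label, sans in (("per-host", PER_HOST_CERT), ("wildcard", WILDCARD_CERT),
                        ("wildcard+alias", WILDCARD_PLUS_ALIAS)):
        print(label, coverage_report(sans))
```

Two results worth noting: the wildcard covers ldap.contoso.contosocorp.vn but not ldap.contoso.com.vn (that name must be listed explicitly, as in the follow-up), and neither design covers the bare domain name contoso.contosocorp.vn, which some clients use for LDAP via domain DNS round-robin.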
