A follow-up to a previous article on LDAPS here, written while exploring wldap32.dll and FPC.
Have a look at the code on github here.
You have a running LDAP server and want to be able to use SSL (LDAPS).
For this you need:
1-A root CA (certificate authority) installed on the domain controller/LDAP server in the computer « root » store
2-A CSR (certificate signing request) generated by the domain controller/LDAP server
3-The CSR signed by your root CA, which gives you a certificate to install on the domain controller/LDAP server in the computer « my » store
4-The root CA installed in the client/user certificate store
Step 1
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Launch mmc.exe, load the certificate snap-in, select « computer account », choose the « trusted root CA » store and import your ca.crt.
Step 2
With Notepad, create the request.inf file below (adapt the CN in the Subject to your server's name).
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
Generate your CSR with certreq -new request.inf server.csr.
Step 3
Sign your CSR (the file produced by certreq in Step 2):
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Launch mmc.exe, load the certificate snap-in, select « computer account », choose the « MY » store and import your server.crt.
Reboot your DC: your LDAP SSL server is now operational.
Edit:
1/
It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTDS service rather than « computer account » in the MMC snap-in).
Indeed, your computer account will most probably have more than one cert in its store, and NTDS will then pick one of them at random.
2/
Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all): server authentication and client authentication.
More here.
Step 4
On your user/client, launch mmc.exe, load the certificate snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt so that your user/client can validate the server cert.
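As an added example that is not part of the original article, here is the openssl side of Steps 1 and 3 plus the Step 4 check as one POSIX shell script. Two things the article's commands do not show: openssl x509 -req does not carry extensions over from the CSR unless they are passed again with -extfile, so the Server Authentication EKU from request.inf has to be re-supplied, and a subjectAltName is added because clients match the server name there rather than in the CN. It assumes openssl is on PATH, uses dc1.acme.com and "ACME Lab Root CA" as placeholder names, and generates the CSR with openssl instead of certreq so it can run away from the DC.

```shell
# Added example, not from the original article: Steps 1 and 3 with openssl plus
# the Step 4 check. Assumptions: openssl on PATH; dc1.acme.com and "ACME Lab
# Root CA" are placeholders; the CSR is made with openssl instead of certreq.
set -e

# Step 1: root CA. The article's -des3 passphrase is dropped so this runs
# unattended; keep ca.key encrypted and offline in real use.
make_ca() {
    d="$1"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ca_ext' '[dn]' 'CN = ACME Lab Root CA' 'O = ACME' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca.cnf"
    openssl genrsa -out "$d/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$d/ca.key" -config "$d/ca.cnf" \
        -out "$d/ca.crt" 2>/dev/null
}

# Step 2 stand-in for certreq: a 2048-bit key (request.inf's 1024 is below
# current minimums) and a CSR for the DC's FQDN. Reuses ca.cnf for prompt=no.
make_csr() {
    d="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -config "$d/ca.cnf" -subj "/CN=$fqdn/O=ACME" -out "$d/server.csr" 2>/dev/null
}

# Step 3: sign. "openssl x509 -req" does not carry extensions over from the
# CSR, so the EKU from request.inf must be re-supplied; a SAN is added too.
sign_csr() {
    d="$1"; fqdn="$2"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$fqdn" > "$d/ext.cnf"
    openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -extfile "$d/ext.cnf" \
        -out "$d/server.crt" 2>/dev/null
}

# Step 4, client side: the chain validates against ca.crt and the leaf carries
# the Server Authentication EKU and the expected SAN. Returns 0 on success.
check_server_cert() {
    d="$1"; fqdn="$2"
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/server.crt" -noout -text > "$d/server.txt"
    grep -q 'TLS Web Server Authentication' "$d/server.txt" &&
        grep -q "DNS:$fqdn" "$d/server.txt"
}

# Usage: run_lab /tmp/ldaps-lab dc1.acme.com ; then import ca.crt and server.crt as in the article.
run_lab() { mkdir -p "$1"; make_ca "$1"; make_csr "$1" "$2"; sign_csr "$1" "$2"; check_server_cert "$1" "$2"; }
```

If check_server_cert fails on a certificate signed with the article's bare openssl x509 -req command, the missing EKU is the usual reason, and the NTDS side will refuse it for the same reason.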