Following a previous article around LDAPS here, playing/discovering wldap32.dll and FPC.
Have a look at the code on github here.
You have a running ldap server but you want to be able to use ssl.
For this you need:
1-A root CA (certificate authority) installed on the domain controller/ldap server in the computer « root » store
2-A CSR (certificate service request) triggered by the domain controller/ldap server
3-A CSR signed by your root ca thus giving you a certificate to be installed on the domain controller/ldap server in the computer « my » store
4-The root CA installed in the client/user certificate store
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
launch mmc.exe, load the certificate snap-in, select « computer account », choose the « trusted root CA » and import your ca.crt.
With notepad, create the below request.inf file (adapt the CN with your server CN).
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US" ; KeySpec = 1 KeyLength = 1024 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=22.214.171.124.126.96.36.199.1 ; this is for Server Authentication
Generate your csr with certreq -new request.inf server.csr.
Sign your csr :
openssl x509 -req -days 3650 -in request.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
launch mmc.exe, load the certificate snap-in, select « computer account », choose the « MY » store and import your server.crt.
Reboot your DC : your ldap ssl server is now operational.
It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTSD service rather than « computer account » in the MMC snap-in).
Indeed, most probably your computer account will have more than one cert in its trust store and NTDS will then pick randomly one of them.
Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all) : serveur authentication and client authentication.
On your user/client, launch mmc.exe, load the certificate snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt to allow your user/client to validate the server cert.