You have a running ldap server but you want to be able to use ssl.<\/p>\n\n\n\n
For this you need:<\/p>\n\n\n\n
1-A root CA (certificate authority) installed on the domain controller\/ldap server in the computer \u00ab\u00a0root\u00a0\u00bb store<\/p>\n\n\n\n
2-A CSR (certificate service request) triggered by the domain controller\/ldap server<\/p>\n\n\n\n
3-A CSR signed by your root ca thus giving you a certificate to be installed on the domain controller\/ldap server in the computer \u00ab\u00a0my\u00a0\u00bb store<\/p>\n\n\n\n
4-The root CA installed in the client\/user certificate store<\/p>\n\n\n\n
Step 1<\/strong><\/p>\n\n\n\n openssl genrsa -des3 -out ca.key 4096<\/p>\n\n\n\n openssl req -new -x509 -days 3650 -key ca.key -out ca.crt<\/p>\n\n\n\n launch mmc.exe, load the certificate snap-in, select \u00ab\u00a0computer account\u00a0\u00bb, choose the \u00ab\u00a0trusted root CA\u00a0\u00bb and import your ca.crt.<\/p>\n\n\n\n Step 2<\/strong><\/p>\n\n\n\n With notepad, create the below request.inf file (adapt the CN with your server CN).<\/p>\n\n\n\n <\/p>\n\n\n\n Generate your csr with certreq -new request.inf server.csr.<\/p>\n\n\n\n <\/p>\n\n\n\n Step 3<\/strong><\/p>\n\n\n\n Sign your csr :<\/p>\n\n\n\n openssl x509 -req -days 3650 -in request.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt<\/p>\n\n\n\n launch mmc.exe, load the certificate snap-in, select \u00ab\u00a0computer account\u00a0\u00bb, choose the \u00ab\u00a0MY\u00a0\u00bb store and import your server.crt.<\/p>\n\n\n\n Reboot your DC : your ldap ssl server is now operational.<\/p>\n\n\n\n Edit : <\/p>\n\n\n\n 1\/<\/p>\n\n\n\n It appears it is better to put the cert in the NT Directory Services (NTDS)\u00a0store (choose the NTSD service rather than \u00ab\u00a0computer account\u00a0\u00bb in the MMC snap-in).<\/p>\n\n\n\n Indeed, most probably your computer account will have more than one cert in its trust store and NTDS will then pick randomly one of them.<\/p>\n\n\n\n 2\/<\/p>\n\n\n\n Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all) : serveur authentication and client authentication.<\/p>\n\n\n\n More here<\/a>.<\/p>\n\n\n\n <\/p>\n\n\n\n Step 4<\/strong><\/p>\n\n\n\n On your user\/client, launch mmc.exe, load the certificate snap-in, select \u00ab\u00a0user account\u00a0\u00bb, choose the \u00ab\u00a0trusted root CA\u00a0\u00bb store and import your ca.crt to allow your user\/client to validate the server cert.<\/p>\n","protected":false},"excerpt":{"rendered":" You have a running ldap server but you want to be able to use ssl. For this you need: 1-A root CA (certificate authority) installed on the domain controller\/ldap server in the computer \u00ab\u00a0root\u00a0\u00bb store 2-A CSR (certificate service request) triggered by the domain controller\/ldap server 3-A CSR signed by your root ca thus giving […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[128,129],"tags":[126,127],"class_list":["post-2394","post","type-post","status-publish","format-standard","hentry","category-ldap","category-ssl","tag-ldap","tag-ssl","category-128-id","category-129-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2394"}],"version-history":[{"count":5,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2394\/revisions"}],"predecessor-version":[{"id":2410,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2394\/revisions\/2410"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}};----------------- request.inf -----------------\n\n[Version]\n\nSignature=\"$Windows NT$\"\n\n[NewRequest]\n\nSubject = \"CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US\"\n;\nKeySpec = 1\nKeyLength = 1024\nExportable = TRUE\nMachineKeySet = TRUE\nSMIME = False\nPrivateKeyArchive = FALSE\nUserProtected = FALSE\nUseExistingKeySet = FALSE\nProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"\nProviderType = 12\nRequestType = PKCS10\nKeyUsage = 0xa0\n\n[EnhancedKeyUsageExtension]\n\nOID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication<\/code><\/pre>\n\n\n\n