{"id":1187,"date":"2021-06-14T17:22:35","date_gmt":"2021-06-14T15:22:35","guid":{"rendered":"https:\/\/ndk.sytes.net\/wordpress\/?p=1187"},"modified":"2021-06-14T17:25:02","modified_gmt":"2021-06-14T15:25:02","slug":"enable-ldaps-in-active-directory-with-openssl","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=1187","title":{"rendered":"Enable LDAPS in Active Directory with OpenSSL"},"content":{"rendered":"\n

Step 1: Create a Certificate Authority (CA) with OpenSSL<\/strong><\/h2>\n\n\n\n

Use the following commands to create a CA with a validity period of 10 years. The CA can be created on any machine using OpenSSL:<\/p>\n\n\n\n

openssl genrsa -out<\/code> ca.key 4096<\/code>
openssl req -new<\/code> -x509 -days<\/code> 3650 -key<\/code> ca.key -out<\/code> ca.crt<\/code><\/pre>\n\n\n\n
Go ahead and enter the asked information, here are some sample lines:<\/p>\n\n\n\n
Country Name (2 letter code) [AU]: US<\/code>
State or Province Name (full name) [Some-State]: New York<\/code>
Locality Name (eg, city) []: New York<\/code>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany<\/code>
Organizational Unit Name (eg, section) []: IT<\/code>
Common Name (e.g. server FQDN or YOUR name) []:<\/code>
Email Address []:<\/code><\/pre>\n\n\n\n
Step 2: Install the Certificate Authority (CA)<\/strong><\/h2>\n\n\n\n
  • Open MMC (Microsoft Management Console) by opening PowerShell and typing “mmc”<\/li>
  • when opened go to “File -> Add\/Remove Snap-in”<\/li>
  • and add “Certificates” to the list.<\/li>
  • Click on “Next” and select “Computer Account”, “Next”, “Local Computer”<\/li>
  • then “Finish” and go to the MMC window.<\/li>
  • Under “Trusted Root Certification Authorities”, right-click on the “Certificates” node, select “All Tasks -> Import…” and import the certificate created in step 1.<\/li><\/ul>\n\n\n\n
    Step 3: Create a Certificate Signing Request (CSR)<\/strong><\/h2>\n\n\n\n
    Create a new file with .inf extension (e.g. request.inf)<\/p>\n\n\n\n
    ;----------------- request.inf -----------------<\/code>
    [Version]<\/code>
    Signature=\"$Windows NT$\"<\/code>
    [NewRequest]<\/code>
    Subject = \"CN=ad1.server.com,OU=IT Department,DC=domain,DC=local,O=MyCompany,L=New York,S=New York,C=US\";<\/code>
    KeySpec = 1<\/code>
    KeyLength = <\/code>2048
    Exportable = TRUE<\/code>
    MachineKeySet = TRUE<\/code>
    SMIME = False<\/code>
    PrivateKeyArchive = FALSE<\/code>
    UserProtected = FALSE<\/code>
    UseExistingKeySet = FALSE<\/code>
    ProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"<\/code>
    ProviderType = 12<\/code>
    RequestType = PKCS10<\/code>
    KeyUsage = 0xa0<\/code>
    [EnhancedKeyUsageExtension]<\/code>
    OID=1.3.6.1.5.5.7.3.1; this is for Server Authenticatio<\/code>n<\/pre>\n\n\n\n
    Go ahead and change the Subject line to your needs. You could also raise the key length to 4096 if you want to.<\/p>\n\n\n\n
    Now that you created the file, create the signing request with:<\/p>\n\n\n\n
    certreq -new<\/code> request.inf MyDC.csr<\/code><\/pre>\n\n\n\n
    Step 4: Sign and accept the Certificate<\/strong><\/h2>\n\n\n\n
    You should now transfer the CSR back to the machine where you installed OpenSSL and sign the request with your CA and get the corresponding CRT:<\/p>\n\n\n\n
    openssl x509 -req -days 3650<\/code> -in MyDC.csr -CA ca.crt -CAkey ca.key -set_serial 01<\/code> -out MyDC.crt<\/code><\/pre>\n\n\n\n
    Transfer the created CRT file onto the server and execute in the PowerShell:<\/p>\n\n\n\n
    certreq -accept MyDC.crt<\/pre>\n\n\n\n
    Step 5: Install the Certificate<\/strong><\/h2>\n\n\n\n
    Assuming MMC (Certificates) is still open, expand the “Certificates” node under “Personal”, right-click on the “Certificates” node, select “All Tasks -> Import…” and import MyDC.crt<\/p>\n\n\n\n
    Step 7: Restart Active Directory<\/strong><\/h2>\n\n\n\n
    All that’s left is to reboot your AD server. Done.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Step 1: Create a Certificate Authority (CA) with OpenSSL Use the following commands to create a CA with a validity period of 10 years. The CA can be created on any machine using OpenSSL: openssl genrsa -out ca.key 4096openssl req -new -x509 -days 3650 -key ca.key -out ca.crt Go ahead and enter the asked information, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,7,9],"tags":[],"class_list":["post-1187","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-servers","category-windows"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1187"}],"version-history":[{"count":3,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1187\/revisions"}],"predecessor-version":[{"id":1191,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1187\/revisions\/1191"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}