active directory: ldaps

steps:
create a request.inf like so
;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*.mydomain.com, C=US, S=Florida, L=Beach City, O=Some Company" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digital signature (0x80) + key encipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
SAN="dns=ldaps.mydomain.com&dns=dc1.mydomain.com"

;-----------------------------------------------

note: per microsoft, either the CN or the SAN must contain the FQDN of the DC (e.g. dc1.mydomain.com)

then from a DC run:
certreq -new request.inf request.req
the req file is your CSR.

sources:
https://support.microsoft.com/en-us/kb/321051
https://support.microsoft.com/en-us/kb/931351

link to windows 8.1 sdk (includes makecert.exe utility for making self-signed certs): https://msdn.microsoft.com/en-us/library/windows/desktop/bg162891.aspx

using openssl to generate an ldaps cert:
openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
^use different filenames for the key and cert if you don't want to combine the private key and cert into a single file
openssl pkcs12 -export -in mycert.pem -out mycert.p12
sources:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
http://www.decalage.info/security/cert4tests
the pem minus the private key portion needs to be imported into the destination computer's Trusted Root CAs store

sample with SANs:
openssl req -x509 -nodes -days 1825 -subj '/C=US/ST=Florida/L=Cocoa Beach/O=MyCompany/OU=IT/CN=ldaps2.mydomain1.com/emailAddress=admin@mycompany.com' -addext 'subjectAltName=DNS:dc1.mydomain2.com,DNS:dc2.mydomain2.com' -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
^the SAN has to be added as an x509 extension (-addext needs openssl 1.1.1 or newer); putting subjectAltName inside -subj only makes it a component of the subject DN, which is not a SAN
source: http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

thus far with the openssl certs i have not had any luck with SANs and LDAPS. i can only get LDAPS to work if the CN = the server’s FQDN. no other variation works so far.
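Added example (not from the original post or any of the linked sources): an openssl rendering of the request.inf from the steps above, produced both as a PKCS#10 CSR (the counterpart of certreq -new) and as a self-signed lab cert, with the SAN emitted as a real X.509 extension instead of a subject DN component, plus a shell check that a DC FQDN is covered by the CN or a DNS SAN, which is the rule in the note above. Host names, file paths and the config section name ldaps_ext are made-up placeholders; it needs openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: openssl equivalent of the
# request.inf above (same key usage, EKU and SAN) as a CSR and as a
# self-signed cert, plus the name check an LDAPS client applies.
# All host names and paths are made-up placeholders.

WORK="${WORK:-$(mktemp -d)}"

# Config mirroring request.inf:
#   KeyUsage = 0xa0         -> digitalSignature, keyEncipherment
#   OID 1.3.6.1.5.5.7.3.1   -> serverAuth
#   SAN="dns=a&dns=b"       -> subjectAltName = DNS:a, DNS:b
# Unlike putting subjectAltName in -subj, this emits a real X.509 extension.
write_cfg() {
    cat > "$WORK/ldaps.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ldaps_ext
x509_extensions = ldaps_ext

[dn]
C = US
ST = Florida
L = Beach City
O = Some Company
CN = dc1.mydomain.com

[ldaps_ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.mydomain.com, DNS:ldaps.mydomain.com
EOF
}

# PKCS#10 CSR: the openssl counterpart of "certreq -new request.inf request.req"
make_csr() {
    write_cfg
    openssl req -new -nodes -newkey rsa:2048 -config "$WORK/ldaps.cnf" \
        -reqexts ldaps_ext -keyout "$WORK/csr.key" -out "$WORK/ldaps.req" 2>/dev/null
    echo "$WORK/ldaps.req"
}

# Self-signed cert for lab use: the counterpart of the -x509 one-liner above
make_selfsigned() {
    write_cfg
    openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -config "$WORK/ldaps.cnf" \
        -extensions ldaps_ext -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
    echo "$WORK/self.crt"
}

# Print the CN and every DNS SAN, one per line.  $1 is "req" for a CSR or
# "x509" for a cert; handles both old (/C=US/...) and new (C = US, ...)
# subject output formats.
cert_dns_names() {
    case "$1" in req|x509) ;; *) return 2 ;; esac
    openssl "$1" -in "$2" -noout -subject -text 2>/dev/null | awk '
        /^subject=/ && match($0, "CN ?= ?[^,/]+") {
            cn = substr($0, RSTART, RLENGTH); sub("CN ?= ?", "", cn); print cn
        }
        /Subject Alternative Name/ {
            getline; n = split($0, a, /,[ ]*/)
            for (i = 1; i <= n; i++) if (a[i] ~ /DNS:/) { sub(/.*DNS:/, "", a[i]); print a[i] }
        }'
}

# RFC 6125 style comparison: case-insensitive, and a wildcard only stands in
# for a single left-most label (*.mydomain.com covers dc1.mydomain.com but
# not a.b.mydomain.com or mydomain.com itself).
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*) [ -n "${host%%.*}" ] && [ "${host%%.*}" != "$host" ] &&
              [ "${host#*.}" = "${name#\*.}" ] ;;
        *)    [ "$host" = "$name" ] ;;
    esac
}

# Exit 0 if the DC FQDN is the CN or one of the DNS SANs, 1 otherwise
cert_covers_host() {
    cert_dns_names "$1" "$2" | {
        while IFS= read -r name; do
            if name_matches "$3" "$name"; then exit 0; fi
        done
        exit 1
    }
}
```

Usage: `cert_covers_host x509 "$(make_selfsigned)" dc1.mydomain.com` exits 0, while asking about dc2.mydomain.com exits 1, which is the same verdict an LDAPS client reaches when it compares the DC name it connected to against the cert. Run the check against request.req from certreq as well (kind "req") before sending the CSR to the CA; openssl reads the "NEW CERTIFICATE REQUEST" PEM that certreq writes.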

ldaps in relation to peoplesoft:
http://docs.oracle.com/cd/E38689_01/pt853pbr0/eng/pt/tsec/task_UsingLDAPOverSSLLDAPS-9b7e4e.html

This entry was written by resinblade, posted on Wednesday June 03 2015 at 05:06 pm, filed under IT.