active directory: ldaps

create a request.inf like so
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*, C=US, S=Florida, L=Beach City, O=Some Company" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

note: per microsoft the CN or the SAN must contain the FQDN of the DC (i.e.

then from a DC run:
certreq -new request.inf request.req
the req file is your CSR.


link to windows 8.1 sdk (includes makecert.exe utility for making self-signed certs):

using openssl to generate an ldaps cert:
openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
^use different filenames for the key and cert if you don’t want to combine the private key and cert into a single file
openssl pkcs12 -export -in mycert.pem -out mycert.p12
the pem minus the private key portion needs to be imported into the destination computer’s Trusted Root CAs store

sample with SANs:
openssl req -x509 -nodes -days 1825 -subj '/C=US/ST=Florida/L=Cocoa Beach/O=MyCompany/OU=IT/,' -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

thus far with the openssl certs i have not had any luck with SANs and LDAPS. i can only get LDAPS to work if the CN = the server’s FQDN. no other variation works so far.
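An added example, not from the original post: a stdlib-only Python check of the naming rule quoted above (the DC FQDN in the subjectAltName, or in the CN when the cert has no SAN at all), plus a decoder for the KeyUsage = 0xa0 value in request.inf. The DC name dc01.example.com and the sample cert dicts are constructed; fetch_dc_cert assumes the CA PEM you pass is the cert half of mycert.pem.

```python
"""Check whether a cert names the DC the way LDAPS clients require:
FQDN in the DNS SANs, or in the CN only when there is no SAN.
Stdlib only; sample dicts are constructed to mirror getpeercert()."""
from __future__ import annotations
import socket
import ssl

# KeyUsage bits as certreq encodes them ("KeyUsage = 0xa0" in request.inf).
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}

def decode_key_usage(mask: int) -> list[str]:
    """0xa0 -> ['digitalSignature', 'keyEncipherment'], the TLS server pair."""
    return [name for bit, name in KEY_USAGE_BITS.items() if mask & bit]

def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard only in the left-most label (RFC 6125)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    return len(p) == len(h) and p[0] == "*" and p[1:] == h[1:]

def name_matches_dc(cert: dict, dc_fqdn: str) -> bool:
    """True when the cert names the DC. A present SAN takes over completely:
    clients then ignore the CN, so the FQDN must be among the DNS SANs."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_match(s, dc_fqdn) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, dc_fqdn) for cn in cns)

def fetch_dc_cert(dc_fqdn: str, ca_pem_path: str, port: int = 636) -> dict:
    """Pull the cert a live DC presents on 636, requiring it to chain to
    ca_pem_path (the cert half of mycert.pem). Hostname checking is left to
    name_matches_dc so a mismatch is reported instead of raised."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()

# Constructed samples for a hypothetical DC named dc01.example.com.
CN_ONLY_CERT = {"subject": ((("countryName", "US"),),
                            (("commonName", "dc01.example.com"),))}
SAN_CERT = {"subject": ((("commonName", "dc01"),),),
            "subjectAltName": (("DNS", "dc01.example.com"), ("DNS", "ldap.example.com"))}

if __name__ == "__main__":
    print(decode_key_usage(0xA0), name_matches_dc(CN_ONLY_CERT, "dc01.example.com"),
          name_matches_dc(SAN_CERT, "dc01.example.com"))
```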

ldaps in relation to peoplesoft:

This entry was written by resinblade, posted on Wednesday June 03 2015 at 05:06 pm, filed under IT.