Loading...
 

Greg`s Tech blog

Using a Verisign (or 3rd party) Certificate for AD Domain Controllers

Thursday 07 of April, 2005
If you are using a Microsoft CA, adding a cert to enable LDAP over SSL is a matter of simply installing the CA on a domain controller in the domain. The DCs all enroll automatically and you're done.

We've been struggling with how to add a 3rd party (Verisign) certificate to our Win2k3 AD domain controllers. Here's what we tried and what worked. If this helps you, please drop me a note at gmartinatgmartin.org

We first went to the MS knowledge base and found several articles. See the resoruces link below

They were mostly useless as few relate to Windows 2003. Particularly with how to generate the request. They refer to the Certificates snap-in. For whatever reason, you cannot generate a cert request using the snap-in. I believe it was tied to the MS CA.

The document with the real information is <a href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx" target="_blank">Advanced Certificate Enrollment and Management</a>

Read that document then follow these steps:

Create the reqdccert.vbs vbscript on the domain controller file system
Run the script on the domain controller console (or in a terminal service session). (I did so without any command-line switches)
The following files get created:
Svrname-req.bat
Svrname-vfy.bat
Svrname.asn
Svrname.b64
Svrname.bin
Svrname.inf

We're most interested in the .inf file. Open it with notepad and the contents should look like this:
{CODE}
Version
Signature= "$Windows NT$"

NewRequest
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

EnhancedKeyUsageExtension
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
;
; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
;
Extensions
2.5.29.17=MDmCFmV0c250NjAuRVRTRVhULURFVi5PUkegHwYJKwYBBAGCNxkBoBIEEPgF35Q7
_continue_=S81CmLOxfJAMgC8=
Critical=2.5.29.17
;
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.
;
;RequestAttributes
;CertificateTemplate=DomainController
{CODE}

The section that says NewRequest. For Verisign, there must be a subject entry in this section and it must contain a lot of information. The subject we settled on looked like this:
Subject = "CN=ourServerName.ourDomain.org,OU=IT,O=ourOrg,C=US,S=somState,L=someCity"

Verisign requires the OU,O,C,S,L entries in order to generate the cert.
So make the changes and save the ifn file.

Now run the certreq -new svrname.inf svrname.req

The resulting .cer file can be used to request the certificate from Verisign.

Once you receive the cert back you import it using:

certutil -ACCEPT certfilename

Hope this helps.

\\Greg
If this helps you, please drop me a note at gmartinatgmartindotorg


<b>References</b>
Description of the requirements and of the troubleshooting methods that you can use to enable an LDAP client to communicate with an LDAP server over SSL
http://support.microsoft.com/default.aspx?scid=kb;en-us;290483

Requirements for Domain Controller Certificates from a Third-Party CA
http://support.microsoft.com/default.aspx?scid=kb;en-us;291010

Unable to Connect to a Domain Controller by Using LDAP Connection over SSL
http://support.microsoft.com/default.aspx?scid=kb;en-us;296975

How to enable LDAP over SSL with a third-party Certification Authority
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Advanced Certificate Enrollment and Management
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx