Greg's Tech blog

Using a Verisign (or 3rd party) Certificate for AD Domain Controllers

Thursday 07 of April, 2005

If you are using a Microsoft CA, adding a cert to enable LDAP over SSL is a matter of simply installing the CA on a domain controller in the domain. The DCs all enroll automatically and you're done.

We've been struggling with how to add a 3rd party (Verisign) certificate to our Win2k3 AD domain controllers. Here's what we tried and what worked. If this helps you, please drop me a note at gmartinatgmartin.org

We first went to the MS knowledge base and found several articles; see the resources list at the end of this post.

They were mostly useless, since few of them relate to Windows 2003, particularly on how to generate the request. They refer to the Certificates snap-in, but for whatever reason you cannot generate a cert request using the snap-in; I believe that function is tied to the MS CA.

The document with the real information is Advanced Certificate Enrollment and Management (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx).

Read that document then follow these steps:

1. Create the reqdccert.vbs vbscript on the domain controller file system.
2. Run the script on the domain controller console (or in a terminal service session). (I did so without any command-line switches.)
The following files get created:

We're most interested in the .inf file. Open it with Notepad; the contents (a certreq INF with a [Version] and a [NewRequest] section) should look like this:

[Version]
Signature = "$Windows NT$"

[NewRequest]
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.

Look at the [NewRequest] section. For Verisign there must be a Subject entry in this section, and it must contain a fair amount of information. The subject we settled on looked like this:

Subject = "CN=ourServerName.ourDomain.org,OU=IT,O=ourOrg,C=US,S=someState,L=someCity"

Verisign requires the OU, O, C, S and L entries in order to generate the cert, so make the changes and save the .inf file.

Now run:

certreq -new svrname.inf svrname.req

The resulting .cer file can be used to request the certificate from Verisign.

Once you receive the cert back, import it (binding it to the pending private key on the domain controller) with:

certreq -accept certfilename
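The whole procedure in one script, as an added example in PowerShell; this is not code from the original post, nor Microsoft's reqdccert.vbs. It writes the certreq INF, runs certreq -new to produce the PKCS#10 request file that goes to the CA, and, after the issued certificate has been installed with certreq -accept, checks what the domain controller actually serves on port 636. All names (dc1.example.org, C:\certreq, the Subject values) are placeholders. The INF departs from the 2005 file in three ways: a 2048-bit key and SHA-256 instead of 1024-bit and the default SHA-1 (public CAs no longer sign the older combination), a Server Authentication EKU section, and the DC's FQDN as a subject alternative name; the HashAlgorithm key and the script itself assume a current Windows Server rather than 2003, where you would run the same certreq commands from cmd.

```powershell
# Added example (PowerShell), not code from the original post or from Microsoft.
# Placeholders: dc1.example.org, C:\certreq, and the Subject components.
param(
    [string]$DcFqdn  = 'dc1.example.org',   # placeholder: the DC's fully qualified DNS name
    [string]$WorkDir = 'C:\certreq'         # placeholder: where the .inf and .req are written
)

# --- 1. Build the certreq INF. 2048-bit RSA + SHA-256, plus the EKU and SAN sections a
# third-party DC certificate needs (Server Authentication EKU, DC FQDN in the SAN).
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn,OU=IT,O=Example Org,L=Somecity,S=Somestate,C=US"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256

; Server Authentication, required for Schannel/LDAPS on a DC
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

; Subject alternative name carrying the DC's FQDN
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn&"
"@

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir "$DcFqdn.inf"
$reqPath = Join-Path $WorkDir "$DcFqdn.req"
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# --- 2. Generate the key pair in the machine store and write the PKCS#10 request.
# $reqPath is the file you submit to the CA (the post's "certreq -new svrname.inf svrname.req").
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
Write-Host "Submit $reqPath to the CA. When the issued certificate comes back, bind it to the pending key with:"
Write-Host "  certreq -accept <issued-cert>.cer"

# --- 3. After certreq -accept, confirm the DC serves the new certificate on 636 and that it
# meets the third-party-CA requirements. Run this from a domain member, not only on the DC.
function Test-LdapsCertificate {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList @($Server, $Port)
    $ssl = $null
    try {
        # Accept whatever the DC presents so it can be inspected; the real checks are explicit below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)   # LDAPS on 636 is plain TLS, no STARTTLS round-trip

        $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            NameMatchesDc = ($dnsName -ieq $Server)                    # cert must name the DC's FQDN
            HasServerAuth = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')   # Server Authentication EKU present
            ChainTrusted  = $cert.Verify()                              # false if the DC is not sending its intermediate
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-LdapsCertificate -Server $DcFqdn | Format-List
```

The three boolean fields in the output cover the usual causes of the "unable to connect over SSL" symptom described in the resources below: a subject or SAN that does not match the name clients connect to, a certificate without the Server Authentication EKU (Schannel will not select it), and a chain that fails because the third-party intermediate was never installed on the domain controller. Until all three are true from a client machine, an old self-signed or Microsoft CA certificate is probably still being selected.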

Hope this helps.

If this helps you, please drop me a note at gmartinatgmartindotorg

Resources (Microsoft Knowledge Base and TechNet articles referred to above):

- Description of the requirements and of the troubleshooting methods that you can use to enable an LDAP client to communicate with an LDAP server over SSL
- Requirements for Domain Controller Certificates from a Third-Party CA
- Unable to Connect to a Domain Controller by Using LDAP Connection over SSL
- How to enable LDAP over SSL with a third-party Certification Authority
- Advanced Certificate Enrollment and Management