Greg27
asked on
How to setup LDAPS on Windows 2008 R2 Server
I purchased a SAN cert from GoDaddy and am not sure what to do at this point. I have seen one answer that says to set up the request.inf as follows:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=DC1.YourDomain.local" ; enter FQDN here - must be FQDN not another name
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
KeyLength=2048
KeyUsage = 0xF0 ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
KeySpec=1
SMIME=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
; OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon - include even if you don't use SC right now ; comment out if going to a commercial CA - include if internally issued
[RequestAttributes]
; CertificateTemplate = WebServer ; Change to appropriate template name or OID ; Omit line if CA is a stand-alone CA or commercial or other non-MS CA
; SAN = "dns=server1.domain.local&dns=server1&dns=ldap.domain.local&dns=server1&ipaddress=192.168.0.1" ; do not include if submitting to commercial CA - purchase a SAN cert and fill in during the appropriate step
Not sure if I need everything or not, but I would love some input. Also, I am using the cert for SSO from an external server, so I am not sure that setting the cert up with the Subject being the local server name (Subject="CN=DC1.YourDomain.local") would work for me. I am guessing that I need to set up an external DNS entry for the LDAP server, and use the external name as my server name (Subject="CN=LDAP.YourExternalDomain.com"). Is that correct? Also, if I have 2 LDAP servers on my network, one being the root DC and the other the backup DC, should I be setting this cert up for the backup DC? When I open up communication between the external server and my LDAP server, my firewall will be set to only allow LDAPS communication from their IP to my IP, which will hopefully lock it down.
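The following PowerShell script is an added verification example, not part of the original question or of any answer on this page. It checks the two things that have to be true before LDAPS on a domain controller will work with an outside client: a certificate in the machine's Personal store must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1) with its private key present, and whatever host name the external server connects with must appear in that certificate's CN or Subject Alternative Name. It then performs a TLS handshake to port 636 from the client side and reports the certificate actually presented and whether its chain builds. The host name `ldap.yourexternaldomain.example` is a placeholder, and the function names are this example's own.

```powershell
# Added example, not from the original post. Assumptions: $DcName is the name the
# external server will use (placeholder below); LDAPS is listening on TCP 636.
param(
    [string]$DcName = "ldap.yourexternaldomain.example",   # placeholder, replace
    [int]$Port = 636
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$ekuExtOid     = "2.5.29.37"           # Enhanced Key Usage extension
$sanExtOid     = "2.5.29.17"           # Subject Alternative Name extension

# Run this part on the DC itself: list every cert in LocalMachine\My and say
# whether it is usable for LDAPS under the expected name.
function Test-LdapsCertInStore {
    param([string]$ExpectedName)
    $escaped = [regex]::Escape($ExpectedName)
    $results = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanExtOid }
        $sanText = ""
        if ($sanExt) { $sanText = $sanExt.Format($false) }   # e.g. "DNS Name=dc1.domain.local, DNS Name=..."
        $nameMatch = ($cert.Subject -match "CN=$escaped(,|$)") -or ($sanText -match "DNS Name=$escaped(,|$)")
        $results += New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEKU = $hasServerAuth
            NameMatches   = $nameMatch
            NotAfter      = $cert.NotAfter
            SAN           = $sanText
        }
    }
    $results
}

# Run this part from any client (ideally the external server's network position):
# open TCP 636, complete a TLS handshake for $HostName and inspect what came back.
function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port)
    # Accept any certificate during the handshake so it can be inspected; the chain
    # is validated explicitly below and reported rather than silently trusted.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) return $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanExtOid }
        $sanText = ""
        if ($sanExt) { $sanText = $sanExt.Format($false) }
        New-Object PSObject -Property @{
            Host        = $HostName
            Port        = $Port
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SAN         = $sanText
            ChainBuilds = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
        }
    } finally {
        $tcp.Close()
    }
}

"--- Certificates in LocalMachine\My (run on the DC) ---"
Test-LdapsCertInStore -ExpectedName $DcName | Format-List
"--- TLS handshake to ${DcName}:$Port ---"
Test-LdapsHandshake -HostName $DcName -Port $Port | Format-List
```

A certificate that shows `NameMatches = False` for the external name is the case the question is worried about: the handshake will still complete, but the client's hostname check will reject it. A non-empty `ChainStatus` (for example an untrusted root or a revocation failure) from the client side is the other common reason an LDAPS bind fails even though port 636 is open. Because the handshake callback accepts everything, never reuse that callback in production code; it exists only so the presented certificate can be reported.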