How to setup LDAPS on Windows 2008 R2 Server

Posted on 2011-03-03
Last Modified: 2013-11-18
I purchased a SAN cert from GoDaddy and am not sure what to do at this point. I have seen one answer that says to set up the request.inf as follows:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=DC1.YourDomain.local"  ; enter FQDN here - must be FQDN not another name
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
KeyLength=2048
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
KeySpec=1
SMIME=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
; OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon - include even if you don't use SC right now ; comment out if going to a commercial CA - include if internally issued

[RequestAttributes]
; CertificateTemplate = WebServer ;Change to appropriate template name or OID ;Omit  line if CA is a stand-alone CA or commercial or other non-MS CA
; SAN = "dns=server1.domain.local&dns=server1&dns=ldap.domain.local&dns=server1&ipaddress=192.168.0.1" ; do not include if submitting to commercial CA - purchase a SAN cert and fill in during the appropriate step

Not sure if I need everything or not, but I would love some input. Also, I am using the cert for SSO from an external server, so I am not sure that setting the cert up with the Subject being the local server name (Subject="CN=DC1.YourDomain.local") would work for me. I am guessing that I need to set up an external DNS entry for the LDAP server and use the external name as my server name (Subject="CN=LDAP.YourExternalDomain.com"). Is that correct? Also, if I have 2 LDAP servers on my network, one being the root DC and the other the backup DC, should I be setting this cert up for the backup DC? When I open up communication between the external server and my LDAP server, my firewall will be set to only allow LDAPS communication from their IP to my IP, which will hopefully lock it down.
Question by: Greg27
2 Comments

Accepted Solution by Tasmant (LVL 11, earned 2000 total points), ID: 35147188

You don't have to open any LDAP/LDAPS port on your external firewall.
If you request a certificate for a web server (using GoDaddy), just insert the FQDN of your web server (the public name) after "CN=", as in "CN=mywebserver.domain.com".
The common name of the certificate will be "mywebserver.domain.com".
I think you can remove the whole [RequestAttributes] section, unless you want alternate names on your certificate (SAN).
Remove at least the CertificateTemplate line.
Remove the OID for smart card logon.
Save your file as request.inf.
Launch the command certreq -new request.inf certreq.req.
Then I think you can enter the content of the certreq.req file into GoDaddy to request your certificate.
 

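An added check, not part of the question or of Tasmant's answer: once GoDaddy has issued the certificate and it has been installed on the DC (certreq -accept on the same machine that ran certreq -new, so the private key generated with MachineKeySet=TRUE is matched up), this PowerShell script verifies that the certificate in the machine store names the host clients will connect to (Subject CN or SAN), carries the Server Authentication EKU from the [EnhancedKeyUsageExtension] section, is inside its validity window and has its private key. It then opens a TLS session to TCP 636 and runs the same checks on the certificate the DC actually presents. The host name ldap.example.com is a placeholder, and the function names (Get-CertificateNames, Test-LdapsCertificate, Get-LdapsPresentedCertificate) are chosen here, not Windows or certreq names.

```powershell
# Added example, not from the original question or answer. Assumes Windows
# PowerShell on the DC (for the store check) or on a host that is allowed to
# reach the DC on TCP 636 (for the listener check). Host names are placeholders.
param(
    # One entry per DC that serves LDAPS; each DC needs a certificate in its own store.
    [string[]]$LdapHosts = @('ldap.example.com'),
    [int]$Port = 636
)

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every Subject Alternative Name entry (DNS names and IP
    # addresses), lower-cased so comparisons are case-insensitive.
    $names = @()
    foreach ($part in ($Cert.Subject -split ',')) {
        if ($part.Trim() -like 'CN=*') { $names += $part.Trim().Substring(3) }
    }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) {
        # Format($false) renders e.g. "DNS Name=a.example.com, IP Address=192.0.2.1"
        foreach ($entry in ($san.Format($false) -split ',')) {
            $names += ($entry -split '=', 2)[-1].Trim()
        }
    }
    return @($names | ForEach-Object { $_.ToLowerInvariant() })
}

function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName,
        [switch]$RequirePrivateKey
    )
    $problems = @()
    $names = Get-CertificateNames -Cert $Cert
    if ($names -notcontains $ExpectedName.ToLowerInvariant()) {
        $problems += "name '$ExpectedName' is not in CN/SAN ($($names -join ', '))"
    }
    # Server Authentication EKU, the OID from the request.inf above.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # id-ce-extKeyUsage
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if (-not $hasServerAuth) { $problems += "EKU lacks Server Authentication ($serverAuthOid)" }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity window $($Cert.NotBefore) .. $($Cert.NotAfter)"
    }
    # Only meaningful for the copy in the DC's own store; a certificate received
    # over the wire never has a private key attached.
    if ($RequirePrivateKey -and -not $Cert.HasPrivateKey) {
        $problems += 'no private key (was certreq -accept run on this DC for a request made with MachineKeySet=TRUE?)'
    }
    return ,$problems
}

function Get-LdapsPresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate so the handshake completes and the
        # certificate can be inspected; trust is judged by Test-LdapsCertificate,
        # not by this callback. Do not reuse this callback in real clients.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

foreach ($ldapHost in $LdapHosts) {
    Write-Host "== $ldapHost =="
    # (a) Certificates in the local machine store that name this host.
    $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (Get-CertificateNames -Cert $_) -contains $ldapHost.ToLowerInvariant()
    }
    if (-not $local) { Write-Host "  no certificate naming $ldapHost in LocalMachine\My (expected if not run on the DC)" }
    foreach ($c in $local) {
        $p = Test-LdapsCertificate -Cert $c -ExpectedName $ldapHost -RequirePrivateKey
        Write-Host ("  store     {0}: {1}" -f $c.Thumbprint, $(if ($p.Count) { $p -join '; ' } else { 'OK' }))
    }
    # (b) The certificate the DC actually presents on the LDAPS port.
    try {
        $presented = Get-LdapsPresentedCertificate -HostName $ldapHost -Port $Port
        $p = Test-LdapsCertificate -Cert $presented -ExpectedName $ldapHost
        Write-Host ("  presented {0}: {1}" -f $presented.Thumbprint, $(if ($p.Count) { $p -join '; ' } else { 'OK' }))
    } catch {
        Write-Host "  LDAPS connection to ${ldapHost}:$Port failed: $($_.Exception.Message)"
    }
}
```

Run it as .\Check-Ldaps.ps1 -LdapHosts ldap.example.com,dc2.example.com (placeholder names) on each DC. The second check matters because the DC selects a certificate from its own machine store at run time; if several server-authentication certificates are present it may present one other than the one just installed, which shows up as a thumbprint or name mismatch in the "presented" line. It also answers the two-DC question in practice: a DC only presents a certificate that sits in its own store with a private key, so a second DC that is expected to answer LDAPS needs a certificate that names it, installed on that DC.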
Author Closing Comment by Greg27, ID: 35265065

Thanks Tasmant.