LDAPS via internet certificate: include internal or external FQDN?

Posted on 2011-05-06
Last Modified: 2013-11-05

I want to connect a mail filter service (Mimecast) to our Active Directory with LDAPS via the internet. I know I have to request a certificate. According to the MS KB article, I should include the FQDN of the domain controller. I guess this is the internal FQDN (dc01.myad.local). But Mimecast will connect via the internet, so I'll make an external DNS entry bound to a public IP address linked to this domain controller (dc01.myad.local). Should I include the public DNS name in the certificate as well, or just the public name, or just the internal name?

Thanks in advance!
Question by: MazarsAvR

Expert Comment

You should have the public name as the DNS name.

The internal name should be a subject alternative name (SAN). Make sure you add BOTH the FQDN and the NetBIOS name as SANs.

ALSO make sure that you create the request for the external certificate on the DC where it will be installed, as the DC will need the private key in order to use it for LDAPS. Use the command-line utility to import the final cert (as per the article you have) and not the GUI MMC snap-in, and after the cert import, when you use the Certificates snap-in to look at the cert, it should show at the bottom that the certificate includes the private key.

You must also remember to remove the existing self-signed or self-enrolled certificates so that only the external certificate is on the server.


Accepted Solution

I found the solution myself. The public DNS name was not required. Mimecast connects via IP address. Just the internal name of the domain controller should be in the CN of the certificate.
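
The following is an added illustration, not code from the thread, Mimecast or Microsoft. It models the hostname check a strict TLS client performs when it connects to the domain controller on 636, using the three certificate layouts discussed above (public name in the CN with internal names as SANs; internal FQDN in the CN with no SANs; every name plus the public IP as SANs). The certificate contents, host names and the 203.0.113.10 address are constructed for the example. Two points worth knowing before requesting the certificate: a client that follows RFC 6125 ignores the subject CN as soon as the certificate carries any SAN, so the name a client connects by must itself be a SAN entry; and a client that connects by IP literal and still validates names needs an iPAddress SAN, otherwise it only works because that client does not check the name at all.

```python
"""Name matching for an LDAPS server certificate (added example, constructed data)."""
import ipaddress

# Constructed certificate descriptions (not parsed from real certificates).
# Layout suggested in the expert comment: public name in the CN, internal names as SANs.
CERT_CN_PUBLIC_SAN_INTERNAL = {
    "subject_cn": "ldap.example.com",
    "san_dns": ["dc01.myad.local", "dc01"],
    "san_ip": [],
}
# Layout the asker settled on: only the internal FQDN, in the CN, no SANs.
CERT_INTERNAL_CN_ONLY = {
    "subject_cn": "dc01.myad.local",
    "san_dns": [],
    "san_ip": [],
}
# Layout that validates for every way a client might address the DC.
CERT_ALL_NAMES_IN_SAN = {
    "subject_cn": "dc01.myad.local",
    "san_dns": ["dc01.myad.local", "dc01", "ldap.example.com"],
    "san_ip": ["203.0.113.10"],  # constructed TEST-NET-3 address standing in for the public IP
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName SAN entry (or a CN) with the host name the client used.

    Case-insensitive; a wildcard is honoured only as the entire leftmost label,
    never matches across a dot, and is refused for names with fewer than three
    labels (RFC 6125 section 6.4.3 practice)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(cert: dict, target: str) -> bool:
    """Return True if `target` (a DNS name or an IP literal) is covered by `cert`.

    Mirrors a strict client: an IP literal matches only an iPAddress SAN; a DNS
    name is checked against dNSName SANs; the subject CN is consulted only when
    the certificate carries no SAN extension at all."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(ip) == addr for ip in cert["san_ip"])
    if cert["san_dns"] or cert["san_ip"]:
        return any(_dns_name_matches(p, target) for p in cert["san_dns"])
    return _dns_name_matches(cert["subject_cn"], target)


def coverage(cert: dict, targets) -> dict:
    """Map each way a client may address the DC to whether the certificate validates."""
    return {t: certificate_matches(cert, t) for t in targets}


# The four ways a client could address this domain controller (constructed).
TARGETS = ["ldap.example.com", "dc01.myad.local", "dc01", "203.0.113.10"]

if __name__ == "__main__":
    for label, cert in [("CN=public, SAN=internal", CERT_CN_PUBLIC_SAN_INTERNAL),
                        ("CN=internal, no SAN", CERT_INTERNAL_CN_ONLY),
                        ("all names and IP in SAN", CERT_ALL_NAMES_IN_SAN)]:
        print(f"{label:28} {coverage(cert, TARGETS)}")
```

Running it shows that the first layout fails for the public name (the CN is ignored once SANs exist), the second fails for the NetBIOS name, the public name and the IP, and only the third validates for all four. The practical rule is to list every name and address a client will ever connect by as a SAN and to treat the CN as a duplicate of one of them.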

Author Closing Comment

Found the answer myself by testing.
