Server 2003 CSR

Posted on 2011-10-10
Last Modified: 2013-07-06
I do not know how certs work on Server 2003. I am NOT looking for a web cert. I need a certificate for an LDAP connection. Because we have different private and public domains, we need it keyed with a SAN.

So I need a CSR from our server 2003 DC for ldap not IIS. Do I still use IIS to make the CSR?
Question by:CCUITAdmin

    Expert Comment


    There is no user interface for configuring LDAPS. Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.

    Generate the CSR from IIS and get it signed by the certificate authority (CA). Once you receive the certificate from the CA, import it into the IIS website where you generated the CSR, and then export the private key (.PFX).

    Import the private key you exported from IIS to the LDAP server Local Computer's Personal certificate store.


    Requirements for an LDAPS certificate
    To enable LDAPS, you must install a certificate that meets the following requirements:
    The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
    A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
    The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
    The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    The Common Name (CN) in the Subject field.
    DNS entry in the Subject Alternative Name extension.
    The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
    You must use the Schannel cryptographic service provider (CSP) to generate the key.

    Creating the certificate request
    Any utility or application that creates a valid PKCS #10 request can be used to form the SSL certificate request. Use Certreq to form the request.

    Note The commands that are used in this article rely on the 2003 version of Certreq. In order to use the steps in this article on a Windows 2000 server, copy certreq.exe and certcli.dll from a Windows 2003 server into a temporary directory on the Windows 2000 server.

    Certreq.exe requires a text instruction file to generate an appropriate X.509 certificate request for a domain controller. You can create this file by using your preferred ASCII text editor. Save the file as an .inf file to any folder on your hard drive.

    To request a Server Authentication certificate that is suitable for LDAPS, follow these steps:
    Create the .inf file. Following is an example .inf file that can be used to create the certificate request.
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

    Note Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=", CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US."
    Create the request file. To do this, type the following command at the command prompt, and then press ENTER:
    certreq -new request.inf request.req
    A new file called Request.req is created. This is the base64-encoded request file.
    Submit the request to a CA. You can submit the request to a Microsoft CA or to a third-party CA.
    Retrieve the certificate that is issued, and then save the certificate as Certnew.cer in the same folder as the request file. To do this, follow these steps:
    Create a new file called Certnew.cer.
    Open the file in Notepad, paste the encoded certificate into the file, and then save the file.
    Note The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.
    Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:
    certreq -accept certnew.cer
    Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:
    Start Microsoft Management Console (MMC).
    Add the Certificates snap-in that manages certificates on the local computer.
    Expand Certificates (Local Computer), expand Personal, and then expand Certificates.
    A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.
    Restart the domain controller.

    Verifying an LDAPS connection
    After a certificate is installed, follow these steps to verify that LDAPS is enabled:
    Start the Active Directory Administration Tool (Ldp.exe).

    Note This program is installed in the Windows 2000 Support Tools.
    On the Connection menu, click Connect.
    Type the name of the domain controller to which you want to connect.
    Type 636 as the port number.
    Click OK.

    RootDSE information should print in the right pane, indicating a successful connection.

    Possible issues
    Start TLS extended request
    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.
    Multiple SSL certificates
    Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
    Pre-SP3 SSL certificate caching issue
    If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.
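A check for the requirements list above, as an added example that is not from the thread or from Microsoft: it parses a certreq .inf and reports which LDAPS requirements the request would miss, including whether the DC's FQDN is covered by the Subject CN or a SAN dns= entry. The sample .inf, the hostnames and the [Extensions] SAN syntax (that of later certreq releases, not shown in the thread) are constructed assumptions.

```python
# Added example (not from the thread): lint a certreq .inf against the LDAPS
# certificate requirements. SAMPLE_INF below is constructed sample input.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: Server Authentication
def parse_inf(text):
    # {section: [(key, value), ...]}; strips ';' comments and quotes, keeps duplicate keys
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value.strip('"')))
    return sections

def lint_ldaps_inf(text, dc_fqdn):
    # Returns a list of findings; an empty list means the request meets the requirements.
    inf = parse_inf(text)
    req = dict(inf.get("newrequest", []))
    findings = []
    # The DC's AD FQDN must be the Subject CN or a SAN dns= entry (certreq joins _continue_ values).
    rdns = (p.partition("=") for p in req.get("subject", "").split(","))
    cn = next((v.strip() for k, _, v in rdns if k.strip().upper() == "CN"), "")
    san = "".join(v for k, v in inf.get("extensions", []) if k == "_continue_")
    san_dns = [e[4:].lower() for e in san.split("&") if e.lower().startswith("dns=")]
    if dc_fqdn.lower() != cn.lower() and dc_fqdn.lower() not in san_dns:
        findings.append(f"DC FQDN {dc_fqdn} is neither the Subject CN nor a SAN dns= entry")
    # The key must live in the Local Computer store without strong private key protection.
    if (req.get("machinekeyset", "").upper(), req.get("userprotected", "FALSE").upper()) != ("TRUE", "FALSE"):
        findings.append("MachineKeySet must be TRUE and UserProtected must be FALSE")
    # The key must come from the Schannel CSP and the EKU must include Server Authentication.
    if "schannel" not in req.get("providername", "").lower():
        findings.append("ProviderName must be the Microsoft RSA SChannel Cryptographic Provider")
    if SERVER_AUTH_OID not in [v for _, v in inf.get("enhancedkeyusageextension", [])]:
        findings.append(f"EnhancedKeyUsageExtension must contain OID {SERVER_AUTH_OID}")
    return findings

SAMPLE_INF = """[NewRequest]
Subject = "CN=dc01.corp.example, OU=Servers" ; constructed internal DC FQDN
MachineKeySet = TRUE
UserProtected = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=dc01.corp.example&"
_continue_ = "dns=ldap.example.com&"
"""
```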

    Accepted Solution


    Thank you so much for your help! I do have a few clarifying questions. We need the cert for an external third party company to access our server. We updated the global DNS records so that a name resolves to an outside IP which gets forwarded to our internal server. The requests come into our firewall for

    and then get forwarded to a computer called


    does that change anything in your answer? I was going to fix that by using a subject alternative name in our cert, but I'm not sure if that's the right approach. So in our case the CA would be GoDaddy?

    Author Comment

    We consulted several experts and tried various things. Nothing worked very well.

    Author Closing Comment

    Good answer with lots of good info, but it didn't exactly do what we needed.
