Solved

Installing 3rd party certificate on multiple Server 2008 Active Directory servers

Posted on 2012-03-20
1
460 Views
Last Modified: 2012-08-13
Looking at adding SSL to secure LDAP connections.
Primary need is to have the certificate installed on the Read Only AD server that will have the port opened up to specific IP addresses for hosted services off campus.

But would also like to add the option to the on campus AD servers that many devices connect to, as more of them are now supporting secure connection.

In reading through the Microsoft documentation, I am seeing the following:
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com


So if I have the following scenario:
ADRO.contoso.com (the read only server)
AD1.contoso.com
AD2.contoso.com
ADVM.contos.com
ADRemote.contoso.com (AD server that will placed in DR site)

There will also be a DNS name of LDAP.contoso.com that will point to multiple AD server IP addresses.
There may be another DNS name of LDAPOC.contoso.com that points to the single read only server (with the thought that there may be a 2nd one of these down the road, and wanting a single DNS name that can point to both)

and I would like to put a certificate on all of the servers, the question I have is whether I can do this with a single SAN certificate with all of the desired names, or if this will require separate certificates for each AD server that will break down the naming like:

Certificate #1
Subject:CN=ADRO.contoso.com
With altenate SAN name of DNS record of LDAPOC.contoso.com

Certicate #2
Subject:CN=AD1.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #3
Subject:CN=AD2.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #4
Subject:CN=ADVM.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #5
Subject:CN=ADRemote.contoso.com
With alternate SAN name of LDAP.contoso.com
0
Comment
Question by:pifer-grinnell-edu
1 Comment
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 37745863
single SAN certificate with all of the desired names will work fine or even a wildcard certificate (basically the same thing)
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question