Solved

Installing 3rd party certificate on multiple Server 2008 Active Directory servers

Posted on 2012-03-20
1
452 Views
Last Modified: 2012-08-13
Looking at adding SSL to secure LDAP connections.
Primary need is to have the certificate installed on the Read Only AD server that will have the port opened up to specific IP addresses for hosted services off campus.

But would also like to add the option to the on campus AD servers that many devices connect to, as more of them are now supporting secure connection.

In reading through the Microsoft documentation, I am seeing the following:
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com


So if I have the following scenario:
ADRO.contoso.com (the read only server)
AD1.contoso.com
AD2.contoso.com
ADVM.contos.com
ADRemote.contoso.com (AD server that will placed in DR site)

There will also be a DNS name of LDAP.contoso.com that will point to multiple AD server IP addresses.
There may be another DNS name of LDAPOC.contoso.com that points to the single read only server (with the thought that there may be a 2nd one of these down the road, and wanting a single DNS name that can point to both)

and I would like to put a certificate on all of the servers, the question I have is whether I can do this with a single SAN certificate with all of the desired names, or if this will require separate certificates for each AD server that will break down the naming like:

Certificate #1
Subject:CN=ADRO.contoso.com
With altenate SAN name of DNS record of LDAPOC.contoso.com

Certicate #2
Subject:CN=AD1.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #3
Subject:CN=AD2.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #4
Subject:CN=ADVM.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #5
Subject:CN=ADRemote.contoso.com
With alternate SAN name of LDAP.contoso.com
0
Comment
Question by:pifer-grinnell-edu
1 Comment
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
Comment Utility
single SAN certificate with all of the desired names will work fine or even a wildcard certificate (basically the same thing)
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now