Solved

Installing 3rd party certificate on multiple Server 2008 Active Directory servers

Posted on 2012-03-20
458 Views
Last Modified: 2012-08-13
Looking at adding SSL to secure LDAP connections.
Primary need is to have the certificate installed on the Read Only AD server that will have the port opened up to specific IP addresses for hosted services off campus.

But would also like to add the option to the on campus AD servers that many devices connect to, as more of them are now supporting secure connection.

In reading through the Microsoft documentation, I am seeing the following:
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com


So if I have the following scenario:
ADRO.contoso.com (the read only server)
AD1.contoso.com
AD2.contoso.com
ADVM.contoso.com
ADRemote.contoso.com (AD server that will be placed in the DR site)

There will also be a DNS name of LDAP.contoso.com that will point to multiple AD server IP addresses.
There may be another DNS name of LDAPOC.contoso.com that points to the single read only server (with the thought that there may be a 2nd one of these down the road, and wanting a single DNS name that can point to both)

I would like to put a certificate on all of the servers. The question I have is whether I can do this with a single SAN certificate containing all of the desired names, or whether this will require separate certificates for each AD server, breaking down the naming like:

Certificate #1
Subject:CN=ADRO.contoso.com
With alternate SAN name of DNS record LDAPOC.contoso.com

Certificate #2
Subject:CN=AD1.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #3
Subject:CN=AD2.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #4
Subject:CN=ADVM.contoso.com
With alternate SAN name of LDAP.contoso.com

Certificate #5
Subject:CN=ADRemote.contoso.com
With alternate SAN name of LDAP.contoso.com
Question by:pifer-grinnell-edu
1 Comment
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 37745863
A single SAN certificate with all of the desired names will work fine, or even a wildcard certificate (basically the same thing).
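As an added example (not part of the question or of the accepted answer), the following Python script checks whether a proposed SAN list covers every name in the asker's scenario, using the same matching rule clients apply to a dNSName entry: exact match ignoring case, or a wildcard that is the whole leftmost label and matches exactly one label. The server names and aliases are the ones from the question; the `fetch_ldaps_san` helper, the port 636 default and the assumption that the issuing CA is already trusted on the machine running the script are mine, and the `if __name__` block is a constructed demonstration rather than a capture from a real domain controller.

```python
import ssl
import socket

# Constructed from the scenario in the question: every DC's FQDN plus the two
# shared DNS aliases that LDAP clients will connect to.
DC_FQDNS = ["ADRO.contoso.com", "AD1.contoso.com", "AD2.contoso.com",
            "ADVM.contoso.com", "ADRemote.contoso.com"]
SHARED_ALIASES = ["LDAP.contoso.com", "LDAPOC.contoso.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive; '*' is accepted only as
    the entire leftmost label and matches exactly one label, so *.contoso.com
    covers ad1.contoso.com but neither contoso.com nor ldap.dr.contoso.com."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        suffix = p[1:]                      # ".contoso.com"
        if h.endswith(suffix):
            leftmost = h[: -len(suffix)]    # the label the wildcard must stand in for
            return leftmost != "" and "." not in leftmost
    return False


def coverage_report(san_dns_names, hostnames):
    """Map each hostname to the SAN entry that covers it, or None if nothing does."""
    return {host: next((p for p in san_dns_names if dns_name_matches(p, host)), None)
            for host in hostnames}


def uncovered_hosts(san_dns_names, hostnames):
    """Hostnames no SAN entry covers; an empty list means one cert serves them all."""
    return [h for h, p in coverage_report(san_dns_names, hostnames).items() if p is None]


def san_dns_names_from_peercert(peercert: dict):
    """Pull the dNSName entries out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_ldaps_san(host: str, port: int = 636, timeout: float = 5.0):
    """Connect to an LDAPS listener and return the DNS names in its certificate.
    Assumes network access and that the local trust store accepts the issuing CA.
    Hostname checking is disabled on purpose: the point is to inspect the SAN,
    and the caller then decides with uncovered_hosts() whether the names suffice."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_dns_names_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    everything = DC_FQDNS + SHARED_ALIASES
    # Option from the accepted answer: one SAN certificate listing every name.
    print("single SAN cert, uncovered:", uncovered_hosts(everything, everything))
    # Wildcard alternative: covers all of these because each is one label under contoso.com.
    print("wildcard cert, uncovered:", uncovered_hosts(["*.contoso.com"], everything))
    # Mistake to catch: installing the cert cut for AD1 on AD2.
    print("AD1's cert on AD2, uncovered:",
          uncovered_hosts(["AD1.contoso.com", "LDAP.contoso.com"],
                          ["AD2.contoso.com", "LDAP.contoso.com"]))
```

Run `uncovered_hosts(fetch_ldaps_san("AD1.contoso.com"), ["AD1.contoso.com", "LDAP.contoso.com"])` against each DC after installation to confirm it presents both its own FQDN and the shared alias; the wildcard case shows why a wildcard would not help if a DC ever sat under a deeper subdomain such as a DR-site zone.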
