pifer-grinnell-edu
asked on
Installing 3rd party certificate on multiple Server 2008 Active Directory servers
Looking at adding SSL to secure LDAP connections.
Primary need is to have the certificate installed on the Read Only AD server that will have the port opened up to specific IP addresses for hosted services off campus.
But would also like to add the option to the on campus AD servers that many devices connect to, as more of them are now supporting secure connection.
In reading through the Microsoft documentation, I am seeing the following:
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso
So if I have the following scenario:
ADRO.contoso.com (the read only server)
AD1.contoso.com
AD2.contoso.com
ADVM.contos.com
ADRemote.contoso.com (AD server that will placed in DR site)
There will also be a DNS name of LDAP.contoso.com that will point to multiple AD server IP addresses.
There may be another DNS name of LDAPOC.contoso.com that points to the single read only server (with the thought that there may be a 2nd one of these down the road, and wanting a single DNS name that can point to both)
and I would like to put a certificate on all of the servers, the question I have is whether I can do this with a single SAN certificate with all of the desired names, or if this will require separate certificates for each AD server that will break down the naming like:
Certificate #1
Subject:CN=ADRO.contoso.co
With altenate SAN name of DNS record of LDAPOC.contoso.com
Certicate #2
Subject:CN=AD1.contoso.com
With alternate SAN name of LDAP.contoso.com
Certificate #3
Subject:CN=AD2.contoso.com
With alternate SAN name of LDAP.contoso.com
Certificate #4
Subject:CN=ADVM.contoso.co
With alternate SAN name of LDAP.contoso.com
Certificate #5
Subject:CN=ADRemote.contos
With alternate SAN name of LDAP.contoso.com
Primary need is to have the certificate installed on the Read Only AD server that will have the port opened up to specific IP addresses for hosted services off campus.
But would also like to add the option to the on campus AD servers that many devices connect to, as more of them are now supporting secure connection.
In reading through the Microsoft documentation, I am seeing the following:
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso
So if I have the following scenario:
ADRO.contoso.com (the read only server)
AD1.contoso.com
AD2.contoso.com
ADVM.contos.com
ADRemote.contoso.com (AD server that will placed in DR site)
There will also be a DNS name of LDAP.contoso.com that will point to multiple AD server IP addresses.
There may be another DNS name of LDAPOC.contoso.com that points to the single read only server (with the thought that there may be a 2nd one of these down the road, and wanting a single DNS name that can point to both)
and I would like to put a certificate on all of the servers, the question I have is whether I can do this with a single SAN certificate with all of the desired names, or if this will require separate certificates for each AD server that will break down the naming like:
Certificate #1
Subject:CN=ADRO.contoso.co
With altenate SAN name of DNS record of LDAPOC.contoso.com
Certicate #2
Subject:CN=AD1.contoso.com
With alternate SAN name of LDAP.contoso.com
Certificate #3
Subject:CN=AD2.contoso.com
With alternate SAN name of LDAP.contoso.com
Certificate #4
Subject:CN=ADVM.contoso.co
With alternate SAN name of LDAP.contoso.com
Certificate #5
Subject:CN=ADRemote.contos
With alternate SAN name of LDAP.contoso.com
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.