LDAP over SSL implementation

Transitioning from 2003 domain controllers to 2012.  The previous admin installed CA on the 2003 DC (we are assuming) to enable ldap over ssl but it isn't functioning correctly.  I can connect using ldp.exe over ssl when I'm local on the old 2003 server, but when testing from clients it doesn't work.  The error is below:

ld = ldap_sslinit("server.domain.local", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to server.domain.local.

What would be the best option to get ldap ssl working on server 2012?  The new 2012 server is in place and all the roles have been transferred.  The only thing we would be currently using it for would be AD integration for our firewall, but that may change in the future.  Should we migrate the CA from 2003 to 2012 and try to get that working or get rid of the 2003 CA and import a certificate from a third party?

Chris Dent (PowerShell Developer) commented:
Do you use the CA for anything else? Do you wish to maintain an internal CA?

If it's not used for anything else, and you don't want to maintain a CA, and no one objects to the cost of a third party certificate you can, of course, use one.

The requirements for third party certificates are here:


Personally I used a 2012 CA and the KDC authentication template, but to use that you must maintain a CA (and all its associated components).

Is the cert issued to the server for the LDAP server still valid? Is the certificate chain for the certificate valid?
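One way to answer those two questions from a client, as an added PowerShell example that is not part of this thread: it performs the same TLS handshake ldp.exe does on port 636 but surfaces the certificate details and chain errors behind the generic error 81. It assumes the hostname server.domain.local from the question and a domain-joined client.

```powershell
# Added example, not from the thread: probe a DC's LDAPS port the way a client would,
# and report the certificate details and chain errors that ldp.exe error 81 hides.
# Assumptions: run from a domain-joined client; 'server.domain.local' is the FQDN
# from the question, substitute your DC's name as clients resolve it.
param(
    [string]$DcFqdn = 'server.domain.local',
    [int]$Port = 636
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
# Record what Windows objected to, but let the handshake finish so the
# certificate the DC actually presented can still be inspected.
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    # A failure here is TCP-level: a firewall, or no LDAPS listener on the DC at all.
    $tcp.Connect($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    # The target host name is what the client matches against the certificate's SANs.
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Rebuild the chain locally to get per-link status, not just the summary flags.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt (Get-Date))   # the root cause later in this thread
        DnsNames        = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
        ServerAuthEKU   = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        HandshakeErrors = $script:policyErrors
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Expired = True, a missing Server Authentication EKU, a DnsNames list that does not contain the name clients use, or a ChainStatus naming an untrusted root each point to a different fix (renew, reissue from the right template, or distribute the CA certificate to clients).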
jasp101 (Author) commented:
We don't have a need for an internal CA.

jasp101 (Author) commented:
Domain is an internal name...asked digicert about it and they are going to stop supporting internal domains at the end of this year.  So I will have to either use an internal CA or rename the domain.
jasp101 (Author) commented:
Another update.  Certificate from old 2003 CA was expired.  After renewing and waiting for everything to update, I can connect via ldp.exe over ssl.  I guess my next step is to migrate the CA to the new 2012 DC.
Chris Dent (PowerShell Developer) commented:
You might consider decommissioning the old CA and bringing a new one online if all it does is issue certificates for the DCs. If nothing else is issued you don't need to consider retaining CRLs, or the root key, or anything at all really.