ferrarista
asked on
SAN Certificate for multiple Domain Controllers
Guys
I've been asked to install a single SAN certificate to 22 Domain Controllers for LDAPS usage.
I've found this Microsoft link (https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate) that gives me some information. Is this procedure correct? Because it says I need to input the name of the DC, but I need to use an alias. The reason being, they must not reference the single DC (in case this is down, offline, etc.).
PS: I'm using an internal PKI (not third party).
Thanks for shedding some light...
ASKER
Thanks. I just issued the command certutil -getreg policy\editflags and it seems the CA is already configured to issue SAN certs.
I will now work on this....
ASKER
OK Radhakrishnan.
Pls bear with me.
I'm a bit confused. In order to use the same SAN certificate for all of the Domain Controllers (same domain), do I need to use a single ALIAS in the "SAN:" field, or populate it with each single DC (i.e. SAN:DNS=mydc1;mydc2;etc.)?
Thanks again for your help.
Hi,
I was just giving an example adding as domain, i.e. if you have 3 domains a, b, c then add SAN:DNS=domain a; domain b; domain c. The same applies to DCs as well.
ASKER
OK Rad. Thanks very much.
Resolution given
ASKER
Can you tell me how I can check if the CA is configured to handle SAN certificates?
Regarding the SAN notation, if I decide to use, say, the alias MY_DC, how would that look?
Thanks!
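An added worked example, not posted by anyone in this thread, that puts the two follow-up questions above (checking the CA flag, and what a SAN with an alias looks like) into a script a PKI admin would run on one of the DCs. All names are assumptions: `ldap.contoso.com` is the alias, `dc01.contoso.com` to `dc22.contoso.com` are the DC FQDNs, and `ca01.contoso.com\Contoso-Issuing-CA` is the CA configuration string; the `WebServer` template is only a placeholder for whatever template the internal CA uses. The SAN lists both the alias and every DC name, because a client validates whatever name it connected to: a DC's own hostname must be in the certificate as well as the alias, or connections that use the real name fail validation.

```powershell
# Added example (not from the thread). Assumed names: alias ldap.contoso.com,
# DCs dc01..dc22.contoso.com, CA config "ca01.contoso.com\Contoso-Issuing-CA".
$alias = 'ldap.contoso.com'
$dcs   = 1..22 | ForEach-Object { 'dc{0:d2}.contoso.com' -f $_ }
$caConfig = 'ca01.contoso.com\Contoso-Issuing-CA'

# 1. Check whether the CA honours SAN supplied as a request *attribute*
#    (the EditFlags setting the thread refers to, from KB 931351).
#    Note: this flag is CA-wide; it lets any enrollee name any SAN, so the
#    CSR-extension route below is preferred and works without it.
$flags = certutil -getreg policy\EditFlags
$sanFlagEnabled = [bool]($flags | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2')
"CA accepts SAN request attribute: $sanFlagEnabled"

# 2. Build a certreq .inf whose SAN extension (OID 2.5.29.17) lists the alias
#    plus every DC FQDN. Each _continue_ line ends with '&', as certreq expects.
$sanLines = (@($alias) + $dcs | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$alias"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path .\ldaps.inf -Value $inf -Encoding ASCII

# 3. Create, submit and install the request on this DC (machine store).
certreq -new .\ldaps.inf .\ldaps.req
certreq -submit -config $caConfig .\ldaps.req .\ldaps.cer
certreq -accept .\ldaps.cer

# 4. Export with private key (Exportable = TRUE above) so the same certificate
#    can be imported into the other 21 DCs' LocalMachine\My stores with
#    Import-PfxCertificate; the PFX password is a placeholder here.
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$alias" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1).Thumbprint
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath .\ldaps.pfx -Password $pfxPassword

# 5. Verification a defender wants after rollout: connect to 636 by a given name
#    and confirm that name appears in the presented certificate's SAN.
function Test-LdapsSan {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
        [pscustomobject]@{ Name = $HostName; InSan = ($san -match [regex]::Escape("DNS Name=$HostName")); SAN = $san }
    } finally { $ssl.Dispose(); $client.Dispose() }
}
@($alias) + $dcs | ForEach-Object { Test-LdapsSan -HostName $_ } | Format-Table Name, InSan
```

The verification function deliberately disables chain checking (`$noCheck`) only so it can read the certificate that is actually served; it reports whether each name is present in the SAN, and any `InSan = False` row is a DC that will fail client name validation for that name. The same name list is what the CA sees in the CSR, so no SAN request attribute (`-attrib "SAN:..."`) is needed and the CA-wide EditFlags setting can stay off.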