Techpository
Windows: Creating a Domain Authentication certificate (Mini version)
Creating a Domain Authentication certificate.

Here are the steps for creating a server certificate that allows LDAPS communication from any server to a domain controller.

1. Connect to the domain controller.
2. Create a file called request.inf (the name certreq is given in step 4).
3. Copy and paste the information below into it:

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=servername.domainname.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
; TRUE allows the private key to be exported together with the certificate;
; set it to FALSE unless you need to move the key off this DC.
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; This is for Server Authentication

4. From a command line with administrator privileges, enter: certreq -new request.inf request.req
This creates your certificate request in request.req.
5. Go to your certificate server via its web interface: http://servername/certsrv
6. Click Request a certificate
7. Click advanced certificate request
8. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal by using a base-64-encoded PKCS #7 file."
9. Fill out the form as follows:

Request text box: copy and paste the text that is inside the request.req file.

Certificate Template: Domain Controller Authentication

10. Click Submit

11. Download the DER and/or Base-64 encoded certificate.

You are now ready to install the certificate on your server.
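As an added example that is not part of the original post, here is a PowerShell check to run from any domain member once the issued certificate has been installed on the DC (for example with certreq -accept on the downloaded file): it connects to LDAPS and confirms that the certificate presented carries the Server Authentication EKU, the DC's FQDN and the requested key length, and that it chains to a root this machine trusts. The FQDN is a placeholder; replace it with the CN from your request.inf.

```powershell
# Added example (not from the original post): verify the certificate that LDAPS (TCP 636)
# presents matches what request.inf asked for. $DcFqdn is the CN from the Subject line.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [int]$Port = 636,
        [int]$ExpectedKeyLength = 2048          # KeyLength from request.inf
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'        # OID from [EnhancedKeyUsageExtension]

    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    # Accept any certificate during the handshake so an untrusted one can still be inspected;
    # trust is evaluated separately with X509Chain below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($DcFqdn)      # TLS handshake, SNI = DC FQDN
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Does the certificate carry the Server Authentication EKU?
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    # Does the DNS name in the certificate (SAN, falling back to CN) match the FQDN clients use?
    $certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    # Does the chain build to a root trusted by this machine?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $chain.Build($cert)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        NameMatches   = ($certName -eq $DcFqdn)
        ServerAuthEku = $hasServerAuth
        KeyLength     = $rsa.KeySize
        KeyLengthOk   = ($rsa.KeySize -ge $ExpectedKeyLength)
        ChainTrusted  = $chainTrusted
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Placeholder FQDN: replace with the CN from your request.inf.
Test-LdapsCertificate -DcFqdn 'servername.domainname.local'
```

If Schannel has not yet picked up the newly installed certificate, the output still describes whatever certificate the DC currently serves, so check Subject and NotAfter as well as the boolean fields.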