July 29

Windows: Creating a Domain Authentication certificate (Mini version)

Creating a Domain Authentication certificate.

Here are the steps in creating a server certificate to allow LDAPS communication from any server to a Domain controller.

1. Connect to the domain controller
2. create a file called request.ini
3. Copy and paste the information below:


Signature=”$Windows NT$


Subject = “CN=servername.domainname.local” ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0


OID= ; This is for Server Authentication

4. From a command line with administrator priviledges enter: certreq -new request.inf request.req
This will create your certificate request.
5. Goto your certificate server via it’s web interface: http://servername/certsrv
6. Click Request a certificate
7. Click advanced certificate request
8. Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal by using a base-64-encoded PKCS#7 file.”
9. Fill out the form as follows:

Request: text box copy and past the text that is inside the request.req file.

Certificate Template: Domain Controller Authentication

10. Click Submit

11. Download the Der and/or Base 64 encoded certificates

You are now ready to install the certificates into your server

Copyright 2021. All rights reserved.

Posted July 29, 2015 by Timothy Conrad in category "Windows

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B