Create certificate with makecert for LDAPS on a DC?



Hi,

I would like to use LDAPS on my DC.
I have already read this article: http://support.microsoft.com/default.aspx/kb/321051 ...

but I am not able to create my self-signed certificate with certreq as I don't have any CA in my domain to submit the "request.req" file to.

1. So I tried to create my own certificate with makecert by using this command:
"makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"

The certificate is created in Personal\Certificates (under Computer) but when I look at the certificate status, I have a warning saying: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

2. I have also tried to create a trusted root CA certificate by using this command:
"makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer"
Then I have created a server certificate trusted by this "TempCA" by typing this command:
"makecert -sk PourDC -iv TempCA.pvk -n "CN=FQDN_OF_DC.domain.local" -ic TempCA.cer PourDC.cer -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"

When I try to connect (locally) to my LDAPS using ldp.exe (port 636 but without the SSL option checked), I get an error: "Error <0x51>: Fail to connect to FQDN_OF_DC.domain.local."

Do I need to install a CA only for my testing purposes?
I think it is possible by using makecert and I would like to find out how! :D


Thank you

P.S: Sorry for my English

--

bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
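The two symptoms above (the "not trusted" warning and the 0x51 failure) can be separated with a quick check on the DC itself. The script below is an added example, not part of the original post or of any Microsoft tool: it looks in the computer's Personal store for a certificate whose subject matches the DC name and that carries the Server Authentication EKU (the 1.3.6.1.5.5.7.3.1 value used in the makecert commands), builds its chain against the machine's trusted roots (which is exactly where a self-signed or TempCA-issued certificate fails until the issuer is imported into Trusted Root Certification Authorities), and then performs a real TLS handshake against port 636, which is what ldp.exe does only when its SSL option is checked. The FQDN is a placeholder taken from the post; the thumbprints and output are whatever your machine produces.

```powershell
# Added example (not from the original post): check an LDAPS server certificate
# on a DC and test the TLS handshake on port 636.
param(
    # Placeholder DC name from the post; replace with the real FQDN.
    [string]$DcFqdn = "FQDN_OF_DC.domain.local"
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (same as makecert -eku)

# 1. Pick the newest certificate in LocalMachine\My that has a private key,
#    the Server Authentication EKU and a subject matching the DC name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $_.HasPrivateKey -and
        $eku -and ($eku.EnhancedKeyUsages.Value -contains $ServerAuthOid) -and
        $_.Subject -like "CN=$DcFqdn*"
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate for CN=$DcFqdn with a private key and the Server Authentication EKU in LocalMachine\My."
    return
}
"Candidate: $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Build the chain against the machine's trusted roots. A self-signed server
#    certificate, or one issued by a CA whose certificate was never imported
#    into LocalMachine\Root, fails here with UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a makecert CA publishes no CRL
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK, trusted root: $($root.Subject)"
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
    "  Import the issuing CA certificate (e.g. TempCA.cer) into Cert:\LocalMachine\Root and retry."
}

# 3. Perform a TLS handshake on 636. Plain LDAP sent to this port (ldp.exe
#    with SSL unchecked) is rejected; this is what the SSL option does.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcFqdn, 636)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($DcFqdn)   # throws if the server cert is untrusted or the name mismatches
    "TLS handshake OK: $($ssl.SslProtocol), server presented $($ssl.RemoteCertificate.Subject)"
} catch {
    "TLS handshake FAILED: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Run it in an elevated PowerShell session on the DC. Step 2 failing with UntrustedRoot while step 3 still negotiates TLS means the DC is serving the certificate but clients will not trust it until the issuing certificate is in their Trusted Root store; step 3 failing outright means Schannel on the DC has not picked up a usable certificate at all.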




