Re: Create certificate with makecert for LDAPS on a DC ?



Thank you for the information about SelfSSL.exe!


Sure thing. I've found selfssl.exe from the IIS 6 res kit to be very useful for quick generation of SSL certs. It takes the extra action of configuring the cert generated in IIS (which you don't need for a DC), but you can export the generated cert and use it very easily. It helps avoid having to know the more confusing options with makecert for generating a proper SSL cert (server auth OID, etc.).

Best of luck!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"bigstyle [MVP]" <newsgroup@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:mn.64407d7c08d456d5.70874@xxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,

Yes, it is for a test environment only!! (The names of the DCs are regularly changed.)

And it was like a "challenge" for me, nothing else :D

For real production, we will use a commercial certificate.

Thank you Joe

Fred



Is this for a test environment? Self-signed certs are ok for dinking around, but they are almost never appropriate to be used for real.

Note that you can get a perfectly good publicly rooted SSL cert from many different places now for about $20. It isn't a big deal.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"bigstyle [MVP]" <newsgroup@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:mn.62d37d7cfd7a2c5e.70874@xxxxxxxxxxxxxxxxxxxxxxxxxx
Finally, it works!

I deleted every cert, then I created them again using the command quoted below.

After a reboot of the DC, LDAP over 636 is working fine!

Thank you

Hi,

I would like to use LDAPS on my DC.
I have already read this article: http://support.microsoft.com/default.aspx/kb/321051 ...

but I am not able to create my self-signed certificate with certreq, as I don't have any CA in my domain to submit the "request.req" file to.

1. So I tried to create my own certificate with makecert using this command:
   makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

The certificate is created in Personal\Certificates (under Computer), but when I look at the certificate status, I get a warning saying: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

2. I have also tried to create a trusted root CA certificate using this command:
   makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
Then I created a server certificate trusted by this "TempCA" by typing this command:
   makecert -sk PourDC -iv TempCA.pvk -n "CN=FQDN_OF_DC.domain.local" -ic TempCA.cer PourDC.cer -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

When I try to connect (locally) to my LDAPS using ldp.exe (port 636, but without the SSL option marked), I get an error: "Error <0x51>: Fail to connect to FQDN_OF_DC.domain.local."

Do I need to install a CA just for my testing purposes?
I think it is possible using makecert, and I would like to find out how!
:D


Thank you

P.S.: Sorry for my English

--

bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
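To make the trust question in this thread concrete, here is an added example in Go (not code from the thread or from makecert) that builds the same kind of chain as step 2 above, a self-signed "CN=TempCA" root and a server certificate for the DC name carrying the Server Authentication EKU, and then runs the check an LDAPS client performs on it, once with TempCA trusted and once without. It assumes the DC name dc1.domain.local and uses ECDSA keys instead of makecert's RSA; note that current clients match the DC name against the subjectAltName, which "makecert -n" alone does not set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer (parent == tmpl gives a self-signed root) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestChain mirrors step 2 of the thread: a self-signed "CN=TempCA" root and a server
// certificate for the DC FQDN with the Server Authentication EKU (ECDSA here, not makecert's RSA).
func BuildTestChain(dcFQDN string) (ca, srv *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "TempCA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dcFQDN},
		DNSNames: []string{dcFQDN}, // current clients match the SAN, not the CN that makecert -n sets
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // OID 1.3.6.1.5.5.7.3.1
	srv, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	return ca, srv, err
}

// LDAPSTrusted is the check an LDAPS client makes: srv must chain to a trusted root, name dcFQDN
// and allow Server Authentication. root == nil reproduces the thread's "not trusted" warning.
func LDAPSTrusted(srv, root *x509.Certificate, dcFQDN string) error {
	pool := x509.NewCertPool() // empty pool, so the system store plays no part
	if root != nil {
		pool.AddCert(root)
	}
	_, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: dcFQDN,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

On a Windows machine the root == nil case corresponds to TempCA.cer being absent from the Trusted Root Certification Authorities store of the client (and of the DC itself), which is exactly the warning seen in step 1.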