Skip to content

Instantly share code, notes, and snippets.

@np422

np422/win_ad_ssl.md

Forked from magnetikonline/README.md
Last active February 7, 2017 10:45
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save np422/85cc6e9328692230c9afdb2c0ae64b20 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save np422/85cc6e9328692230c9afdb2c0ae64b20 to your computer and use it in GitHub Desktop.
Download ZIP
Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers.
Raw
win_ad_ssl.md

Enable LDAP over SSL

Create root certificate

From the OpenSSL machine (linux), create new private key and root certificate.

$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

You should now have a resulting ca.key and ca.crt

Import root certificate into trusted store of domain controller

  • From the active directory server, open Manage computer certificates.
  • Add the generated ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.
  • Done.

Create client certificate

From the active directory server:

  • Create a new request.inf definition with the following contents - replacing ACTIVE_DIRECTORY_FQDN with the qualified domain name of your active directory server:

     [Version]
 Signature="$Windows NT$"

 [NewRequest]
 Subject = "CN=ACTIVE_DIRECTORY_FQDN"
 KeySpec = 1
 KeyLength = 1024
 Exportable = TRUE
 MachineKeySet = TRUE
 SMIME = FALSE
 PrivateKeyArchive = FALSE
 UserProtected = FALSE
 UseExistingKeySet = FALSE
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 ProviderType = 12
 RequestType = PKCS10
 KeyUsage = 0xa0

 [EnhancedKeyUsageExtension]
 OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

  • Run the following to create a new client certificate request of client.csr (note: it's critical this is run from the active directory server to ensure a private key -> certificate association):

     C:\> certreq -new request.inf client.csr

Back to OpenSSL system:

  • Create v3ext.txt containing the following:

     keyUsage=digitalSignature,keyEncipherment
 extendedKeyUsage=serverAuth
 subjectKeyIdentifier=hash

  • Create a certificate client.crt from certificate request client.csr and root certificate (with private key):

     $ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -set_serial 01 -out client.crt

  • Verify generated certificate:

     $ openssl x509 -in client.crt -text

  • Ensure the following X509v3 extensions are all present:

    • X509v3 Key Usage: Digital Signature, Key Encipherment
    • X509v3 Extended Key Usage: TLS Web Server Authentication
    • X509v3 Subject Key Identifier

Accept and import certificate

  • From the active directory server with client.crt present, run the following:

     C:\> certreq -accept client.crt

  • Open Manage computer certificates, the new certificate should now be present under Personal\Certificates. Ensure that:

    • Certificate has a private key association.
    • The "Intended Purposes" is defined as "Server Authentication".
    • Certificate name is the FQDN of the active directory server.

Reload active directory SSL certificate

Reboot server

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment