To enable LDAPS I need certificates on both domain controllers. I can't use Certificate Services as I don't have a spare Windows machine and installing that role on a DC is a big no-no, so I would rather use a self-signed certificate with SANs covering both DCs (FQDN and short machine names).
Is there anything I should pay attention to? For example:
- should the certificate have a maximum duration (i.e. 1, 5, 10, 100 years)?
- can this disrupt/affect connections with client machines (unlikely, as the DCs have no certificate at the moment)?
- EFS - not having a CA means that clients themselves are responsible for their keys. What will happen with the self-signed certificate?
To enable LDAPS there is nothing special to pay attention to apart from the usual things when using SSL certificates. More details here:
Enable LDAP over SSL with a third-party certification authority
To answer your examples:
To test if your LDAPS is working properly you could use ldp.exe from the RSAT collection. Just change the port to 636 and check the "SSL" box when connecting.
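As an added example (not part of the question or the answer above), here is the procedure in PowerShell: one self-signed certificate whose SAN lists both DCs by FQDN and short name, created in the machine store of the first DC, exported for the second DC and for clients, activated without a reboot, and then checked with a scripted TLS handshake on 636 that reports the same things ldp.exe would show. The host names dc1/dc2.corp.example.com, the C:\Temp paths and the password prompt are placeholders. Two caveats a practitioner would want: nothing vouches for a self-signed certificate, so any client that validates the server chain will report it as untrusted until the exported .cer is imported into that client's Trusted Root Certification Authorities store (the check function below shows exactly that as TrustedHere/ChainStatus), and because one certificate covers both DCs the same private key has to be copied to the second DC, so the PFX should be transferred over an authenticated channel and deleted afterwards.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# first DC. Host names, paths and the PFX password below are placeholders.
$dc1     = 'dc1.corp.example.com'
$dc2     = 'dc2.corp.example.com'
$pfxPath = 'C:\Temp\ldaps.pfx'
$cerPath = 'C:\Temp\ldaps.cer'
$pfxPass = Read-Host -AsSecureString 'PFX export password'

# 1. One self-signed certificate whose SAN covers both DCs by FQDN and short name.
#    Schannel only offers a certificate for LDAPS if it is in the machine's Personal
#    store, has a usable private key and carries the Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1), so all three are set explicitly. The cmdlet's default
#    lifetime is one year; -NotAfter picks five here (an assumption, not a rule).
$cert = New-SelfSignedCertificate `
    -Subject "CN=$dc1" `
    -DnsName $dc1, 'dc1', $dc2, 'dc2' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) `
    -FriendlyName 'LDAPS (self-signed, both DCs)'

# 2. Export twice: the PFX (with private key) goes to the second DC only; the .cer
#    (public part) is what clients must import as a trusted root, since nothing
#    else vouches for a self-signed certificate.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT        | Out-Null

# 3. On the second DC, after copying the PFX over securely (delete it afterwards):
#    Import-PfxCertificate -FilePath C:\Temp\ldaps.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
#    On every machine that should validate the DCs' certificate:
#    Import-Certificate -FilePath C:\Temp\ldaps.cer -CertStoreLocation Cert:\LocalMachine\Root

# 4. Ask the DC to pick up the new certificate without a reboot by writing the
#    renewServerCertificate attribute to rootDSE (run this on each DC).
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
Set-Content -Path 'C:\Temp\renew.ldf' -Value $ldif -Encoding ASCII
ldifde -i -f 'C:\Temp\renew.ldf'

# 5. Verify from any machine: complete a TLS handshake on 636, report what the DC
#    presented, whether this machine trusts it, and whether the SAN contains the
#    name we connected to. Unlike ldp.exe this gives a scriptable result.
function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept anything during the handshake; trust is evaluated explicitly
        # below so a failure is reported as data instead of an exception.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)    # $false with UntrustedRoot until the .cer is in Cert:\LocalMachine\Root
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) { $sans = ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=' }
        [pscustomobject]@{
            Server          = $ComputerName
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            Thumbprint      = $cert.Thumbprint
            SubjectAltNames = $sans -join ', '
            NameInSan       = $sans -contains $ComputerName
            TrustedHere     = $trusted
            ChainStatus     = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-LdapsEndpoint -ComputerName $dc1
Test-LdapsEndpoint -ComputerName $dc2
```

If step 5 fails to connect at all, the certificate was not picked up: confirm it is in Cert:\LocalMachine\My with a private key and the Server Authentication EKU, then repeat step 4 or restart the DC. A connection that succeeds but shows NameInSan = False means the client used a name (for example a CNAME or IP address) that is not in the SAN list, which ldp.exe will also reject.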