How does one generate a self-signed (later a CSR for a real cert) SSL certificate for three domain controllers (dc1.example.com, dc2.example.com, dc3.example.com) for the Windows domain EXAMPLE.COM for use with LDAP?
The subject, I believe, should be EXAMPLE.COM with three Subject Alternative Names being the dns names for each DC.
How do I generate this certificate preferably with openssl, and definitely without installing certificate services?
EDIT:
An additional requirement is accomplishing this using only existing tools built in to RHEL 6, Windows 2008 R2, or software which can be acquired from Microsoft directly.
No need to use any GUI wrappers to OpenSSL really, they never include all the options and add no value to the library. Nothing wrong with firing up the OpenSSL console, hitting `?` to list all the commands and finding clarification on-line for those that you might need, IMHO. ;)

First thing to do is to make sure you have a valid `openssl.cnf` file in your openssl installation folder. If you're missing this file, then you can download it from here. Place this file in your openssl path and set the required environment variable to point to it:

You will also need an additional config file with your domain controllers listed. Simplest is to just echo your list in a new file:

Or you could create a new config file with a notepad, whatever. It will only require this single line in it:

Then start the openssl console (openssl.exe) and create your self-signed certificate using these two configuration files (the `openssl.cnf` will load with the `req` command automatically from the environment variable `OPENSSL_CONF` we set previously):

Enter all the required data as it asks you to. You might want to skip entering the password phrase (`A challenge password []`) if this certificate will be used on a web server, so as not to require entering it each time you restart it. In which case just leave that field blank.

We're nearly done. Now we only need to generate our certificate and pass it the other configuration file to include our DNS aliases (or in your case all three domain controllers):

That's it. You should have your new `example.com.crt`, `example.com.key` and `example.com.csr` files ready to go in your openssl folder, updated with the additional configuration that we set. You can check that your certificate includes our DNS names (notepad will do, these values are in clear text).

Obviously, you could change these values to reflect your needs; this is only an example, using your own example values. If you don't want to fire up the OpenSSL console, then you can run all these commands from the system console just as well, preceding any command with a call to OpenSSL.exe (`openssl`). That's exactly equal to having the OpenSSL console open.

Hope that's what you wanted to do, don't hesitate to ask for clarification in the comments,
Cheers!
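The openssl flow the answer describes, as an added example (not the answer's own commands): one config file carries the three DC names as `subjectAltName`, a self-signed cert is made for testing LDAPS, and a CSR for the real CA is made on the same key. Host names are the question's; the file names, function names and key size are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own commands. One openssl config carries the
# three DC names as SANs and feeds both the self-signed cert and the CSR.
# Host names are the question's; file and function names are assumptions.
set -eu
DOMAIN="EXAMPLE.COM"
DCS="dc1.example.com dc2.example.com dc3.example.com"

# "h1 h2 h3" -> "DNS:h1,DNS:h2,DNS:h3" for subjectAltName
san_list() { out=""; for h in $1; do out="${out:+$out,}DNS:$h"; done; printf '%s' "$out"; }
# $1 = output path, $2 = CN, $3 = host list. x509_extensions is read by
# req -x509 (self-signed) and req_extensions by the CSR, so both get the SANs.
write_config() {
  cat >"$1" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
x509_extensions = v3_req
[dn]
CN = $2
[v3_req]
subjectAltName = $(san_list "$3")
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# $1 = config, $2 = basename -> $2.key and a one-year self-signed $2.crt
make_selfsigned() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -config "$1" -keyout "$2.key" -out "$2.crt"
}
# $1 = config, $2 = basename -> $2.csr on the same key, for the real CA later
make_csr() { openssl req -new -key "$2.key" -config "$1" -out "$2.csr"; }
# Print the DNS SANs a .crt or .csr really carries, one per line.
show_sans() {
  case "$1" in
    *.csr) openssl req -in "$1" -noout -text ;;
    *)     openssl x509 -in "$1" -noout -text ;;
  esac | grep -o 'DNS:[^, ]*'
}

main() {
  write_config dc.cnf "$DOMAIN" "$DCS"
  make_selfsigned dc.cnf example.com
  make_csr dc.cnf example.com
  echo "SANs in example.com.crt:"; show_sans example.com.crt
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it in an empty directory as `sh ldaps-cert.sh --run`; LDAPS clients match a DC's FQDN against the SAN list, so every DC name has to be there whatever the CN says.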
Assuming a single DC can't handle the LDAP over SSL needs and that SASL isn't an option.
If you want a self-signed SSL cert like that you will probably need Selfssl7 found here: http://blogs.iis.net/thomad/archive/2010/04/16/setting-up-ssl-made-easy.aspx
It should be able to create what you are looking for.
Without the framework you would be missing Certificate Revocation Lists (CRLs) and you'd still need a way to install a trusted root CA. So without the framework, you are probably going to have a tough time of it.
And the certificate services are built into Windows 2008, so other than enabling the features/roles, you shouldn't need anything other than what you already have.