I'm trying to enable SSL for Active Directory in our domain. The problem I'm running into is that the server is failing to recognize the certificate I've made for it. Whenever I try to query the server using SSL (using ldp.exe), I get event 36886, which basically states that a suitable certificate could not be found on the server.
I've gone through this KB article for troubleshooting and here's what I've got:
I've placed the cert on the local machine's certificate store, under the Personal container. I used openssl on a Linux machine as the CA and have placed its certificate under the Trusted Root Certification Authorities container.
My domain controller's FQDN is in the Subject of the cert. An alternate name has also been added in the extendedKeyUsage section; neither works when querying.
I have serverAuth and clientAuth in the EnhancedKeyUsage section.
When I double click the cert in the mmc console, it states at the bottom that "You have a private key that corresponds to this certificate"; however, as per the KB instructions I run the
certutil -verifykeys
command and it returns "The system cannot find the file specified".
When I double click the cert and go to Certification Path, it lists my CA and then the certificate, then below it says "This certificate is OK", so I'm assuming that means the chain is valid.
It's the only certificate in the Personal store for the computer.
When I do something like
certutil -verifystore MY 0
it lists the cert and the only complaint it has is about the revocation list, because I never made a CRL, but it still says the certificate is valid at the end.
I'm guessing the reason it's failing is tied to why certutil -verifykeys is failing, but I haven't been able to find what it actually means when I get the error that I do.
Can anyone point me in the right direction?
Enable the CAPI2 event log. The error events in the CAPI2 log usually provide more information about the issues with the certificate.
Applications and Services Logs > Microsoft > Windows > CAPI2
CRL is a requirement for SSL. You have to fix that first. Everything else I am listing is stuff you can check if that doesn't resolve it.
Since you are getting an error verifying the key, make sure the ACL on the MachineKeys folder is correct, and that the Private Key does not use Strong Private Key Encryption.
You said you put the Linux machine's certificate in the Trusted Root folder. Did you do that on the DCs and the client?
References:
http://blogs.technet.com/b/instan/archive/2009/01/05/schannel-36872-or-schannel-36870-on-a-domain-controller.aspx
This link is for LDAPS, but includes good information on SSL, since it is required: https://support2.microsoft.com/default.aspx?scid=kb;en-us;321051
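The checks listed in this answer (serverAuth EKU and name match, chain with revocation, private key file and its ACL in MachineKeys, CAPI2 logging), as an added PowerShell triage script that is not part of the original post; the DC FQDN is a placeholder, and it assumes PowerShell 5.1 or later on the domain controller with the CA certificate already in LocalMachine\Root:

```powershell
# Added example: triage a DC's LDAPS certificate the way the answer suggests.
# Assumption (not from the post): $dcFqdn is a placeholder for your DC's FQDN.
$dcFqdn = 'dc01.example.local'

# 1. Candidates Schannel could pick from the computer's Personal store:
#    Server Authentication EKU, private key present, SAN/CN matches the DC.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $dcFqdn)
}
if (-not $candidates) {
    Write-Warning "No cert in LocalMachine\My has serverAuth + private key + name $dcFqdn"
}

foreach ($cert in $candidates) {
    "Checking $($cert.Thumbprint) ($($cert.Subject))"

    # 2. Build the chain with online revocation checking. A cert issued by an
    #    OpenSSL CA with no CRL distribution point shows up here as a
    #    RevocationStatusUnknown / OfflineRevocation status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    "  Chain builds with revocation checking: $($chain.Build($cert))"
    foreach ($s in $chain.ChainStatus) {
        "  Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }

    # 3. Locate the private key file and show its ACL. 'certutil -verifykeys'
    #    reporting a missing file usually means the key blob is gone or SYSTEM
    #    cannot read it; SYSTEM and Administrators should have full control.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName                              # CNG key (Crypto\Keys)
        } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }  # CSP key (RSA\MachineKeys)
        $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName `
                   -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($keyFile) {
            "  Key file: $($keyFile.FullName)"
            (Get-Acl $keyFile.FullName).Access | ForEach-Object {
                "    ACL: $($_.IdentityReference) $($_.FileSystemRights) ($($_.AccessControlType))"
            }
        } else { Write-Warning "  Private key file $keyName not found under Crypto" }
    } catch { Write-Warning "  Private key not usable: $($_.Exception.Message)" }
}

# 4. Enable the CAPI2 operational log so the next ldp.exe attempt is explained there.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
```

Run it in an elevated PowerShell on the domain controller, then retry the ldp.exe SSL connection and read Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational.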