The customer wants to use a COMODO signed TLS certificate for LDAPS on a Windows Server 2012 R2 domain contoller.
The certificate was already purchased but the CSR wasn't created on the domain controller (as per https://support.microsoft.com/en-us/kb/321051).
The certificate fullfills the requirements to be used for ADDS:
- The common name is the DC's FQDN
- The certificate can be used for client and server authentication
- The certificate has several SAN entries for alternative DNS names of the domain controller
I've now imported the certificate, the private key and all intermediate certificates into both, the local computer certificate store and the NTDS\Personal certificate store.
However, after importing the certificate using the Certificate MMC Snap-in, the certificate isn't used for LDAPS in ADDS:
Schannel, 36869: The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
I can see that the domain controller tries to use this certificate because the message changes if the certificate is removed:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
Is there any way to add this certificate so that schannel can use it (i have the private key, the csr, the certificate and all intermediate certificates)?