Active Directory: Self-Signed certificate for LDAPs


While testing Active Directory on a closed private network, I needed LDAPs connections to the domain controllers. But I didn’t have any PKI/Certificate servers on the network and I didn’t want to build one.

So I decided to use a self-signed SSL certificate for LDAPs connections. If you reading this, you need one too. Here is how I did it.

  • Logon to the Domain Controller
  • Open PowerShell in elevated mode (Right-click on PowerShell, choose Run as Administrator)
  • Next Run the New-SelfSignedCetificate cmdlet. NOTE: Replace the DnsName to your server’s FQDN name and NetBIOS name.
New-SelfSignedCertificate -DnsName SanFran-DC01.company.com, sanfran-dc01 -CertStoreLocation cert:\LocalMachine\My 
  • This cmdlet will create a self-signed cert with given DNSName and place it at Local Computer certificate store.
  • Last step: Open Certificate console by click Start button & type Manage Computer Certificates and open it from the search results.
  • Expand Personal >> Certificates and also expand Trusted Root Certificates >> Certificates
  • Find the newly generated Self-Signed SSL Certificate in Personal >> Certificates.
  • Select the Self-Signed Certificate and drag & drop to Trusted Room Certificates >> Certificates to trust the certificate on the domain controller.
  • Close the Certificate console

Now you are ready to do LDAPs to this domain controller. If you want to validate it works, you can use LDP.exe tool.

  • Open LDP.exe on the domain controller (or any other computer on the network)
  • Click Connection menu and choose Connect…
  • Type the domain controller FDQN and Port number as 636 and click OK. You should see “Established connection to <domain controller>” and the Base DN details.

Did this blog help you? Leave me a reply!

5 thoughts on “Active Directory: Self-Signed certificate for LDAPs

  1. Hi Anand,
    This helped me alot. Thanks.
    On my part, once I dragged and dropped the cert from personal to trusted, the cert was deleted in the personal store. After this attempt via ldp.exe failed.
    I then added the cert to both stores i.e, Personal & Trusted. after this connectivity was fine for me.
    Thanks once again for pointing me in the right direction.
    Regards.

    1. Leaving the newly generated certificate on the Domain Controllers Personal Store and Trusted Root Certificate Authority worked. In addition, I exported the certificate, and installed the certificate on the client’s Trusted Root Certification store. Then I attempted to verify connection using LDP.EXE tool installed via RSAT. This guide and comment was helpful. Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s