Active Directory: Self-Signed certificate for LDAPs


While testing Active Directory on a closed private network, I needed LDAPs connections to the domain controllers. But I didn’t have any PKI/Certificate servers on the network and I didn’t want to build one.

So I decided to use a self-signed SSL certificate for LDAPs connections. If you are reading this, you probably need one too. Here is how I did it.

  • Logon to the Domain Controller
  • Open PowerShell in elevated mode (Right-click on PowerShell, choose Run as Administrator)
  • Next, run the New-SelfSignedCertificate cmdlet. NOTE: Replace the DnsName values with your server’s FQDN and NetBIOS name.
New-SelfSignedCertificate -DnsName SanFran-DC01.company.com, sanfran-dc01 -CertStoreLocation cert:\LocalMachine\My 
  • This cmdlet creates a self-signed certificate for the given DnsName values and places it in the Local Computer certificate store.
  • Last step: open the Certificates console by clicking the Start button, typing Manage Computer Certificates and opening it from the search results.
  • Expand Personal >> Certificates and also expand Trusted Root Certificates >> Certificates
  • Find the newly generated Self-Signed SSL Certificate in Personal >> Certificates.
  • Select the Self-Signed Certificate and drag and drop it to Trusted Root Certificates >> Certificates to trust the certificate on the domain controller.
  • Close the Certificate console

Now you are ready to do LDAPs to this domain controller. If you want to validate that it works, you can use the LDP.exe tool.

  • Open LDP.exe on the domain controller (or any other computer on the network)
  • Click Connection menu and choose Connect…
  • Type the domain controller FQDN and Port number as 636 and click OK. You should see “Established connection to <domain controller>” and the Base DN details.
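The same procedure as a script, covering both the certificate steps above and the port 636 check, as an added example that is not part of the original post: it creates the certificate, exports the public part, trusts it on the DC, then opens a TLS session to port 636 and compares the certificate the DC actually presents with the one just created. The FQDN, NetBIOS name and C:\Temp export path are assumed placeholders taken from the post; the script assumes an elevated session on the domain controller.

```powershell
# Added example, not code from the original post. Assumes the post's placeholder
# names below and an elevated PowerShell session on the domain controller.
$Fqdn    = 'SanFran-DC01.company.com'
$NetBios = 'sanfran-dc01'
$CerPath = 'C:\Temp\sanfran-dc01-ldaps.cer'   # public certificate only, no private key

# 1. Create the self-signed server certificate in the machine's Personal store,
#    with an explicit lifetime, key size and hash instead of the cmdlet defaults.
$cert = New-SelfSignedCertificate -DnsName $Fqdn, $NetBios `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName 'LDAPS self-signed (lab)'
"Created {0} thumbprint {1} expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 2. Export the public certificate and import it into the DC's Trusted Root store
#    (the drag-and-drop step in the post). Any other machine that should validate
#    LDAPS to this DC must import the same .cer into its own Trusted Root store,
#    because nothing trusts a self-signed certificate by default.
New-Item -ItemType Directory -Path (Split-Path $CerPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Check what the DC really serves on 636: capture the presented certificate and
#    the chain-validation verdict, then compare the thumbprint with the new cert.
$script:presented = $null
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $remoteCert, $chain, $errors)
    $script:presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($remoteCert)
    $script:sslErrors = $errors
    $true   # accept here only to inspect; the verdict is reported below
}
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    if ($script:presented.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "DC served a different certificate: $($script:presented.Thumbprint)"
    } elseif ($script:sslErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Certificate is served but fails validation here: $($script:sslErrors)"
    } else {
        "LDAPS on $Fqdn serves the new certificate and it validates on this host."
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Copy the exported .cer to any other computer you run LDP.exe from and import it there with Import-Certificate into Cert:\LocalMachine\Root; without that, the client rejects the port 636 connection as untrusted.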

Did this blog help you? Leave me a reply!
