Active Directory: Self-Signed certificate for LDAPs

While testing Active Directory on a closed private network, I needed LDAPs connections to the domain controllers. But I didn’t have any PKI/Certificate servers on the network and I didn’t want to build one.

So I decided to use a self-signed SSL certificate for LDAPs connections. If you reading this, you need one too. Here is how I did it.

  • Logon to the Domain Controller
  • Open PowerShell in elevated mode (Right-click on PowerShell, choose Run as Administrator)
  • Next Run the New-SelfSignedCetificate cmdlet. NOTE: Replace the DnsName to your server’s FQDN name and NetBIOS name.
New-SelfSignedCertificate -DnsName, sanfran-dc01 -CertStoreLocation cert:\LocalMachine\My 
  • This cmdlet will create a self-signed cert with given DNSName and place it at Local Computer certificate store.
  • Last step: Open Certificate console by click Start button & type Manage Computer Certificates and open it from the search results.
  • Expand Personal >> Certificates and also expand Trusted Root Certificates >> Certificates
  • Find the newly generated Self-Signed SSL Certificate in Personal >> Certificates.
  • Select the Self-Signed Certificate and drag & drop to Trusted Root Certificates >> Certificates to trust the certificate on the domain controller.
  • Close the Certificate console

Now you are ready to do LDAPs to this domain controller. If you want to validate it works, you can use LDP.exe tool.

  • Open LDP.exe on the domain controller (or any other computer on the network)
  • Click Connection menu and choose Connect…
  • Type the domain controller FDQN and Port number as 636 and click OK. You should see “Established connection to <domain controller>” and the Base DN details.

Did this blog help you? Leave me a reply!


8 thoughts on “Active Directory: Self-Signed certificate for LDAPs

  1. Hi Anand,
    This helped me alot. Thanks.
    On my part, once I dragged and dropped the cert from personal to trusted, the cert was deleted in the personal store. After this attempt via ldp.exe failed.
    I then added the cert to both stores i.e, Personal & Trusted. after this connectivity was fine for me.
    Thanks once again for pointing me in the right direction.

    1. Leaving the newly generated certificate on the Domain Controllers Personal Store and Trusted Root Certificate Authority worked. In addition, I exported the certificate, and installed the certificate on the client’s Trusted Root Certification store. Then I attempted to verify connection using LDP.EXE tool installed via RSAT. This guide and comment was helpful. Thanks.

  2. This was a great article. I followed the instructions to the letter but it still isn’t working for me. I added the self signed cert to both stores and I still get the following when I connect via the ldp tool.
    ld = ldap_sslinit(“mydomain.local”, 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error : Fail to connect to mydomain.local.

    The event viewer says
    LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

    Additional Data
    Error value:
    8009030e No credentials are available in the security package

    Any suggestions would be greatly appreciated.

Leave a Reply to Venky Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s