While testing Active Directory on a closed private network, I needed LDAPs connections to the domain controllers. But I didn’t have any PKI/certificate servers on the network and I didn’t want to build one.
So I decided to use a self-signed SSL certificate for LDAPs connections. If you are reading this, you need one too. Here is how I did it.
- Logon to the Domain Controller
- Open PowerShell in elevated mode (Right-click on PowerShell, choose Run as Administrator)
- Next, run the New-SelfSignedCertificate cmdlet. NOTE: Replace the DnsName values with your server’s FQDN and NetBIOS name.
New-SelfSignedCertificate -DnsName SanFran-DC01.company.com, sanfran-dc01 -CertStoreLocation cert:\LocalMachine\My
- This cmdlet creates a self-signed certificate with the given DnsName values and places it in the Local Computer certificate store (Personal).
- Last step: open the Certificates console by clicking the Start button, typing Manage Computer Certificates, and opening it from the search results.
- Expand Personal >> Certificates and also expand Trusted Root Certificates >> Certificates
- Find the newly generated Self-Signed SSL Certificate in Personal >> Certificates.
- Select the Self-Signed Certificate and drag & drop to Trusted Root Certificates >> Certificates to trust the certificate on the domain controller.
- Close the Certificate console
Now you are ready to use LDAPs against this domain controller. If you want to validate that it works, you can use the LDP.exe tool.
- Open LDP.exe on the domain controller (or any other computer on the network)
- Click Connection menu and choose Connect…
- Type the domain controller FQDN and port number 636 and click OK. You should see “Established connection to <domain controller>” and the Base DN details.
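The same setup and LDP.exe check as a script, added here as an example that is not part of the original post. It assumes an elevated PowerShell on the DC, Windows Server 2012 R2 or later (for the extended New-SelfSignedCertificate parameters), and that the two placeholder names are replaced with your own; Test-LdapsCertificate is a helper written for this example.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell on the DC,
# Windows Server 2012 R2 or later, and the two placeholder names below replaced with yours.
$Fqdn    = 'SanFran-DC01.company.com'   # placeholder: your DC's FQDN
$NetBios = 'sanfran-dc01'               # placeholder: your DC's NetBIOS name

# Step 1: create the cert in LocalMachine\My. Schannel only serves LDAPS with a certificate
# that sits in this store together with its private key, carries the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1) and names the DC's FQDN, so state those explicitly.
$cert = New-SelfSignedCertificate -DnsName $Fqdn, $NetBios `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# Step 2: COPY the cert into Trusted Root. One commenter found the console drag-and-drop
# removed it from Personal, which breaks LDAPS; the Personal copy must keep the private key.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite'); $root.Add($cert); $root.Close()

# Step 3: export the public part so clients can add it to their own Trusted Root store.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\$NetBios-ldaps.cer" | Out-Null

# Step 4: verify LDAPS like LDP.exe does, but also report WHICH certificate the DC
# presents and whether this machine's trust store now accepts its chain.
function Test-LdapsCertificate {
    param([string]$Server, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    try {
        # Accept any cert at the TLS layer; trust is evaluated explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: nothing to revoke against
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol
            Thumbprint = $presented.Thumbprint
            IsExpected = ($presented.Thumbprint -eq $ExpectedThumbprint)
            IsTrusted  = $chain.Build($presented)
        }
    } finally { $tcp.Close() }
}

Test-LdapsCertificate -Server $Fqdn -ExpectedThumbprint $cert.Thumbprint
```

If the connection fails and the event log shows the “unable to obtain a certificate” message quoted in the last comment, no certificate in the Personal store met the requirements listed in step 1 (private key present, Server Authentication EKU, FQDN in the name), so check those before anything else.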
Did this blog help you? Leave me a reply!
8 thoughts on “Active Directory: Self-Signed certificate for LDAPs”
This article helped me. Thanks for sharing.
I am glad it helped you.
This helped me a lot. Thanks.
On my part, once I dragged and dropped the cert from Personal to Trusted, the cert was deleted from the Personal store. After this, the attempt via ldp.exe failed.
I then added the cert to both stores, i.e. Personal & Trusted. After this, connectivity was fine for me.
Thanks once again for pointing me in the right direction.
Leaving the newly generated certificate on the Domain Controllers Personal Store and Trusted Root Certificate Authority worked. In addition, I exported the certificate, and installed the certificate on the client’s Trusted Root Certification store. Then I attempted to verify connection using LDP.EXE tool installed via RSAT. This guide and comment was helpful. Thanks.
Simple solution. Just what I was looking for. THANKS!
This was an enormous help. Thank you for taking the time to write this up! Cheers.
This was a great article. I followed the instructions to the letter but it still isn’t working for me. I added the self-signed cert to both stores and I still get the following when I connect via the ldp tool.
ld = ldap_sslinit(“mydomain.local”, 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Error : Fail to connect to mydomain.local.
The event viewer says
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
8009030e No credentials are available in the security package
Any suggestions would be greatly appreciated.