While testing Active Directory on a closed private network, I needed LDAPS connections to the domain controllers. But I didn’t have any PKI/certificate servers on the network and I didn’t want to build one.
So I decided to use a self-signed SSL certificate for LDAPS connections. If you are reading this, you probably need one too. Here is how I did it.
- Logon to the Domain Controller
- Open PowerShell in elevated mode (Right-click on PowerShell, choose Run as Administrator)
- Next, run the New-SelfSignedCertificate cmdlet. NOTE: Replace the DnsName values with your server’s FQDN and NetBIOS name. The first name becomes the certificate Subject and all of them go into the Subject Alternative Name extension, so the FQDN must match the name clients will use to connect, or they will reject the certificate.
New-SelfSignedCertificate -DnsName SanFran-DC01.company.com, sanfran-dc01 -CertStoreLocation cert:\LocalMachine\My
- This cmdlet creates a self-signed certificate with the given DNS names and a private key and places it in the Local Computer Personal store, which is where the domain controller looks for its LDAPS certificate. The default extended key usage includes Server Authentication, which LDAPS requires.
- Next, open the Certificates console: click the Start button, type Manage Computer Certificates and open it from the search results.

- Expand Personal >> Certificates and also expand Trusted Root Certification Authorities >> Certificates

- Find the newly generated self-signed certificate in Personal >> Certificates.
- Select the self-signed certificate and drag & drop it to Trusted Root Certification Authorities >> Certificates to trust the certificate on the domain controller. Make sure it still appears in Personal >> Certificates with its private key afterwards, since that is the store the domain controller serves it from. This only trusts the certificate on the domain controller itself; any other computer that will validate the LDAPS connection needs the public certificate imported into its own Trusted Root Certification Authorities store.
- Close the Certificates console
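The whole procedure above as one script, added here as an example (it is not code from the original post). It creates the certificate, checks that it has what LDAPS needs (private key, Server Authentication EKU, the FQDN in the SAN), trusts only the public part in the local root store, exports a .cer file for other clients, and asks the domain controller to pick the certificate up without a reboot by writing the renewServerCertificate attribute on rootDSE. The names and the export path are placeholders, and the extra New-SelfSignedCertificate parameters assume Windows Server 2016 or later:

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run in an elevated PowerShell on the domain controller.
# Assumptions: the names and path below are placeholders; Windows Server 2016+ New-SelfSignedCertificate.
$fqdn       = 'SanFran-DC01.company.com'   # assumption: your DC's FQDN
$netbios    = 'sanfran-dc01'               # assumption: your DC's NetBIOS name
$exportPath = 'C:\Temp\ldaps-dc01.cer'     # assumption: where to write the public certificate

# 1. Create the certificate in LocalMachine\My, the store the DC's LDAPS listener reads.
#    The first DnsName becomes the Subject CN; every DnsName goes into the SAN extension.
#    The default EKU set includes Server Authentication (1.3.6.1.5.5.7.3.1), which LDAPS needs.
$cert = New-SelfSignedCertificate `
    -DnsName $fqdn, $netbios `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName "LDAPS self-signed ($fqdn)"

# 2. Sanity checks: private key present, Server Authentication EKU, FQDN in the SAN.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; Schannel cannot use it.' }
if ($cert.EnhancedKeyUsageList.FriendlyName -notcontains 'Server Authentication') {
    throw 'Certificate lacks the Server Authentication EKU.'
}
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape($fqdn)) { throw "SAN does not contain ${fqdn}: $san" }

# 3. Trust it on this machine: add the PUBLIC part only to Trusted Root Certification
#    Authorities (same effect as the drag & drop in the console). The original, with its
#    private key, stays in LocalMachine\My where the DC serves it from.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.Export('Cert'))
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($public)
$root.Close()

# 4. Export the public certificate so other clients can trust it. On each client:
#    Import-Certificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\Root
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# 5. Tell the DC to reload its server certificate without a reboot by writing the
#    renewServerCertificate operational attribute on rootDSE (empty DN).
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
$ldifPath = Join-Path $env:TEMP 'renewServerCertificate.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath

"Created $($cert.Thumbprint) for $fqdn; public certificate exported to $exportPath"
```

The script adds only the exported public certificate to the root store on purpose: a root store entry never needs the private key, and keeping the key-bearing copy in Personal alone makes it obvious which certificate Schannel is using.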
Now you are ready to use LDAPS to this domain controller. If you want to validate that it works, you can use the LDP.exe tool.
- Open LDP.exe on the domain controller (or any other computer on the network that trusts the certificate)
- Click the Connection menu and choose Connect…
- Type the domain controller FQDN, set the Port to 636, tick the SSL checkbox and click OK. You should see “Established connection to <domain controller>” and the Base DN details. If you connect by IP address or by a name that is not in the certificate, or from a machine that does not trust the certificate, the connection fails.
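The same validation from PowerShell, added here as an example that is not part of the original post. It goes further than the LDP.exe check: it performs a raw TLS handshake on port 636 and prints exactly which certificate the domain controller is serving, evaluates trust and name matching the way a normal client would, and then does a real LDAP bind over SSL and reads rootDSE. The server name is a placeholder; run it on the domain controller or on any client on the network:

```powershell
# Added example, not from the original post. Assumption: $server is a placeholder for your DC's FQDN.
$server = 'SanFran-DC01.company.com'

# 1. Raw TLS handshake to 636 and inspect what the DC actually serves.
#    The callback returns $true only so the handshake completes; trust is evaluated in step 2.
$tcp = New-Object System.Net.Sockets.TcpClient($server, 636)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($server)
$served = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$san = ($served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
"TLS protocol : $($ssl.SslProtocol)"
"Subject      : $($served.Subject)"
"SAN          : $san"
"Thumbprint   : $($served.Thumbprint)"
"Expires      : $($served.NotAfter)"

# 2. Evaluate trust the way a client would: build a chain against this machine's stores.
#    A self-signed certificate passes only where its public part sits in Trusted Root
#    Certification Authorities; the name must also appear in the Subject CN or the SAN.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($served)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
"Trusted here : $trusted $(if (-not $trusted) { "($status)" })"
$nameMatches = ($served.Subject -match [regex]::Escape("CN=$server")) -or ($san -match [regex]::Escape($server))
"Name matches : $nameMatches"
$ssl.Dispose(); $tcp.Close()

# 3. A real LDAP bind over SSL (what LDP.exe does with SSL ticked), then read rootDSE.
#    Bind() throws an LdapException if the TLS handshake or the bind fails.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('defaultNamingContext', 'dnsHostName'))
$resp = $conn.SendRequest($req)
"Base DN      : $($resp.Entries[0].Attributes['defaultNamingContext'][0])"
"dnsHostName  : $($resp.Entries[0].Attributes['dnsHostName'][0])"
$conn.Dispose()
```

If step 1 succeeds but step 2 reports the certificate as untrusted, the domain controller is serving the right certificate and the problem is on the client side: import the exported .cer into that machine's Trusted Root Certification Authorities store. If step 1 succeeds but the name does not match, you connected with a name that is not in the certificate; reissue it with the correct DnsName values.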

Did this blog help you? Leave me a reply!
Hi Anand,
This article helped me. Thanks for sharing.
I am glad it helped you.