Enabling LDAPS on Windows Core DCs using Enterprise CA

# Example .inf file:

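[Version]
Signature="$Windows NT$"

[NewRequest]
; Replace with the DC's fully qualified host name. Many TLS clients match the
; host name against the Subject Alternative Name rather than the CN; confirm
; that the issuing template (or an added SAN extension) supplies it.
Subject = "CN=dcname.domain.com.au"
KeySpec = 1            ; AT_KEYEXCHANGE: key may be used for key exchange
KeyLength = 2048       ; minimum acceptable RSA size; larger is fine
; TRUE allows the DC's private key to be exported from the machine store.
; Prefer FALSE unless key archival or migration is genuinely required.
Exportable = TRUE
MachineKeySet = TRUE   ; key belongs to the computer, not the logged-on user
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12      ; PROV_RSA_SCHANNEL
RequestType = PKCS10
KeyUsage = 0xa0        ; digitalSignature (0x80) | keyEncipherment (0x20)

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication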

 

# Create CSR

# Run on the DC: generates a new key pair in the machine key store and writes
# the PKCS#10 request described by cert.inf to csr.csr.
certreq -new C:\temp\cert.inf c:\temp\csr.csr

# Issue cert on CA

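# Run on the CA: submits the CSR against the named template (the submitting
# account needs enroll rights on it). Save the issued certificate as cert.cer;
# the next step copies it to the DC.
certreq -submit -attrib "CertificateTemplate:2016KerberosAuthentication" "C:\Users\matt.soltau\Desktop\csr.csr"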

# Copy cert.cer from the CA to the DC

# Accept cert on DC

# Run on the DC: installs the issued certificate, binds it to the private key
# created by the -new step, and places it in the machine's Personal store.
certreq -accept c:\temp\cert.cer

# Copy the certificate from the machine's Personal store to the AD DS service store

# Find Thumbprint (PowerShell)

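# List the machine's personal certificates and note the thumbprint of the
# newly accepted DC certificate.
Set-Location Cert:\LocalMachine\My\
Get-ChildItem

# Make the certificate visible to the AD DS service by copying its store entry
# into the NTDS service store. Replace <Thumbprint> with the value found above.
# Only the certificate entry is copied; the private key is not exported.
# The DC may still need to reload its certificate (for example via the
# renewServerCertificate operation with ldifde, or a reboot) before LDAPS uses
# it; verify afterwards with a TLS connection to port 636.
Copy-Item "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\<Thumbprint>" "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\"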
