It turned out to be a bit more complicated than I thought… I made some notes over here: http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements… If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid “Subject” in the [NewRequest] section. At least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph

Thanks Guy,

I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name never seems to take when I request the cert. Here's what I added to my script:

Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem to take. Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd-party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate cannot be issued to an alias (ldap.company.com) in the Subject field – the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph

We currently provide LDAPS to our customers. Right now the certificates that we load on our DCs use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect.

Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks
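The thread turns on two things: the alias has to appear as a dNSName entry in the Subject Alternative Name (OID 2.5.29.17) of the DC's certificate, and the CSR extension has to carry that SAN as a properly encoded value. The following is an added example (not from the thread, and not Microsoft's code) that DER-encodes a SAN extension value with the DC FQDN and the alias, base64-encodes it, and parses a blob back to check that a given hostname is covered. It assumes, per my reading of the ICEnroll documentation, that addExtensionToRequest's Value argument is a base64-encoded DER extension value rather than a bare hostname string; the hostnames dc01.company.net and ldap.company.net are constructed sample values. Only dNSName entries are encoded here; the DC GUID otherName entry Guy refers to is not covered.

```python
import base64

# Constructed sample values for this example; not taken from the thread.
DC_FQDN = "dc01.company.net"
ALIAS = "ldap.company.net"


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_san(dns_names) -> bytes:
    """DER-encode SubjectAltName: a SEQUENCE (0x30) of GeneralName entries.
    dNSName is CHOICE [2] IMPLICIT IA5String, so each entry gets context tag 0x82."""
    entries = b"".join(_der_tlv(0x82, name.encode("ascii")) for name in dns_names)
    return _der_tlv(0x30, entries)


def san_extension_value_b64(dns_names) -> str:
    """Base64 text of the DER blob, the form an enrollment API that expects a
    base64-encoded extension value for OID 2.5.29.17 would take (assumption)."""
    return base64.b64encode(encode_san(dns_names)).decode("ascii")


def _read_length(der: bytes, pos: int):
    """Return (length, position of first content byte) for the length field at pos."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_san(der: bytes):
    """Parse a DER SAN blob back into its dNSName strings.
    Anything that is not a SEQUENCE of dNSName entries raises, so a caller notices
    when the value handed to the enrollment call was not a SAN structure at all."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; SAN extension value expected")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match blob size")
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag != 0x82:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        names.append(value.decode("ascii"))
    return names


def san_covers(der: bytes, hostname: str) -> bool:
    """Case-insensitive exact match of hostname against the dNSName entries.
    No wildcard handling: an LDAPS client checks the name it connected to."""
    wanted = hostname.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in decode_san(der))


if __name__ == "__main__":
    blob = encode_san([DC_FQDN, ALIAS])
    print("SAN value for the request:", san_extension_value_b64([DC_FQDN, ALIAS]))
    print("alias covered:", san_covers(blob, ALIAS))
    # A bare hostname string is not a SAN structure and is rejected by the parser.
    try:
        decode_san(b"ldap.company.net")
    except ValueError as exc:
        print("bare string rejected:", exc)
```

The parser doubles as a check on an issued certificate: pull the raw 2.5.29.17 extension value out of the DC's certificate, feed it to san_covers with the alias, and you know before touching client configuration whether ldap.company.net will match.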
Title: LDAPS question
- RE: [ActiveDir] LDAPS question Guy Teverovsky
- RE: [ActiveDir] LDAPS question Isenhour, Joseph
- RE: [ActiveDir] LDAPS question Guy Teverovsky
- RE: [ActiveDir] LDAPS question Isenhour, Joseph
- RE: [ActiveDir] LDAPS question Isenhour, Joseph
- RE: [ActiveDir] LDAPS question Guy Teverovsky