Title: LDAPS question

It turned out to be a bit more complicated than I thought…

I made some notes over here:

http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html


I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements…

If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid “Subject” in the [NewRequest] section.

At least it should give you a direction.


Guy



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, May 09, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question


Thanks Guy,


I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR.  I found the ICEnroll COM interface on MSDN and am using it to generate my request.  The request works fine; however, the Subject Alternative Name never seems to take when I request the cert.


Here's what I added to my script:


Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")


The call goes through without generating an error; however, it doesn't seem to take.


Has anyone out there successfully created a CSR using this extension?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 06, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd-party CAs, the requirements still apply even if you are using an MS CA. The key point is that the certificate cannot be issued to an alias (ldap.company.com) in the Subject field – the alias should be part of the Alternative Name together with the DC's GUID.


Guy
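Added example, not code from either poster or from Microsoft's ICEnroll or KB 291010: the Subject Alternative Name extension (OID 2.5.29.17) that both messages above talk about is, in X.509, a DER-encoded GeneralNames sequence, not a bare hostname string. The Python below builds that value with dNSName entries for the alias and the DC's own FQDN plus the otherName entry carrying the DC GUID (OID 1.3.6.1.4.1.311.25.1, the NTDS replication GUID that the KB requirements refer to), base64-encodes it the way enrollment APIs usually want extension values, parses it back, and checks whether a client-supplied host name would match one of the SAN names. The host names and GUID are constructed sample values; that the GUID travels in Windows little-endian byte order is an assumption, and whether ICEnroll accepts a base64 DER blob in this exact form is not something the thread confirms.

```python
import base64
import uuid

SAN_OID = "2.5.29.17"                          # id-ce-subjectAltName, as in the poster's call
NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"  # otherName type-id for the DC objectGUID


def der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def build_san(dns_names, dc_guid=None) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, with dNSName [2] and optional otherName [0]."""
    names = [der_tlv(0x82, name.encode("ascii")) for name in dns_names]  # [2] IMPLICIT IA5String
    if dc_guid is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; value is an OCTET STRING
        # holding the 16-byte GUID (assumed Windows little-endian layout, hence bytes_le).
        guid_octets = der_tlv(0x04, uuid.UUID(dc_guid).bytes_le)
        other_name = der_oid(NTDS_REPLICATION_OID) + der_tlv(0xA0, guid_octets)
        names.append(der_tlv(0xA0, other_name))  # [0] IMPLICIT OtherName
    return der_tlv(0x30, b"".join(names))


def san_base64(dns_names, dc_guid=None) -> str:
    """The same value as a base64 string, the shape enrollment APIs commonly take for extension values."""
    return base64.b64encode(build_san(dns_names, dc_guid)).decode("ascii")


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes):
    """Walk a GeneralNames blob; return (list of dNSName strings, DC GUID string or None)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE")
    dns, guid, pos = [], None, 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(content.decode("ascii"))
        elif tag == 0xA0:
            _, _, p = _read_tlv(content, 0)            # skip over the type-id OID TLV
            _, wrapped, _ = _read_tlv(content, p)      # [0] EXPLICIT wrapper around the value
            inner_tag, octets, _ = _read_tlv(wrapped, 0)
            if content[:p] == der_oid(NTDS_REPLICATION_OID) and inner_tag == 0x04:
                guid = str(uuid.UUID(bytes_le=octets))
    return dns, guid


def san_matches(dns_names, host: str) -> bool:
    """Host-name check a client performs: exact match or a single leftmost wildcard label, case-insensitive."""
    host = host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: alias from the thread plus a made-up DC FQDN and GUID.
    names = ["ldap.company.net", "dc1.company.net"]
    guid = "12345678-1234-1234-1234-123456789abc"
    der = build_san(names, guid)
    print("DER hex:   ", der.hex())
    print("base64:    ", san_base64(names, guid))
    print("parsed:    ", parse_san(der))
    print("alias ok:  ", san_matches(parse_san(der)[0], "LDAP.company.net"))
    print("other DC:  ", san_matches(parse_san(der)[0], "dc2.company.net"))
```

The parsed output is what a client's name check sees: if the alias is only in the Subject and absent from this list, the connection to ldap.company.net fails exactly as described in the original question, so running parse_san over the SAN value of an issued certificate is a quick way to confirm the alias really made it in before testing LDAPS.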



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question


We currently provide LDAPS to our customers.  Right now the certificates that we load on our DC use the DC name and the clients connect using that name.  We'd like to set up a DNS alias like: ldap.company.net.  I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect.

Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks
