Posted by Joe Kaplan on December 12, 2007, 12:24 pm
Sure thing. I've found selfssl.exe from the IIS 6 res kit to be very useful
for quick generation of SSL certs. It takes the extra action of configuring
the cert generated in IIS (which you don't need for a DC), but you can
export the generated cert and use it very easily. It helps avoid having to
know the more confusing options with makecert for generating a proper SSL
cert (server auth OID, etc.).
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
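Added example, not code from this thread or from either poster: a PowerShell check that opens a TLS session to port 636 the way ldp.exe does with the SSL box ticked, captures the certificate the DC actually presents, and reports the three things the thread turns on: whether the cert is self-signed or chains to a trusted root, whether it carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), and whether its name matches the DC's FQDN. The FQDN below is the placeholder from the thread, and the script assumes it runs on a domain-joined Windows machine with .NET available.

```powershell
# Added example, not from the thread: report what a DC presents on 636 so that
# "0x51 cannot connect" and "root not trusted" can be told apart.
# $DcFqdn is the placeholder from the thread; replace it with your DC's name.
param(
    [string]$DcFqdn = "FQDN_OF_DC.domain.local",
    [int]$Port = 636
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, the EKU makecert is given with -eku
$state = @{ Cert = $null; PolicyErrors = $null; ChainStatus = @() }

# Validation callback: record the certificate and the chain verdict, then accept the
# handshake so a bad certificate can be inspected instead of only raising an exception.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $state.PolicyErrors = $sslPolicyErrors
    $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($DcFqdn, $Port)
    # TLS first, LDAP inside it: this is what ldp.exe does with the SSL option marked.
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
    $ssl.AuthenticateAsClient($DcFqdn)
} catch {
    Write-Warning "TLS handshake with ${DcFqdn}:${Port} failed: $($_.Exception.Message)"
    # A failure with no certificate captured usually means schannel on the DC found no
    # usable cert: no private key, wrong store, or no Server Authentication EKU.
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

if (-not $state.Cert) { return }
$cert = $state.Cert

# Extended Key Usage (2.5.29.37): must list serverAuth for schannel to pick the cert.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

# Subject Alternative Name (2.5.29.17), if present; makecert -n only sets the CN.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }

$nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

[PSCustomObject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    NotAfter        = $cert.NotAfter
    HasServerAuth   = $hasServerAuth
    SubjectAltName  = $sanText
    NameMatchesFqdn = -not ($state.PolicyErrors -band $nameMismatch)
    ChainTrusted    = -not ($state.PolicyErrors -band $chainErrors)
    ChainStatus     = ($state.ChainStatus -join ", ")
}
```

A self-signed makecert certificate shows `SelfSigned = True` and `ChainTrusted = False` with `UntrustedRoot` in the chain status until its issuer is placed in the machine's Trusted Root store; a handshake that fails before any certificate is captured points at the DC side (the cert not being selected by schannel) rather than at trust on the client.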
> Hi Joe,
>
> yes it is for a test environment only!! (The names of the DCs are regularly
> changed)
>
> And it was like a "challenge" for me, nothing else :D
>
> For real production, we will use commercial certification.
>
> Thank you Joe
>
> Fred
>
>
>
>> Is this for a test environment? Self-signed certs are ok for dinking
>> around, but they are almost never appropriate to be used for real.
>>
>> Note that you can get a perfectly good publicly rooted SSL cert from many
>> different places now for about $20. It isn't a big deal.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>>> Finally it works!
>>>
>>> I have deleted every cert, then I have created them by using the command
>>> quoted below.
>>>
>>> After a reboot of the DC, LDAP over 636 is working fine!
>>>
>>> Thank you
>>>> Hi,
>>>>
>>>> I would like to use LDAPS on my DC.
>>>> I have already read this article :
>>>>
>>>> but I am not able to create my self-signed certificate with certreq as
>>>> I don't have any CA in my domain to submit the "request.req" file to.
>>>>
>>>> 1. So I tried to create my own certificate with makecert by using this
>>>> command :
>>>> "makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e
>>>> 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky
>>>> exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"
>>>>
>>>> The certificate is created in Personal\Certificates (under Computer)
>>>> but when I watch the certificate status, I have a warning saying :
>>>> "This CA Root certificate is not trusted because it is not in the
>>>> Trusted Root Certification Authorities store.".
>>>>
>>>> 2. I have also tried to create a trusted root CA certificate by using
>>>> this command :
>>>> "makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer"
>>>> Then I have created a server certificate trusted by this "TempCA" by
>>>> typing this command :
>>>> "makecert -sk PourDC -iv TempCA.pvk -n "CN=FQDN_OF_DC.domain.local" -ic
>>>> TempCA.cer PourDC.cer -eku 1.3.6.1.5.5.7.3.1 -ss my -sr
>>>> localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic
>>>> Provider" -sy 12"
>>>>
>>>> When I try to connect (locally) to my LDAPS using ldp.exe (port 636 but
>>>> without the SSL option marked), I have an error "Error <0x51>: Fail to
>>>> connect to FQDN_OF_DC.domain.local."
>>>>
>>>> Do I need to install a CA only for my testing purposes?
>>>> I think it is possible by using makecert and I would like to find out how!
>>>> :D
>>>>
>>>>
>>>> Thank you
>>>>
>>>> P.S.: Sorry for my English
>>>
>>> --
>>>
>>> bigstyle
>>> MVP Windows Server - Directory Services
>>> MCSE 2000/2003 Security
>>>
>>>
>
> --
>
> bigstyle
> MVP Windows Server - Directory Services
> MCSE 2000/2003 Security
>
>