Posted by bigstyle [MVP] on December 13, 2007, 8:35 am
Thank you for the information about SelfSSL.exe!
> Sure thing. I've found selfssl.exe from the IIS 6 res kit to be very useful
> for quick generation of SSL certs. It takes the extra action of configuring
> the cert generated in IIS (which you don't need for a DC), but you can export
> the generated cert and use it very easily. It helps avoid having to know the
> more confusing options with makecert for generating a proper SSL cert (server
> auth OID, etc.).
>
> Best of luck!
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
>> Hi Joe,
>>
>> Yes, it is for a test environment only!! (The names of the DCs are regularly
>> changed.)
>>
>> And it was like a "challenge" for me, nothing else :D
>>
>> For real production, we will use commercial certification.
>>
>> Thank you Joe
>>
>> Fred
>>
>>
>>
>>> Is this for a test environment? Self-signed certs are ok for dinking
>>> around, but they are almost never appropriate to be used for real.
>>>
>>> Note that you can get a perfectly good publicly rooted SSL cert from many
>>> different places now for about $20. It isn't a big deal.
>>>
>>> Joe K.
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services
>>> Programming"
>>> http://www.directoryprogramming.net
>>> --
>>>> Finally it works!
>>>>
>>>> I have deleted every cert, then I have created them by using the command
>>>> quoted below.
>>>>
>>>> After a reboot of the DC, LDAP over 636 is working fine!
>>>>
>>>> Thank you
>>>>> Hi,
>>>>>
>>>>> I would like to use LDAPS on my DC.
>>>>> I have already read this article:
>>>>>
>>>>> but I am not able to create my self-signed certificate with certreq as I
>>>>> don't have any CA in my domain to submit the "request.req" file to.
>>>>>
>>>>> 1. So I tried to create my own certificate with makecert by using this
>>>>> command:
>>>>> "makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e
>>>>> 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange
>>>>> -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"
>>>>>
>>>>> The certificate is created in Personal\Certificates (under Computer), but
>>>>> when I look at the certificate status, I have a warning saying: "This CA
>>>>> Root certificate is not trusted because it is not in the Trusted Root
>>>>> Certification Authorities store."
>>>>>
>>>>> 2. I have also tried to create a trusted root CA certificate by using
>>>>> this command:
>>>>> "makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer"
>>>>> Then I have created a server certificate trusted by this "TempCA" by
>>>>> typing this command:
>>>>> "makecert -sk PourDC -iv TempCA.pvk -n "CN=FQDN_OF_DC.domain.local" -ic
>>>>> TempCA.cer PourDC.cer -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine
>>>>> -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy
>>>>> 12"
>>>>>
>>>>> When I try to connect (locally) to my LDAPS using ldp.exe (port 636, but
>>>>> without the SSL option marked), I have an error "Error <0x51>: Fail to
>>>>> connect to FQDN_OF_DC.domain.local."
>>>>>
>>>>> Do I need to install a CA only for my testing purpose?
>>>>> I think it is possible by using makecert and I would like to find out how!
>>>>> :D
>>>>>
>>>>>
>>>>> Thank you
>>>>>
>>>>> P.S.: Sorry for my English
>>>>
>>>> --
>>>>
>>>> bigstyle
>>>> MVP Windows Server - Directory Services
>>>> MCSE 2000/2003 Security
>>>>
>>>>
>>
>> --
>>
>> bigstyle
>> MVP Windows Server - Directory Services
>> MCSE 2000/2003 Security
>>
>>
--
bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
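The quoted thread above runs into the two things a DC's LDAPS listener actually needs from a certificate: a subject name matching the DC's FQDN, the Server Authentication EKU (1.3.6.1.5.5.7.3.1) with a private key in the computer's Personal store, and an issuer the machine trusts (the "CA Root certificate is not trusted" warning is exactly that last point failing). The following script is an added example, not code from the thread or from any of its authors; it checks those conditions on the local machine store so you can see why a freshly generated cert is or is not usable before rebooting. It assumes it is run on the DC in an elevated PowerShell session, and that `GetHostEntry` on the computer name returns the DC's FQDN.

```powershell
# Added example: audit LocalMachine\My for a certificate usable by LDAPS on a DC.
# Assumption: run on the DC itself, elevated; $fqdn is derived from DNS for this host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as used with makecert -eku
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-ServerAuthCandidates {
    # Only certs with a private key and the Server Authentication EKU can serve LDAPS.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }
        $_.HasPrivateKey -and $hasServerAuth
    }
}

$candidates = @(Get-ServerAuthCandidates)
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My has both a private key and the Server Authentication EKU."
    return
}

foreach ($cert in $candidates) {
    # Pull the CN out of the subject and compare it with the DC's FQDN (case-insensitive).
    $subjectCn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $nameOk    = ($subjectCn -ieq $fqdn)

    # Verify() builds the chain against this machine's trust stores. A self-signed cert,
    # or one issued by a TempCA that was never imported into Trusted Root Certification
    # Authorities, fails here, which is the warning seen in the thread.
    $chainOk   = $cert.Verify()

    $now       = Get-Date
    $dateOk    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NameMatchesFqdn  = $nameOk
        ChainTrusted     = $chainOk
        InValidityPeriod = $dateOk
        UsableForLdaps   = ($nameOk -and $chainOk -and $dateOk)
    }
}
```

A cert that reports `ChainTrusted = False` is the situation described in step 1 of the quoted question: the DC may still pick it up, but every LDAPS client will see an untrusted issuer unless that root is distributed to the client's Trusted Root store. Run the script again after importing the root (or after replacing the cert with one from a real CA) and the `UsableForLdaps` column should flip to `True` before any reboot is attempted.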