LDAPS certificate process
- Jun 4, 2015
If you ever need to create a CA signed certificate for active directory, follow this procedure for each domain controller.
#Create a file called request.inf in the c:\temp directory
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=servername.domainname.edu, OU=College Of IT, O=Information Technology, L=City, S=YourState, C=US"
KeySpec = 1
KeyLength = 2048 ; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE ; TRUE allows the private key to be exported later; use FALSE if you never need to move it
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment
HashAlgorithm = sha256 ; certreq reads this key from [NewRequest], not [RequestAttributes]
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[RequestAttributes]
; list every DNS name LDAPS clients will use to reach this domain controller
SAN="dns=name1.yourdomain.edu&dns=name2.yourdomain.edu"
;-----------------------------------------------
Then run the following commands:
cd c:\temp
certreq.exe -new .\request.inf yourserver.domain.2015.req
#wait for certificate from CA
certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer
#The certreq utility will put this cert in the personal store of the local computer. I open up both the local computer certificate store and the certificate store for "Active Directory Domain Services". Once both personal stores are open, I simply drag the certificate into the "Active Directory Domain Services" personal store. Make sure you open up the cert and verify that the certificate chain is OK. Active Directory will immediately see the new certificate and start using it if its expiration date is later than the previous cert's, so you don't have to remove the old cert first.
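As an added check (this is an example script written for this page, not part of the original post), the following PowerShell confirms what the paragraph above asks you to eyeball: that the accepted certificate is in the local computer's Personal store with a valid chain, that it carries the Server Authentication EKU and a SAN containing the DC's name, and, after the copy into the "Active Directory Domain Services" store, that the domain controller is really presenting that certificate on TCP 636. The server name, the OIDs used as lookup keys and the port are assumptions (the OIDs are the standard ones the request.inf above already uses); run it on the domain controller, or anywhere that can reach it on 636.

```powershell
# Added example, not part of the original post: verify the LDAPS certificate after
# "certreq -Accept" and the copy into the NTDS personal store.
# $DcFqdn is an assumed placeholder for the domain controller's FQDN.
param(
    [string]$DcFqdn = "servername.domainname.edu"
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage: Server Authentication
$SanOid        = "2.5.29.17"           # X.509 Subject Alternative Name extension

# --- 1. Locate the candidate certificate(s) in LocalMachine\My -------------------
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -like "CN=$DcFqdn*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
}
if (-not $candidates) {
    throw "No Server Authentication certificate for $DcFqdn in LocalMachine\My; did certreq -Accept succeed?"
}

# Active Directory prefers the certificate with the latest expiry, so that is the
# one we expect to see on the wire.
$expected = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Expecting DC to present: $($expected.Subject) thumbprint $($expected.Thumbprint) (expires $($expected.NotAfter))"

# --- 2. Build and check the chain, including revocation --------------------------
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($expected)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())"
    }
} else {
    "Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join " <- ")
}

# --- 3. Check the SAN lists the name clients will actually connect to -------------
$sanExt = $expected.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
if (-not $sanExt) {
    Write-Warning "Certificate has no SAN extension; clients that ignore CN will fail hostname validation."
} elseif ($sanExt.Format($false) -notmatch [regex]::Escape($DcFqdn)) {
    Write-Warning "SAN does not include $DcFqdn : $($sanExt.Format($false))"
} else {
    "SAN OK: $($sanExt.Format($false))"
}

# --- 4. Handshake with LDAPS and compare the presented certificate ----------------
# The validation callback returns $true only so we can inspect whatever the DC
# sends; the pass/fail decision is the thumbprint comparison below.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
try {
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($DcFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "LDAPS negotiated $($ssl.SslProtocol); DC presented thumbprint $($presented.Thumbprint)"
    if ($presented.Thumbprint -eq $expected.Thumbprint) {
        "PASS: domain controller is serving the new certificate."
    } else {
        Write-Warning "DC is still presenting a different certificate (expires $($presented.NotAfter)); check the 'Active Directory Domain Services' personal store."
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If step 4 reports a different thumbprint right after the drag-and-drop, the older certificate probably has the later expiry date, which is exactly the case the paragraph above describes: AD keeps using whichever valid certificate expires last.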
This process has been tested on Active Directory 2008 R2