Query on LDAP

Glenn Maxwell 12,216 Reputation points
2025-02-04T22:52:19.9766667+00:00

Hi All,

I want to generate an LDAP CSR request. I have the following text file, which I will save with the .inf extension (i.e., ldap.inf). From the command prompt, I will execute the following command:

certreq -new ldap.inf ldapcsr.req

Once I have the certificate, I will run the following command on the same VM where I generated the CSR request:

certreq -accept C:\Temp\cert.crt

Do I need to include the SAN name ldap.contoso.com? Which of the following is correct? (Please refer to the last line in my text file.)

_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

or 

 _continue_ = "&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

Are the following lines correctly added in my text file?

Subject = "CN=ldap.contoso.com" ; Replace with the FQDN of the DC 
C = US 
ST = MYST 
L = MYL 
O = Contoso, Inc.

My Text File


;----------------- request.inf -----------------
;----- requested on ALL DCs-----

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=ldap.contoso.com" ; replace with the FQDN of the DC
C = US
ST = MYST
L = MYL
O = Contoso, Inc.
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"


2 answers

  1. Marcin Policht 33,775 Reputation points MVP
    2025-02-04T23:47:13.9133333+00:00

    Follow https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Glenn Maxwell 12,216 Reputation points
    2025-02-05T05:24:46.89+00:00

    Can I use it like this?

    Subject = "CN=ldap.contoso.com"m C = US, OU=Domain Controllers, ST = MYST, L = MYL, O = Contoso, Inc.,"

    _continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

    ;----------------- request.inf -----------------
    ;----- requested on ALL DCs-----
    
    [Version]
    
    Signature="$Windows NT$"
    
    [NewRequest]
    
    Subject = "CN=ldap.contoso.com"m C = US, OU=Domain Controllers, ST = MYST, L = MYL, O = Contoso, Inc.," ;
    KeySpec = 1
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    
    [EnhancedKeyUsageExtension]
    
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
    
    [Extensions]
    ; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
    ; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
    
    2.5.29.17 = "{text}"
    _continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"
    
    
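The question's INF and the follow-up's one-line Subject both come down to the same two things: the DN must sit inside a single, properly quoted Subject string, and the SAN must carry every name clients will connect to (ldap.contoso.com and each DC, since SAN-aware clients match on the SAN rather than the CN). The script below is an added example, not Microsoft's tooling and not code from this thread: it builds a per-DC INF in the layout posted above and lints an INF for the pitfalls visible in both posts (unclosed Signature quote, C/ST/L/O given as separate keys, an unescaped comma in "Contoso, Inc.", a name missing from the SAN, an exportable DC key). The helper names, the hostnames, and the set of keys it treats as known are assumptions made for illustration; run the resulting file through certreq -new as described in the question.

```python
"""Build and sanity-check a certreq .inf for an LDAPS certificate request.

Added example for this thread, not Microsoft's tooling: the INF layout mirrors
the one posted above; helper names, hostnames and the set of keys treated as
known are assumptions made for illustration."""
import re

# Constructed sample (contoso.com is a documentation domain).
LDAP_ALIAS = "ldap.contoso.com"
DOMAIN_CONTROLLERS = ["dc01.contoso.com", "dc02.contoso.com", "dc03.contoso.com"]

# [NewRequest] keys the posted INF uses. Standalone C/ST/L/O lines are not
# among them: certreq reads the whole DN from the Subject string.
KNOWN_NEWREQUEST_KEYS = {
    "subject", "keyspec", "keylength", "exportable", "machinekeyset", "smime",
    "privatekeyarchive", "userprotected", "useexistingkeyset", "providername",
    "providertype", "requesttype", "keyusage",
}

# The INF from the question, abridged to the lines the checks look at.
POSTED_INF = """\
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=ldap.contoso.com" ; replace with the FQDN of the DC
C = US
ST = MYST
L = MYL
O = Contoso, Inc.
Exportable = TRUE
MachineKeySet = TRUE
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"
"""


def build_request_inf(dc_fqdn, san_dns_names, extra_rdns=(("O", "Contoso Inc"), ("C", "US")),
                      exportable=False):
    """INF text for one DC: DN folded into one quoted Subject, SANs in the
    2.5.29.17 '{text}' form, private key non-exportable by default."""
    subject = ", ".join([f"CN={dc_fqdn}", *(f"{t}={v}" for t, v in extra_rdns)])
    sans = "".join(f"&dns={name}" for name in san_dns_names)
    return "\n".join([
        "[Version]", 'Signature="$Windows NT$"', "", "[NewRequest]",
        f'Subject = "{subject}"', "KeySpec = 1", "KeyLength = 2048",
        f"Exportable = {'TRUE' if exportable else 'FALSE'}", "MachineKeySet = TRUE",
        "SMIME = False", "PrivateKeyArchive = FALSE", "UserProtected = FALSE",
        "UseExistingKeySet = FALSE",
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "ProviderType = 12", "RequestType = PKCS10", "KeyUsage = 0xa0", "",
        "[EnhancedKeyUsageExtension]", "OID=1.3.6.1.5.5.7.3.1 ; Server Authentication",
        "OID=1.3.6.1.5.5.7.3.2 ; Client Authentication", "",
        "[Extensions]", '2.5.29.17 = "{text}"', f'_continue_ = "{sans}"', "",
    ])


def _unquote(value):
    """Strip one surrounding pair of double quotes; report whether quotes balance."""
    balanced = value.count('"') % 2 == 0
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value.strip('"'), balanced


def parse_inf(text):
    """INF -> {section: [(key, value, quotes_balanced)]}; duplicate keys are kept
    and `_continue_` lines are appended to the preceding value, as certreq does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        value, balanced = _unquote(value)
        entries = sections.setdefault(current, [])
        if key == "_continue_" and entries:
            pkey, pval, pbal = entries[-1]
            entries[-1] = (pkey, pval + value, pbal and balanced)
        else:
            entries.append((key, value, balanced))
    return sections


def check_request_inf(text, required_sans):
    """Return findings (empty list = the INF looks sound for an LDAPS request)."""
    inf, findings, subject_cn = parse_inf(text), [], None
    version = {k.lower(): (v, b) for k, v, b in inf.get("Version", [])}
    if version.get("signature") != ("$Windows NT$", True):
        findings.append('[Version] Signature must be exactly "$Windows NT$" (closing quote?)')
    for key, value, balanced in inf.get("NewRequest", []):
        k = key.lower()
        if k not in KNOWN_NEWREQUEST_KEYS:
            findings.append(f"[NewRequest] unexpected key '{key}': DN parts belong inside Subject")
        elif k == "subject":
            if not balanced:
                findings.append("[NewRequest] Subject has unbalanced quotes")
            for rdn in (p.strip() for p in value.split(",")):
                if "=" not in rdn:
                    findings.append(f"[NewRequest] Subject part '{rdn}' has no attribute type (unescaped comma?)")
                elif rdn.upper().startswith("CN="):
                    subject_cn = rdn[3:].strip()
        elif k == "exportable" and value.upper() == "TRUE":
            findings.append("[NewRequest] Exportable = TRUE lets the DC's private key leave the machine; prefer FALSE")
    if subject_cn is None:
        findings.append("[NewRequest] Subject has no CN")
    san = {k: v for k, v, _ in inf.get("Extensions", [])}.get("2.5.29.17", "")
    if not san.startswith("{text}"):
        findings.append("[Extensions] 2.5.29.17 must begin with {text}")
    present = {n.lower() for n in re.findall(r"&dns=([^&]+)", san)}
    for name in [subject_cn, *required_sans]:  # SAN-aware clients ignore the CN
        if name and name.lower() not in present:
            findings.append(f"[Extensions] SAN is missing dns={name}")
    return findings
```

Run `check_request_inf(POSTED_INF, [LDAP_ALIAS, *DOMAIN_CONTROLLERS])` to see the findings for the INF in the question; `build_request_inf("dc01.contoso.com", [LDAP_ALIAS, "dc01.contoso.com"])` produces a request file for one DC that passes clean, with the alias and that DC's own FQDN in the SAN. Generate one such file per DC, because the private key is created in the machine store of the host where certreq -new runs and the resulting certificate is only usable there.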
