Share via

Query on LDAP

Glenn Maxwell 12,336 Reputation points
2025-02-04T22:52:19.9766667+00:00

Hi All,

I want to generate an LDAP CSR request. I have the following text file, which I will save with the .inf extension (i.e., ldap.inf). From the command prompt, I will execute the following command:

certreq -new ldap.inf ldapcsr.req

Once I have the certificate, I will run the following command on the same VM where I generated the CSR request:

certreq -accept C:\Temp\cert.crt

Do I need to include the SAN name ldap.contoso.com? Which of the following is correct? (Please refer the last line in my text file)

_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

or 

 _continue_ = "&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

Are the following lines correctly added in my text file?

Subject = "CN=ldap.contoso.com" ; Replace with the FQDN of the DC 
C = US 
ST = MYST 
L = MYL 
O = Contoso, Inc.

My Text File


;----------------- request.inf -----------------
;----- requested on ALL DCs-----

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=ldap.contoso.com" ; replace with the FQDN of the DC
C = US
ST = MYST
L = MYL
O = Contoso, Inc.
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"
Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,907 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,575 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,704 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,887 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,903 questions
0 comments
Accepted answer
  1. Marcin Policht 35,595 Reputation points MVP
    2025-02-05T13:28:14.72+00:00

    Create a separate request for each domain controller - include ldap.contoso.com as SAN. In general, you might want to be able to revoke the corresponding certs for individual DCs - rather than being limited to revoking the cert for all DCs at the same time

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 35,595 Reputation points MVP
    2025-02-04T23:47:13.9133333+00:00

    Follow https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Glenn Maxwell 12,336 Reputation points
    2025-02-05T05:24:46.89+00:00

    Can i use like this.

    Subject = "CN=ldap.contoso.com"m C = US, OU=Domain Controllers, ST = MYST, L = MYL, O = Contoso, Inc.,"

    continue = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"

    ;----------------- request.inf -----------------
;----- requested on ALL DCs-----

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=ldap.contoso.com"m C = US, OU=Domain Controllers, ST = MYST, L = MYL, O = Contoso, Inc.," ;
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "&dns=ldap.contoso.com&dns=dc01.contoso.com&dns=dc02.contoso.com&dns=dc03.contoso.com"
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.