On a Windows 2003 Server create the following text file:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature + keyEncipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication (id-kp-serverAuth)
;-----------------------------------------------
Within the .inf file, replace the Subject line with your Domain Controller's FQDN (the name clients will use to connect; the hostname check on the LDAPS client compares against it).
Open a command prompt window (Start > Run > cmd) and change to the directory where the INF is saved. Once there, type the following:
certreq -new request.inf request.req
The .req file is the Base64-encoded CSR that will be submitted to the Certificate Authority on the Domain Controller.
Submit the .req file. Although the Certificate Authority snap-in for MMC can be used to submit the .req, this article uses the WebUI.
Download and save the issued certificate in Base64-encoded format.
Open a command prompt window (Start > Run > cmd) and change to the directory where the certificate is saved. Accept the certificate (which binds it to the private key created by the request) using the following command:
certreq -accept certnew.cer
The certificate should now be in the local computer's Personal store. To confirm:
- Open the MMC by selecting Start > Run.
- Type MMC.
- Go to File, click Add/Remove Snap-in.
- Add the Certificates snap-in for the local computer account.
- Select the Personal store; the new certificate should be listed there.
Reboot the Domain Controller.
Once the domain controller is back up and running, export the CA certificate so the PCS can validate the chain:
- Log in to the Certificate Server's WebUI and select Download a CA certificate.
- Select the CA certificate to download, then click Download CA Certificate.
- Save the certificate to the Windows 2003 server.
Import the CA certificate into the Trusted Server CAs on the PCS:
- From the PCS WebUI, select Configuration > Certificates > Trusted Server CAs.
- Enter the path to the .cer file, then click Import Certificate.
- The new CA certificate will appear in the list of Trusted Server CAs.
From the PCS WebUI, select Auth. Servers, change the LDAP server's connection type to LDAPS and the Access port to 636, then save the changes. LDAPS should now be working.
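The following is an added helper, not code from the original article or from Pulse Secure: it renders the request.inf above for a given DC FQDN and, once the certificate is installed, verifies the LDAPS listener the way the PCS will (chain anchored at the downloaded CA file, hostname checked). The FQDN `dc1.example.com`, the CA file name `ca.cer` and the function names are assumptions.

```python
"""Added helper for the LDAPS procedure above (not from the original article):
render request.inf for a DC FQDN and verify the finished listener as a strict
TLS client would (chain anchored at the downloaded CA file, hostname checked)."""
import socket
import ssl
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the OID in the INF
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",  # RFC 5280
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}
INF_TEMPLATE = """[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN={fqdn}"
KeySpec = 1
KeyLength = {key_length}
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = {key_usage:#x}
[EnhancedKeyUsageExtension]
OID={oid}
"""

def key_usage_names(mask):
    """Decode a certreq KeyUsage mask such as 0xa0 into RFC 5280 bit names."""
    return [name for bit, name in KEY_USAGE_BITS.items() if mask & bit]

def build_request_inf(fqdn, key_length=2048, key_usage=0xA0):
    """Render request.inf. The article uses KeyLength 1024; 2048 is the default
    here because many current clients and CAs reject 1024-bit RSA keys."""
    return INF_TEMPLATE.format(fqdn=fqdn, key_length=key_length,
                               key_usage=key_usage, oid=SERVER_AUTH_OID)

def check_ldaps(fqdn, cafile, port=636, timeout=5):
    """Connect to the DC on 636 (assumed hostname / CA file), verify chain and
    hostname, and return (subject CN, notAfter). Raises on verification failure."""
    # Passing cafile makes this CA the only trust anchor; the default context
    # already requires a certificate and enforces the hostname match.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return subject.get("commonName"), cert.get("notAfter")
```

Run `check_ldaps("dc1.example.com", "ca.cer")` from a host that can reach the DC; a hostname mismatch or a chain that does not end at the imported CA raises an exception, which is exactly what the PCS would refuse.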