Generate a self-signed SSL certificate: How to enable LDAP over SSL with a self-signed certificate

SSL stands for Secure Sockets Layer, the standard security layer for keeping an internet connection secure and safeguarding sensitive data sent between two endpoints. It prevents criminals from accessing confidential and private content moving across the internet and helps guard against reading or modifying the information transferred. Many people find it difficult to get a signed SSL certificate for a local IP address, whereas purchasing an SSL certificate for a registered domain is much easier. This guide will show you how to generate a self-signed SSL certificate for your IP address or localhost. For guides on resolving some Windows issues, please check these: How to fix the issue “The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license”, How to fix the issue “The Security Database on the Server does not have a Computer Account for this Workstation Trust Relationship” on Windows Server [Part 2], and How to Quickly Fix Windows Search Bar Not Working.

In this guide, we will be using LDP (ldp.exe), a tool that connects to the domain controller over LDAP with an SSL connection. First, on our remote server, which also serves as the remote system, install the Active Directory Lightweight Directory Services role under Server Manager > Server Roles. If you want to learn more about LDAP, please take a look at this guide: What is Lightweight Directory Access Protocol.

This is required to be able to launch the LDP and connect to the domain controller via an SSL connection.

[Image: Selecting Server Roles]

Add all the features required for the Active Directory Lightweight Directory Services.

[Image: Adding features to AD LDS]

After adding the roles, complete the installation of AD LDS.

[Image: Installing AD LDS]

Now launch Ldp from the command prompt by typing ldp and pressing Enter. When the Ldp window appears, enter the server IP, check SSL, and click OK.

[Image: Launching the Ldp]

If an SSL certificate is already in place, LDP will connect to the domain controller successfully. If SSL is not yet implemented, you will get the result below. Please refer to this guide for more information on this issue: “Cannot open connection via the ldp.exe tool: How to fix LDAP connection error 81”.

[Image: Failed Connection]

Let’s correct this error by installing Active Directory Certificate Services via the server manager server roles.

[Image: Selecting Server Roles]

You can install the Certification Authority, Certificate Enrollment Policy Web Service, or Certificate Enrollment Web Service, but our focus here is the first one, the CA.

[Image: Selecting role services]

After the installation, make sure you complete the configuration of Active Directory Certificate Services.

[Image: Configuring Active Directory Certificate Services]

Select all the role services that need to be configured.

[Image: Selecting Role Services to configure]

Specify Enterprise CA as the setup type of the CA.

[Image: Specifying the setup type of the CA]

Specify Root CA as the type of the CA.

[Image: Specifying the type of the CA]

Make sure you check the “Allow administrator interaction when the private key is accessed by the CA” checkbox, and keep SHA256 as the hash algorithm and 2048 as the key length.

[Image: Specifying the Cryptographic options]

After completing the configuration, restart the computer. Once the system has booted back up, go to Administrative Tools.

[Image: Administrative Tools]

Open Certification Authority.

[Image: Certification Authority]

Right-click the Certificate Templates and select Manage.

[Image: Certification Authority]

Right-click the Domain Controller template and click Duplicate Template.

[Image: Domain Controller Duplicate Template]

On the General tab, enter your Template display name, Template name and Validity period.

[Image: Setting up of Template]

On the Request Handling tab, check the Allow private key to be exported check box.

[Image: Setting up of Template]

On the Subject Name tab, select the Supply in the request option and click OK.

[Image: Setting up of New Template Properties]

Click Apply and OK
– Close the Properties of New Template
– On the Certificate Authority right-click the Certificate Templates and select New > Certificate Template to Issue

[Image: Issuing New Certificate Template]

Search for the template you added earlier. We created “IP_SSL”.

[Image: Enabling Certificate Template]

Next, open Microsoft Management Console by running mmc.exe via Run
– Open Add/Remove Snap-in

[Image: Computer Management]

Open Certificates

[Image: Adding or Removing Snap-ins]

Select Computer account

[Image: Certificates snap-in]

Right-click Personal and select All Tasks > Request New Certificate.

[Image: Certificate Authority]

We are going to select the certificate template we added, “IP_SSL”. Click the “More information is…” link and configure it.

[Image: Certificate Enrollment]

Select Common name as the Type and enter the server IP as the value. Your IP and DNS entries should carry the same value. Make sure you also add the FQDN as a DNS entry.

[Image: Certificate Properties]

Click OK and then Enroll.

[Image: Certificate Enrollment]

It's now time to export the certificate to the remote client machine and install it.
– Click on Export

[Image: Certificate Console]

Select “Yes, export the private key”.

[Image: Certificate Export Wizard]

Enter a password to protect the exported file. It will be needed later to install the certificate.

[Image: Certificate Export Wizard]

Browse to where you want to save the certificate and give the certificate a name.
– Click Finish, then copy the certificate file to the remote machine and install it.
– Run the installation and select Local Machine.

[Image: Certificate Import Wizard]

Enter the password we created earlier.

[Image: Certificate Import Wizard]

Make sure you place the certificate in both Personal and Trusted Root Certification Authorities, which means you will repeat the import procedure twice.

[Image: Certificate Import Wizard]
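As an added example (not from the original post), the two import steps above can be scripted on the remote client with the PKI cmdlets. It follows the guide's placement but puts only the public certificate into Trusted Root, since trust decisions need only the public part and the private key can stay with the domain controller; the file paths and the IP_SSL name are placeholders, and the session must be elevated.

```powershell
# Added example, not the guide's own code. Scripted equivalent of running the
# Certificate Import Wizard twice on the remote client (Local Machine).
# Assumptions: the PFX exported from the DC sits at C:\Temp\IP_SSL.pfx
# (placeholder path) and this runs in an elevated PowerShell session.
$PfxPath  = 'C:\Temp\IP_SSL.pfx'   # placeholder: file from the Export Wizard
$CerPath  = 'C:\Temp\IP_SSL.cer'   # placeholder: public certificate only
$Password = Read-Host -AsSecureString -Prompt 'Password chosen in the Export Wizard'

# Step 1: Personal store (Cert:\LocalMachine\My), certificate plus private key,
# exactly as the guide's first import.
$pfx = Import-PfxCertificate -FilePath $PfxPath `
                             -CertStoreLocation 'Cert:\LocalMachine\My' `
                             -Password $Password

# Step 2: Trusted Root Certification Authorities (Cert:\LocalMachine\Root).
# Only the public certificate is needed for the client to trust the server,
# so re-export it as a .cer (no key) and import that instead of the PFX.
Export-Certificate -Cert $pfx -FilePath $CerPath -Type CERT | Out-Null
$root = Import-Certificate -FilePath $CerPath `
                           -CertStoreLocation 'Cert:\LocalMachine\Root'

# Confirm both stores hold the same certificate and that only Personal has
# the private key.
'Personal     : {0}  private key present: {1}' -f $pfx.Thumbprint,  $pfx.HasPrivateKey
'Trusted Root : {0}  private key present: {1}' -f $root.Thumbprint, $root.HasPrivateKey
```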

Now test the Ldp connection again.


You should now be able to connect.

[Image: Connection Successful]
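As an added example (not from the original post), the same test can be scripted from the client: it completes a TLS handshake with the domain controller on the LDAPS port (636), prints the certificate the server presents, and reports whether the client's chain validation and host-name match passed, which is what the Trusted Root import and the IP/DNS entries in the certificate were for. The server address is a placeholder.

```powershell
# Added example, not the guide's own code. Scripted counterpart of the ldp.exe
# SSL test: connect to the DC on 636, capture its certificate and validation result.
# Assumption: $Server is the IP or FQDN you placed in the certificate (placeholder).
$Server = '192.0.2.10'
$Port   = 636

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($Server, $Port)

# Record the validation outcome instead of aborting the handshake so it can be
# reported below; this is a diagnostic probe, not a client that should trust blindly.
$result   = @{ Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $result.Errors = $errors
    return $true
}.GetNewClosure()

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # The target name passed here is what the SAN (IP or DNS entry) is checked against
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    'Protocol      : {0}'            -f $ssl.SslProtocol
    'Subject       : {0}'            -f $cert.Subject
    'Issuer        : {0}'            -f $cert.Issuer
    'Valid         : {0:d} to {1:d}' -f $cert.NotBefore, $cert.NotAfter
    'Thumbprint    : {0}'            -f $cert.Thumbprint

    # 2.5.29.17 is the Subject Alternative Name extension; the IP and FQDN from
    # the enrollment step should appear here.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { 'SAN           : {0}' -f $san.Format($false) }
    else      { 'SAN           : none (clients that validate the name will reject this)' }

    # "None" means the issuer is trusted on this machine and the name matched;
    # RemoteCertificateChainErrors points at the Trusted Root import,
    # RemoteCertificateNameMismatch at the IP/DNS entries in the certificate.
    'Policy errors : {0}' -f $result.Errors
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```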

I hope you found this blog post on How to generate a self-signed SSL certificate for an IP address very interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.
