Campus Active Directory - Install Server Certificate for Domain Controllers

By default, Active Directory LDAP traffic is transmitted unsecured: a simple bind sends the password in clear text, and unsigned traffic can be read on the wire or replayed and relayed by an attacker on the network path. LDAP traffic can be protected using Secure Sockets Layer (SSL) / Transport Layer Security (TLS). LDAP over SSL (LDAPS), on TCP port 636, is enabled on a domain controller simply by installing a properly formatted server certificate; the domain controller picks the certificate up from its certificate store and no separate LDAPS configuration switch exists.

The InCommon/Comodo server certificates requested from OCIS are trusted by most operating systems natively without requiring the installation of additional root certificates.

Information about the OCIS Server Certificate request process: Server Certificate Request Information


Before beginning, verify that Active Directory Certificate Services (AD CS) is not installed on any of the domain controllers. If a third-party certificate is to be used for LDAPS connections, the Microsoft Enterprise Certificate Authority must not be installed on the LDAP server: an Enterprise CA in the forest issues the domain controller its own Domain Controller certificate, and Schannel may then select that certificate instead of the third-party one when a client connects. How to decommission a Windows Enterprise CA:

Submit certificate request to the Office of Campus Information Security

- On the target server, create the "request.inf" file by opening Notepad and copying the example below. Be sure to edit the "Subject" line so that the value after "CN=" matches the fully qualified domain name of the target server; the name in the certificate must be the name clients use to connect, or the TLS handshake will fail hostname validation.

Example "request.inf"
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
;Change to your country code, company name and common name
Subject = "C=US, O=University of Wisconsin-Madison, CN=<fully qualified domain name of the domain controller>"

KeySpec = 1
KeyLength = 2048
Exportable = TRUE          ; needed later if the certificate must be exported into NTDS\Personal
MachineKeySet = TRUE       ; key is stored in the computer's key store, not the user's
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0            ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

- Save the "request.inf" file to the root of "C:\".

- Open an elevated command prompt and change directory to "C:\".

- Run the following command:

C:\> certreq -new request.inf request.csr

- Open a browser and navigate to the OCIS Server Certificate Request page

- In the OCIS Server Certificate Request form, enter your contact information

- Select "a first time request for the certificate", or "a request to renew a certificate that is nearing expiration" if an existing certificate is being replaced

- Select "Other" from the "Web Server Type" drop-down menu and enter "LDAPS for AD Domain Controller" in the text box that appears below

- Leave "Certificate Type" and "Validity Period" as the default "Single Domain" and "3 Years"

- Copy the contents of the "request.csr" file that was created earlier (the whole file, including the BEGIN and END lines) into the request form

- Enter "LDAPS for AD Domain Controller <>

- Check the box for "I am responsible for running a service which uses this fully qualified domain name..." at the bottom of the form and click "Submit"


Be careful to close this page each time before using the above link again to request additional certificates; otherwise it refreshes and creates a duplicate request!

- After submitting the request, a confirmation email will be sent from OCIS to the contact provided in the request

- An enrollment email will be sent from Comodo Certificate Services Manager with links to download the certificate in different formats

- Click the link for "PKCS#7 Base64 encoded" to download the certificate

Of the formats offered, PKCS#7 Base64 encoded is the one to use. The Cryptographic Message Syntax Standard (PKCS #7, .p7b) format holds the server certificate together with all certificates in the certification path, so certreq can install the intermediate certificates along with the server certificate. It does not include the private key; the private key never leaves the target server, where certreq -new generated it. The downloaded file has a .crt extension, but if you open it you will notice that it contains "-----BEGIN PKCS7-----" and "-----END PKCS7-----" lines rather than a single certificate.

- Copy the downloaded certificate file to the root of "C:\" on the target server. It must be accepted on the same server that generated the request, because only that server holds the matching private key

Install the Certificate

- Open an elevated command prompt and change directory to "C:\".

- Run the following command:

C:\> certreq -accept <yourservername_wisc_edu>.crt
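The request and install steps above, collected into one PowerShell script. This is an added example and is not part of the KB page: it checks that the Enterprise CA role is absent, writes request.inf with the CN set to this server's FQDN, runs certreq -new, and, once the OCIS-issued file is back in C:\, runs certreq -accept and confirms that the certificate landed in the computer's Personal store joined to its private key. It goes one step beyond the page's INF by adding a Subject Alternative Name with the same FQDN, since current clients ignore the CN. Assumptions: run elevated on the domain controller; the function names, $CrtPath and the O= value are this example's own (the O= value is copied from the page's INF).

```powershell
#Requires -RunAsAdministrator

function New-LdapsCertificateRequest {
    param(
        [string]$InfPath = 'C:\request.inf',
        [string]$CsrPath = 'C:\request.csr'
    )
    # Stop if the Enterprise CA role is on this DC (see the warning at the top of
    # the page); Get-WindowsFeature is available on Windows Server.
    if ((Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
        throw 'Active Directory Certificate Services is installed on this domain controller; decommission it first.'
    }

    # The CN must be the name clients connect to, i.e. the DC's FQDN.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "C=US, O=University of Wisconsin-Madison, CN=$fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
; Subject Alternative Name carrying the same FQDN (added in this example; not in the page's INF)
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@
    Set-Content -Path $InfPath -Value $inf -Encoding Ascii
    certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Get-Content -Path $CsrPath   # this is what gets pasted into the OCIS request form
}

function Install-LdapsCertificate {
    param([Parameter(Mandatory)][string]$CrtPath)
    # certreq -accept matches the issued certificate to the pending request and
    # its private key; the PKCS#7 file also carries the intermediates.
    certreq.exe -accept $CrtPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    # A usable LDAPS certificate: in LocalMachine\My, bound to a private key, named
    # for this DC, and carrying the Server Authentication EKU.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Subject -match ('CN=' + [regex]::Escape($fqdn)) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth)
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable LDAPS certificate for $fqdn was found in LocalMachine\My" }
    $cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
}

# Step 1 on the DC: produces C:\request.csr for the OCIS form.
New-LdapsCertificateRequest
# ... submit the CSR, download the "PKCS#7 Base64 encoded" file, copy it to C:\ ...
# Step 2 on the same DC, using the page's placeholder file name:
Install-LdapsCertificate -CrtPath 'C:\<yourservername_wisc_edu>.crt'
```

If Install-LdapsCertificate reports no certificate, the usual cause is that certreq -accept was run on a different machine from certreq -new, so no private key matched; the request must be regenerated on the domain controller.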

- Installation of the server certificate enables LDAP over SSL, which can be verified with the following steps:

  • Start the Active Directory Administration Tool (Ldp.exe)
  • On the Connection menu, click Connect
  • Type the name of the domain controller to which you want to connect (the FQDN that is in the certificate, not an IP address)
  • Type 636 as the port number and, if the dialog offers an SSL check box, select it
  • Click OK; a successful connection shows the RootDSE attributes, while a certificate problem shows an "Cannot open connection" style error
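Ldp.exe only shows whether the connection succeeded. As an added example (not from the KB page), the PowerShell function below performs the same TLS handshake on port 636 and reports which certificate Schannel actually served: its subject, thumbprint, expiry, whether the name matches the domain controller, whether it carries the Server Authentication EKU, and whether the chain validates against the local trust store. This is the check to run when more than one certificate is in the store and the wrong one might be selected. Assumptions: run from any Windows host that can reach the DC; the function name, the parameter names and the sample host name in the usage line are placeholders of this example.

```powershell
function Test-LdapsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController,   # FQDN as it appears in the certificate
        [int]$Port = 636,
        [string]$ExpectedThumbprint                          # optional: thumbprint of the OCIS-issued certificate
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $tcp = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    $ssl = $null
    try {
        # Accept whatever the server presents during the handshake; the name, EKU
        # and chain checks are done explicitly below so the reason is reported.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DomainController)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Names the certificate is valid for: first DNS name (SAN, else CN) plus any SAN entries.
        $names = @($cert.GetNameInfo('DnsName', $false))
        if ($cert.DnsNameList) { $names += @($cert.DnsNameList | ForEach-Object { $_.Unicode }) }

        # The request.inf on this page asks for the Server Authentication EKU.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        # Chain building uses this host's trust store; the InCommon/Comodo chain should
        # validate without extra roots on a current Windows host.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainValid = $chain.Build($cert)

        [pscustomobject]@{
            DomainController   = $DomainController
            Protocol           = $ssl.SslProtocol
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            NameMatches        = [bool]($names -contains $DomainController)
            HasServerAuthEku   = $hasServerAuth
            ChainValid         = $chainValid
            ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            ExpectedCertServed = if ($ExpectedThumbprint) {
                                     $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '').ToUpper()
                                 } else { 'not checked' }
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (host name is a placeholder):
Test-LdapsCertificate -DomainController 'dc1.example.edu' | Format-List
```

A result with ChainValid true but NameMatches false, or a Thumbprint that differs from the certificate installed from OCIS, is the symptom described under the multiple-certificates section and points at moving the certificate into NTDS\Personal.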

More detailed steps can be found here:

Additional Steps for Domain Controllers that require the certificate in multiple locations (2012 and later)

If there are multiple valid certificates available in the local computer store, Schannel (the Microsoft SSL/TLS provider) selects the first valid certificate that it finds in the store. The LDAP bind may fail, or clients may see an unexpected certificate, if Schannel selects the wrong one.

Loading the requested server certificate into the NTDS\Personal certificate store (the certificate store of the Active Directory Domain Services service account, reached through the Certificates snap-in for service accounts) ensures that the correct server certificate is used for LDAPS: the domain controller looks in NTDS\Personal first and falls back to the local computer's Personal store only if NTDS\Personal is empty.


  • Automatic certificate enrollment (auto-enrollment) cannot be used to populate the NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store (export from the local computer's Personal store with the private key, then import) and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller, each with its own certificate
LDAP over SSL (LDAPS) Certificate (MS TechNet)

Enable LDAP over SSL with a third-party certification authority

When exporting the certificate from the local computer's Personal store:

  • When prompted, select "Yes, export the private key" (this is only possible because the request.inf set Exportable = TRUE)
  • Select the "Personal Information Exchange - PKCS #12 (.pfx)" format
  • Do not select "Include all certificates in the certificate path" or "Delete the private key if the export is successful"
  • Select "Export all extended properties"
  • Protect the .pfx with a strong password and delete it once the import into NTDS\Personal is complete, since it contains the domain controller's private key

Publish the Comodo root certificate (AddTrustedExternalCaRoot.crt) to the NTAuthCA certificate store

Enable LDAP Interface Events Debugging

The domain controller logs Event ID 2887 once every 24 hours with a summary count of clients that used clear-text simple binds or unsigned SASL binds during that period. Enabling debugging for LDAP Interface Events (level 2) logs an Event ID 2889 each time a client uses such a bind, including the client's IP address and the identity it bound as, which is what is needed to find and fix those clients before LDAPS or LDAP signing is enforced. Level 2 can be noisy on a busy domain controller; turn it back to 0 when the survey is done.

Event ID 2889 — LDAP signing
Event ID 2888 — LDAP signing

To enable diagnostic logging for LDAP Interface Events:

  • Open an elevated command prompt
  • Enter the following command
    Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
  • When prompted to overwrite, type "Y" and press ENTER

To disable the diagnostic logging for LDAP Interface Events:

  • Open an elevated command prompt
  • Enter the following command
    Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0
  • When prompted to overwrite, type "Y" and press ENTER
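The logging switch above and a parser for the resulting events, as an added PowerShell example that is not part of the KB page. The first function sets the same registry value as the "Reg Add" lines; the second turns the free-text body of one Event ID 2889 into a record with the client address and bound identity; the third pulls the last day of 2889 events from the Directory Service log and counts binds per client and identity. Assumptions: English event text, and the field labels as they appear in the 2889 message; the function names are this example's own, and the sample message at the end is constructed, not a real log entry.

```powershell
function Set-LdapInterfaceEventLevel {
    # 2 = one Event ID 2889 per offending bind; 0 = off (the page's two Reg Add lines).
    param([ValidateRange(0, 5)][int]$Level = 2)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '16 LDAP Interface Events' -Value $Level -Type DWord
}

function ConvertFrom-LdapBindEventMessage {
    # Parse the body of a 2889 event. Labels are those of the English message;
    # the trailing :port on the (IPv4) client address is stripped.
    param([Parameter(Mandatory)][string]$Message)
    $address  = if ($Message -match 'Client IP address:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $identity = if ($Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $bindType = if ($Message -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        ClientAddress = $address -replace ':\d+$', ''
        Identity      = $identity
        BindingType   = $bindType   # raw value from the event; meaning is in the linked "Event ID 2889" article
    }
}

function Get-UnsignedLdapBindSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LdapBindEventMessage -Message $_.Message } |
        Group-Object -Property ClientAddress, Identity |
        ForEach-Object {
            [pscustomobject]@{
                ClientAddress = $_.Group[0].ClientAddress
                Identity      = $_.Group[0].Identity
                Binds         = $_.Count
            }
        } | Sort-Object -Property Binds -Descending
}

# Constructed sample message (not a real log entry) so the parser can be tried offline.
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.20.30.40:51234
Identity the client attempted to authenticate as:
CAMPUS\svc-legacy-app
Binding Type:
1
"@
ConvertFrom-LdapBindEventMessage -Message $sample   # ClientAddress 10.20.30.40, Identity CAMPUS\svc-legacy-app

# On a domain controller, elevated:
#   Set-LdapInterfaceEventLevel -Level 2
#   ... wait a day ...
#   Get-UnsignedLdapBindSummary | Format-Table
#   Set-LdapInterfaceEventLevel -Level 0
```

The per-client counts are what to hand to application owners: every row is a client that will break once LDAP signing is required or clear-text LDAP on 389 is disabled, and the Identity column usually names the service account and therefore the application.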

Keywords: Campus active directory server certificate domain controller trust pki
Doc ID: 34954
Owner: Marc T.
Group: Identity and Access Management
Created: 2013-10-31 09:25 CST
Updated: 2020-09-29 11:26 CST
Sites: Identity and Access Management