This guide allows you to configure a subject alternative name (SAN) certificate for use with LDAPS (LDAP over SSL)

Download and install the latest stable OpenSSL windows executable from 

Create config file

Create or reuse req.conf file as per below with SAN names (do not include lines at top and bottom)



distinguished_name = req_distinguished_name

req_extensions = v3_req

prompt = no


C = <country initals>

ST = <state or county>

L = <city>

O = <company name>

OU = <company name>

CN = <fqdn of domain>


keyUsage = keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names


DNS.1 = servername01.internaldomain.externaldomainname

DNS.2 = servername02.internaldomain.externaldomainname

DNS.3 = servername03.internaldomain.externaldomainname

DNS.4 = servername04.internaldomain.externaldomainname


Generate CSR and Private Key

Run cmd as administrator

cd "C:\Program Files\OpenSSL-Win64\bin"

openssl req -new -out ldaps.csr -newkey rsa:2048 -nodes -sha256 -keyout ldaps.key.temp -config C:\TEMP\req.conf

This creates the CSR, private key from the req.conf file created above

Verify CSR

openssl req -noout -text -in ldaps.csr

Verify the CSR information is correct

Verify Private Key

openssl rsa -in ldaps.key.temp -check

This will verify the private key, it should return an OK

Use CSR on certificate authority to create a certificate file

Use CSR on third party certificate authority (GoDaddy/Digicert etc) with a Multiple Domain (UCC) SSL certificate or wildcard certificate that supports subdomains

Verify domain via DNS or email (DNS is creation of a TXT record in external domain name), download certificate file (.crt) and intermediate file

Combine CRT and Private Key into PFX file

openssl pkcs12 -export -in C:\TEMP\shfghdsgfh32356.crt -inkey ldaps.key.temp -out ldaps.pfx

Create an export password

Install on Domain Controllers that LDAPS will be used on

Install intermediate on each Windows Domain Controller that LDAPS is to be used on via MMC

Run > MMC > Add or Remove Snap In > Certificates > Computer Account

Install PFX in Personal > Certificates Folder (Verify private key is with certificate (Private key should not be exportable)

Verify Port 636

Verify that port 636 which is used for LDAPS communication is in a listening state

netstat -ano | findstr ":636"

Should return  

TCP               LISTENING

Now you should be able to connect securely to active directory via LDAPS using port 636