This guide shows how to create a subject alternative name (SAN) certificate with OpenSSL and install it on Windows domain controllers for LDAPS (LDAP over SSL/TLS, TCP port 636). A SAN certificate is needed because clients validate the DC host name they connect to against the SAN list, so every DC name must be present.
Download and install the latest stable OpenSSL windows executable from https://slproweb.com/products/Win32OpenSSL.html
Create config file
Create or reuse a req.conf file as below, with one DNS entry per domain controller FQDN that clients will connect to (the dashed lines at the top and bottom are not part of the file)
--------------------------------------
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <two-letter country code>
ST = <state or county>
L = <city>
O = <company name>
OU = <department or organisational unit>
CN = <fqdn of the first domain controller, which must also appear below as DNS.1>
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = servername01.internaldomain.externaldomainname
DNS.2 = servername02.internaldomain.externaldomainname
DNS.3 = servername03.internaldomain.externaldomainname
DNS.4 = servername04.internaldomain.externaldomainname
--------------------------------------
Generate CSR and Private Key
Run cmd as administrator
cd "C:\Program Files\OpenSSL-Win64\bin"
openssl req -new -out ldaps.csr -newkey rsa:2048 -nodes -sha256 -keyout ldaps.key.temp -config C:\TEMP\req.conf
This creates the CSR (ldaps.csr) and the private key (ldaps.key.temp) from the req.conf file created above. Because -nodes writes the key without a passphrase, keep it in a location only administrators can read and delete it once the PFX has been built.
Verify CSR
openssl req -noout -text -in ldaps.csr
Check that the subject, the X509v3 Subject Alternative Name entries (every DC FQDN) and the extended key usage (TLS Web Server Authentication) are correct; the CA signs what is in the CSR, so a missing SAN here means a missing SAN in the certificate
Verify Private Key
openssl rsa -in ldaps.key.temp -check
This checks the private key is consistent; it should print "RSA key ok" followed by the key
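The config, CSR and verification steps above as one script, added here as an example and not part of the original guide. It builds req.conf from a list of DC names (the placeholder names and subject values are assumptions, as is the default OpenSSL-Win64 install path), runs the same openssl req command, and then checks the CSR for every SAN and the serverAuth EKU rather than relying on reading the -text output by eye.

```powershell
# Added example (not from the original guide). Builds req.conf for a set of
# domain controllers, generates the key and CSR with OpenSSL, and verifies the
# CSR contains every SAN and the serverAuth EKU before it goes to a CA.
$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$WorkDir = 'C:\TEMP'
$DcNames = @(                                                 # placeholders, use your DC FQDNs
    'servername01.internaldomain.externaldomainname',
    'servername02.internaldomain.externaldomainname'
)
# Subject fields are placeholders; CN is the first DC, which is also DNS.1 below.
$Subject = @{ C = 'GB'; ST = 'County'; L = 'City'; O = 'Company Name'; OU = 'IT'; CN = $DcNames[0] }

$altNames = for ($i = 0; $i -lt $DcNames.Count; $i++) { "DNS.$($i + 1) = $($DcNames[$i])" }

$conf = @"
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = $($Subject.C)
ST = $($Subject.ST)
L = $($Subject.L)
O = $($Subject.O)
OU = $($Subject.OU)
CN = $($Subject.CN)
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
$($altNames -join "`n")
"@
# ASCII avoids a UTF-8 BOM, which OpenSSL's config parser would choke on.
Set-Content -Path (Join-Path $WorkDir 'req.conf') -Value $conf -Encoding ascii

$csrFile = Join-Path $WorkDir 'ldaps.csr'
$keyFile = Join-Path $WorkDir 'ldaps.key.temp'
& $OpenSsl req -new -newkey rsa:2048 -nodes -sha256 -config (Join-Path $WorkDir 'req.conf') `
    -keyout $keyFile -out $csrFile
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# Parse the CSR text: every DC must be present as a DNS SAN, and the EKU must be serverAuth.
$csrText = (& $OpenSsl req -noout -text -in $csrFile) -join "`n"
$missing = $DcNames | Where-Object { $csrText -notmatch "DNS:$([regex]::Escape($_))" }
if ($missing) { throw "CSR is missing SAN entries: $($missing -join ', ')" }
if ($csrText -notmatch 'TLS Web Server Authentication') { throw 'CSR lacks the serverAuth EKU' }

# The key is unencrypted (-nodes); restrict it to Administrators and SYSTEM while it sits on disk.
& $OpenSsl rsa -in $keyFile -check -noout
if ($LASTEXITCODE -ne 0) { throw 'private key check failed' }
icacls $keyFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
Write-Host "CSR ready for the CA: $csrFile"
```

Run it from an elevated PowerShell on the admin workstation where OpenSSL is installed. Adding a DC later means adding its name to $DcNames and requesting a new certificate; a SAN list cannot be extended after issuance.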
Use CSR on certificate authority to create a certificate file
Submit the CSR to a third-party certificate authority (GoDaddy, DigiCert etc) as a Multiple Domain (UCC/SAN) SSL certificate, or as a wildcard certificate whose wildcard label covers the DC subdomain (a wildcard matches a single label only, so *.internaldomain.externaldomainname covers servername01.internaldomain.externaldomainname but not a deeper name). A public CA will only issue for names under a domain you control, which is why the DC names sit under the registered external domain name.
Complete domain validation via DNS or email (DNS validation is a TXT record created in the public zone of the external domain name), then download the certificate file (.crt) and the intermediate certificate file
Combine CRT and Private Key into PFX file
openssl pkcs12 -export -in C:\TEMP\shfghdsgfh32356.crt -inkey ldaps.key.temp -out ldaps.pfx
Enter an export password when prompted; it protects the private key inside the PFX, so use a strong one and keep it only until the PFX has been imported. The intermediate certificate can also be bundled into the same PFX so that each DC receives the full chain in one file. If a DC cannot read the PFX, note that OpenSSL 3 defaults to AES-256 with PBKDF2 for PKCS#12, which older Windows versions cannot parse; re-export with the -legacy option in that case.
Install on Domain Controllers that LDAPS will be used on
Install the intermediate certificate on each Windows Domain Controller that will serve LDAPS, using the Certificates MMC snap-in for the computer account: the intermediate goes into Intermediate Certification Authorities (the public root is normally already present in Trusted Root Certification Authorities)
Run > MMC > Add or Remove Snap-in > Certificates > Computer Account
Import the PFX into Personal > Certificates. Leave "Mark this key as exportable" unticked so the private key cannot be exported from the DC, and after import confirm the certificate shows "You have a private key that corresponds to this certificate". AD DS picks up the new certificate automatically; if port 636 does not start listening, restart the domain controller
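The PFX creation and installation steps as a script for one DC, added here as an example and not part of the original guide. It adds the checks the MMC steps leave implicit: that the CA's certificate actually matches ldaps.key.temp, that the imported certificate has a non-exportable private key, carries the Server Authentication EKU and this DC's FQDN in its SANs, and that the chain builds. The file names (ldaps.crt, intermediate.crt as a single PEM certificate) and the OpenSSL path are assumptions.

```powershell
# Added example (not from the original guide). Verifies the issued certificate
# against the private key, bundles certificate + intermediate + key into a PFX,
# imports it on this DC with a non-exportable key, and validates the result.
$OpenSsl   = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$WorkDir   = 'C:\TEMP'
$CertFile  = Join-Path $WorkDir 'ldaps.crt'          # assumed name of the leaf certificate from the CA
$ChainFile = Join-Path $WorkDir 'intermediate.crt'   # assumed name of the CA intermediate (one PEM cert)
$KeyFile   = Join-Path $WorkDir 'ldaps.key.temp'
$PfxFile   = Join-Path $WorkDir 'ldaps.pfx'

# 1. The certificate must have been issued for this key: compare the RSA moduli.
$certMod = & $OpenSsl x509 -noout -modulus -in $CertFile
$keyMod  = & $OpenSsl rsa  -noout -modulus -in $KeyFile
if ($certMod -ne $keyMod) { throw 'ldaps.crt was not issued for ldaps.key.temp' }

# 2. Build the PFX. The export password is read interactively and passed to OpenSSL
#    through an environment variable so it never appears on a command line.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$env:PFX_PASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& $OpenSsl pkcs12 -export -in $CertFile -inkey $KeyFile -certfile $ChainFile `
    -out $PfxFile -passout env:PFX_PASS
$pkcs12Exit = $LASTEXITCODE
Remove-Item Env:\PFX_PASS
if ($pkcs12Exit -ne 0) { throw 'openssl pkcs12 failed' }

# 3. Install: intermediate into Intermediate Certification Authorities, PFX into Personal.
#    Import-PfxCertificate keeps the key non-exportable unless -Exportable is given.
Import-Certificate -FilePath $ChainFile -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
$cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword

# 4. Verify what landed in the store before trusting it to serve LDAPS.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
$fqdn = [Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (@($cert.DnsNameList.Unicode) -notcontains $fqdn) {
    throw "Certificate SANs do not include this DC ($fqdn)"
}
if (@($cert.EnhancedKeyUsageList.ObjectId) -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU'
}
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw "Chain does not build: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
}
Write-Host "Installed $($cert.Thumbprint) for $($cert.DnsNameList.Unicode -join ', ')"

# 5. The unencrypted key file has done its job; remove it from disk.
Remove-Item $KeyFile
```

Run it elevated on the DC. The PFX still contains the private key, so copy it to each DC over an authenticated channel and delete the copies once imported; the non-exportable flag only applies after import.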
Verify Port 636
Verify that port 636 which is used for LDAPS communication is in a listening state
netstat -ano | findstr ":636"
Should return a line like the following, where the PID in the last column belongs to lsass.exe (the process that hosts AD DS)
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING <PID>
A listening port 636 only shows that the DC loaded a server certificate. To confirm it is the right one, connect with a TLS client such as ldp.exe (Connect with SSL ticked) or openssl s_client -connect <dc fqdn>:636 from another host and check the presented chain and SAN list. Global catalog servers also expose LDAPS on TCP 3269. Once those checks pass you can connect securely to Active Directory via LDAPS on port 636
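A verification script that goes beyond the netstat check, added here as an example and not part of the original guide. It confirms that lsass.exe owns the 636 listener, then performs a real TLS handshake against 636 and 3269 the way a client would, reporting the certificate the DC presents, whether its SANs cover the name used, and whether Windows' own chain validation would reject it. The DC name is a placeholder; Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example (not from the original guide). Checks the LDAPS listener and
# performs a TLS handshake so the presented certificate can be inspected.
$DcFqdn = 'servername01.internaldomain.externaldomainname'   # placeholder, set to the DC under test

function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)
    $script:policyErrors = [Net.Security.SslPolicyErrors]::None
    # Let the handshake complete whatever the validation result, but record that result.
    $callback = [Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sans = @($cert.DnsNameList.Unicode)
        [pscustomobject]@{
            Server       = $Server
            Port         = $Port
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SANs         = $sans -join ', '
            NameMatches  = $sans -contains $Server
            PolicyErrors = $script:policyErrors
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# 1. Listener check (meaningful when run on the DC itself): 636 must be owned by lsass.exe.
$listener = Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $owner = (Get-Process -Id $listener.OwningProcess).ProcessName
    Write-Host "TCP 636 is listening, owned by $owner (PID $($listener.OwningProcess))"
} else {
    Write-Warning 'Nothing is listening on TCP 636 on this host'
}

# 2. Handshake check against 636 (LDAPS) and 3269 (global catalog over SSL, GC servers only).
foreach ($port in 636, 3269) {
    try {
        $r = Test-LdapsEndpoint -Server $DcFqdn -Port $port
        $r | Format-List | Out-String | Write-Host
        if ($r.PolicyErrors -ne [Net.Security.SslPolicyErrors]::None) {
            Write-Warning "${DcFqdn}:$port certificate would be rejected by clients: $($r.PolicyErrors)"
        } elseif (-not $r.NameMatches) {
            Write-Warning "${DcFqdn}:$port certificate SANs do not include $DcFqdn"
        } else {
            Write-Host "${DcFqdn}:$port OK, trusted certificate covering $DcFqdn"
        }
    } catch {
        Write-Warning "${DcFqdn}:$port handshake failed: $($_.Exception.Message)"
    }
}
```

Run it from a domain-joined client as well as on the DC: a chain that builds on the DC (where the intermediate was just installed) can still fail on clients that lack the intermediate if Schannel sends only the leaf, which is exactly what PolicyErrors will show.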