Windows: Creating a Domain Authentication certificate (Mini version)

Creating a Domain Authentication certificate.

Here are the steps for creating a server certificate that allows LDAPS communication from any server to a domain controller.

1. Connect to the domain controller.
2. Create a file called request.inf.
3. Copy and paste the information below into it:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domainname.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE ; allows the private key to be exported from the DC
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; This is for Server Authentication

4. From a command prompt with administrator privileges, run: certreq -new request.inf request.req
This creates your certificate request.
5. Go to your certificate server's web enrollment interface: http://servername/certsrv
6. Click Request a certificate
7. Click advanced certificate request
8. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal by using a base-64-encoded PKCS#7 file."
9. Fill out the form as follows:

Request text box: paste the contents of the request.req file.

Certificate Template: Domain Controller Authentication

10. Click Submit

11. Download the DER and/or Base 64 encoded certificate.

You are now ready to install the certificate into your server.
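Before running certreq, it is worth checking the INF for the settings the procedure above depends on, since a missing quote or a wrong OID only shows up as a rejected or unusable certificate later. The following linter is an added example (not part of the original post); it checks a constructed copy of the request.inf with a made-up DC name and flags Exportable=TRUE as a risk, because the LDAPS private key normally has no reason to leave the domain controller.

```python
"""Lint a certreq request.inf before running certreq -new (added example,
not part of the original post). Checks the settings the post relies on and
flags Exportable=TRUE, which lets the DC's LDAPS private key be copied off."""
import configparser
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
KU_DIGITAL_SIGNATURE = 0x80   # KeyUsage bit for digitalSignature
KU_KEY_ENCIPHERMENT = 0x20    # KeyUsage bit for keyEncipherment

# Constructed sample: the post's request.inf with a made-up DC FQDN filled in.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.corp.example.local" ; replace with the FQDN of the DC
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; This is for Server Authentication
"""

def lint_request_inf(text):
    """Return a list of problem strings; an empty list means the INF is sound."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key names exactly as written in the INF
    cp.read_string(text)
    problems = []
    if cp.get("Version", "Signature", fallback="") != '"$Windows NT$"':
        problems.append('Signature must be "$Windows NT$" with both quotes')
    subject = cp.get("NewRequest", "Subject", fallback="").strip('"')
    if not re.fullmatch(r"CN=[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", subject):
        problems.append("Subject must be CN=<FQDN of the DC>")
    if cp.getint("NewRequest", "KeyLength", fallback=0) < 2048:
        problems.append("KeyLength below 2048 bits")
    needed = KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT
    if int(cp.get("NewRequest", "KeyUsage", fallback="0"), 16) & needed != needed:
        problems.append("KeyUsage lacks digitalSignature and/or keyEncipherment")
    if cp.get("EnhancedKeyUsageExtension", "OID", fallback="") != SERVER_AUTH_OID:
        problems.append("EKU OID must be Server Authentication " + SERVER_AUTH_OID)
    if cp.get("NewRequest", "Exportable", fallback="FALSE").upper() == "TRUE":
        problems.append("Exportable=TRUE: private key can leave the DC; use FALSE unless required")
    return problems
```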


Posted July 29, 2015 by Timothy Conrad in category "Windows".
