Subject: Generate certificate and CA root by makecert.exe
Author: eLDAP
In response to: How to enable SSL on an ADLDS instance running on Windows 7
Posted on: 11/10/2012 07:36:51 PM
Step 1: Download Windows SDK for Windows 7
Here is the link: http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx
With the SDK installed, go to Start -> All Programs -> Microsoft Windows SDK v7.1 -> Windows SDK v7.1 Command Prompt. This will open a command prompt with all of the necessary path variables set. For an x64 machine, go to the folder: C:\Program Files\Microsoft SDKs\Windows\v7.1\bin\x64
Step 2: Generate a CA root certificate
makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine ^
    -a sha1 -sky signature -r "c:\tmp\Test and Dev Root Authority.cer"
This will create a root authority certificate, which you can use to sign new certificates.
Step 3: Generate a CA-issued/signed certificate
makecert -pe -n "CN=ADLDS-TEST-MACHINE" -ss my -sr LocalMachine -a sha1 -sky exchange ^
    -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY ^
    -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" ^
    -sy 12 "c:\tmp\Test and Dev SSL.cer"
Note:
The private keys of the above certificates are stored under the directory C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
The public certificates are exported to the above .cer files (which contain no private key).
You must log in as administrator to run makecert.exe; otherwise, saving the private key into the store will fail.
Now both of these certificates, including their private keys, have been created and installed in the local machine's certificate store. You can confirm this in mmc under
Certificates (Local Computer) ->
Personal ->
Certificates; you should see both certificates there.
That's it. You now have a server certificate that can be used for SSL with a trusted root authority.
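As an added check that is not part of the original post, the PowerShell script below verifies what the three makecert commands above should have produced (both certificates in LocalMachine\My, a usable private key on the server certificate, the Server Authentication EKU, the SChannel provider binding, and a chain that builds to the root), then performs a TLS handshake against the ADLDS SSL port and reports which certificate the instance actually presents. It assumes the subject names used in the post, that the ADLDS instance listens for SSL on port 636 on the local machine, and that it is run elevated; change the parameters if your setup differs. Note that makecert put the root certificate only in the Personal store, so the chain check reports UntrustedRoot until the root .cer is also imported into Trusted Root Certification Authorities (the script prints the certutil command for that).

```powershell
# Added example, not from the original post. Assumptions: subject names from the post,
# ADLDS SSL port 636 on localhost, script run from an elevated PowerShell (needed to
# read the machine private key). Works on the Windows 7 / PowerShell 2.0 baseline.
param(
    [string]$RootName   = "Test and Dev Root Authority",
    [string]$ServerName = "ADLDS-TEST-MACHINE",
    [string]$LdapHost   = "localhost",
    [int]$Port          = 636
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU used with -eku above

# Both certificates land in LocalMachine\My (-ss my -sr LocalMachine)
$my   = Get-ChildItem Cert:\LocalMachine\My
$root = $my | Where-Object { $_.Subject -eq "CN=$RootName" }
$srv  = $my | Where-Object { $_.Subject -eq "CN=$ServerName" }
if (-not $root) { throw "Root certificate 'CN=$RootName' not found in LocalMachine\My" }
if (-not $srv)  { throw "Server certificate 'CN=$ServerName' not found in LocalMachine\My" }

# What SChannel actually needs: a private key it can use, and the Server Authentication EKU
if (-not $srv.HasPrivateKey) { throw "Server certificate has no private key (makecert must run elevated; see -pe)" }
$eku = $srv.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth) { throw "Server certificate lacks the Server Authentication EKU ($serverAuthOid)" }

# -sp/-sy bind the key to the RSA SChannel provider (type 12); confirm the key is a machine key there
$csp = $srv.PrivateKey.CspKeyContainerInfo
"Private key provider: {0} (type {1}), machine key store: {2}" -f $csp.ProviderName, $csp.ProviderType, $csp.MachineKeyStore

# Chain check. makecert only placed the root in the Personal store, so this fails with
# UntrustedRoot until the exported root .cer is imported into LocalMachine\Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # the test CA publishes no CRL
if ($chain.Build($srv)) {
    "Chain builds: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join " <- ")
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
    "To trust the root on this machine: certutil -addstore Root ""c:\tmp\$RootName.cer"""
}

# TLS handshake against the ADLDS SSL port; report what the instance really presents.
# The callback accepts everything so we can inspect the certificate; a real LDAP client
# must return $false when $errors is not None.
$client = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, {
    param($sender, $cert, $chainObj, $errors)
    if ($errors -ne "None") { Write-Warning "Client-side validation errors: $errors" }
    $true
})
try {
    # Target name is the certificate CN, so a name mismatch is reported only if ADLDS serves a different cert
    $ssl.AuthenticateAsClient($ServerName)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "ADLDS presented: {0}, thumbprint {1}, issuer {2}" -f $presented.Subject, $presented.Thumbprint, $presented.Issuer
    if ($presented.Thumbprint -ne $srv.Thumbprint) { Write-Warning "ADLDS is not serving the makecert certificate" }
} finally {
    $ssl.Close(); $client.Close()
}
```

If the handshake fails outright, ADLDS has not picked up a certificate at all: it reads from the Local Computer Personal store (or the service account's store), so check that the instance was restarted after the certificates were created.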
> On 11/10/2012 07:30:47 PM eLDAP wrote:
> Why does the damn SSL matter? It is required by ADLDS/ADAM for certain scenarios, for example when you want to change the password over LDAP, such as with Ldp.exe or Ldifde.exe.
> First of all, you need a server certificate for ADLDS to run on the SSL port. That is, the certificate must be marked for Server Authentication in its Intended Purposes.
> There are basically two types of certificate: self-signed and CA-issued. There are various utilities to generate a certificate, like selfssl.exe or certreq.exe, but all of them require server infrastructure like IIS, a Domain Controller, or a Certificate Authority. For a standalone ADLDS instance running on an isolated computer, you can get the certificate and the CA all done with makecert.exe.
> Note: The SSL requirement can be relaxed, though, by following the link: How to disable SSL secure connection requirement for password operation