RSS

How to add a Subject Alternative Name to a secure LDAP certificate

18 Jan
Summary:
This article describes how to add a Subject Alternative Name (SAN) to a secure Lightweight Directory Access Protocol (LDAP) certificate. The LDAP certificate is submitted to a certification authority (CA) that is configured on a Microsoft Windows Server 2003-based computer. The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name. This article includes information about how to add SAN attributes to a certification request that is submitted to an enterprise CA, a stand-alone CA, or a third-party CA.

INTRODUCTION 

This article describes how to add a SAN attribute to a secure LDAP certificate….

This article describes how to add a SAN attribute to a secure LDAP certificate. This article also discusses how to do the following: 

  • Configure a CA to accept a SAN attribute from a certificate request.
  • Create and submit a certificate request to an enterprise CA.
  • Create and submit a certificate request to a stand-alone CA.
  • Create a certificate request by using the Certreq.exe tool.
  • Create and submit a certificate request to a third-party CA.

MORE INFORMATION 

How to configure a CA to accept a SAN attribute from a certificate request By d…

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

How to create and submit a certificate request

When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service. The Version 1 Web Server template can be used to request a certificate that will support LDAP over the Secure Sockets Layer (SSL). Version 2 templates can be configured to retrieve the SAN either from the certificate request or from Active Directory. To issue certificates that are based on Version 2 templates, the enterprise CA must be running on a Windows Server 2003, Enterprise Edition-based computer.

When you submit a request to a stand-alone CA, certificate templates are not used. Therefore, the SAN must always be included in the certificate request. SAN attributes can be added to a request that is created by using the Certreq.exe program. Or, SAN attributes can be included in requests that are submitted by using the Web enrollment pages.

How to use Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer.
  2. In Internet Explorer, connect to http://servername/certsrv.Note servername is the name of the Web server that is running Windows Server 2003 and that has the CA that you want to access.
  3. Click Request a Certificate.
  4. Click Advanced certificate request.
  5. Click Create and submit a request to this CA.
  6. In the Certificate Template list, click Web Server.Note The CA must be configured to issue Web Server certificates. You may have to add the Web Server template to the Certificate Templates folder in the Certification Authority snap-in if the CA is not already configured to issue Web Server certificates.
  7. Provide identifying information as required.
  8. In the Name box, type the fully qualified domain name of the domain controller.
  9. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store
  10. Under Advanced Options, set the request format to CMC.
  11. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]

    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both of these names must be included in the SAN attributes. The resulting attribute string appears as follows:

    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  12. Click Submit.
  13. If you see the Certificate Issued Web page, click Install this Certificate.

How to use Web enrollment pages to submit a certificate request to a stand-alone CA

To submit a certificate request that includes a SAN to a stand-alone CA, follow these steps:

  1. Open Internet Explorer.
  2. In Internet Explorer, connect to http://servername/certsrv.Note servername is the name of the Web server that is running Windows Server 2003 and that has the CA that you want to access.
  3. Click Request a Certificate.
  4. Click Advanced certificate request.
  5. Click Create and submit a request to this CA.
  6. Provide identifying information as required.
  7. In the Name box, type the fully qualified domain name of the domain controller.
  8. In the Type of Certificate Needed Server list, click Server Authentication Certificate.
  9. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store
  10. Under Advanced Options, set the request format as CMC.
  11. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]

    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both of these names must be included in the SAN attributes. The resulting attribute string appears as follows:

    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  12. Click Submit.
  13. If the CA is not configured to issue certificates automatically, a Certificate Pending Web page appears and requests that you wait for an administrator to issue the certificate that was requested.To retrieve a certificate that an administrator has issued, connect to http://servername/certsrv, and then click Check on a Pending Certificate. Click the requested certificate, and then click Next.If the certificate has been issued, the Certificate Issued Web page appears. Click Install this Certificate to install the certificate.

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

To use the Certreq.exe utility to create and submit a certificate request, follow these steps:

  1. Create an .inf file that specifies the settings for the certificate request. You can use the following sample code to create an .inf file.
    [Version] 
    
    Signature="$Windows NT$ 
    
    [NewRequest]
    Subject = "CN=corpdc1.fabrikam.com" ; must be the FQDN of domain controller
    EncipherOnly = FALSE
    Exportable = FALSE  ; TRUE = Private key is exportable
    KeyLength = 1024    ; Common key sizes: 512, 1024, 2048,
    			  ;    4096, 8192, 16384
    KeySpec = 1             ; Key Exchange
    KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC
    
    ; Omit entire section if CA is an enterprise CA
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    
    [RequestAttributes]
    CertificateTemplate = WebServer ;Omit  line if CA is a stand-alone CA
    SAN="dns=corpdc1.fabrikam.com&dns=.fabrikam.com&dns=ldap.fabrikam.com"
  2. Save the file as Request.inf.
  3. Open a command prompt.
  4. At the command prompt, type the following command, and then press ENTER:
    certreq -new request.inf certnew.req

    This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

  5. At the command prompt, type the following command, and then press ENTER:
    certreq -submit certnew.req certnew.cer

    This command submits the certificate request to the CA. If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

    The -config switch uses the following format to refer to a specific CA:

    computername\Certification Authority Name

    For example, assume that the CA name is Corporate Policy CA1 and that the domain name is corpca1.fabrikam.com. To use the certreq command together with the –config switch to specify this CA, type the following command:

    certreq -submit -config “corpca1.fabrikam.com\Corporate Policy CA1” certnew.req certnew.cer

    If this CA is an enterprise CA and if the user who submits the certificate request has Read and Enroll permissions for the template, the request is submitted. The issued certificate is saved in the Certnew.cer file. If the CA is a stand-alone CA, the certificate request will be in a pending state until it is approved by the CA administrator. The output from the certreq -submit command contains the Request ID number of the submitted request. As soon as the certificate has been approved, it can be retrieved by using the Request ID number.

  6. Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:
    certreq -retrieve RequestID certnew.cer

    You can also use the -config switch here to retrieve the certificate request from a specific CA. If the -config switch is not used, you are prompted to select the CA from which to retrieve the certificate.

  7. At the command prompt, type the following command, and then press ENTER:
    certreq -accept certnew.cer

    After you retrieve the certificate, you must install it. This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in step 4.

How to submit a certificate request to a third-party CA

If you want to submit a certificate request to a third-party CA, first use the Certreq.exe tool to create the certificate request file. You can then submit the request to the third-party CA by using whatever method is appropriate for that vendor. The third-party must be able to process certificate requests in the CMC format.

Note Most vendors refer to the certificate request as a Certificate Signing Request (CSR).

REFERENCES 

For more information about how to enable LDAP over SSL together with a third-pa…

For more information about how to enable LDAP over SSL together with a third-party certification authority, click the following article number to view the article in the Microsoft Knowledge Base:

321051 (http://support.microsoft.com/kb/321051/ ) How to enable LDAP over SSL with a third-party certification authority
Advertisements
 
2 Comments

Posted by on January 18, 2011 in Active Directory, Certificate Server

 

2 responses to “How to add a Subject Alternative Name to a secure LDAP certificate

  1. Bonaguida,Li

    January 30, 2013 at 12:45 am

    I wanted to send you one very small remark to help say thank you again
    for your personal splendid tips you have provided on this website.
    This has been shockingly open-handed of people like you to convey unhampered precisely what
    many individuals might have offered for sale as an electronic book to
    help make some profit on their own, even more so given that you might have done it in the event you desired.
    These basics in addition served like the easy way to fully grasp that some people have similar desire much like my
    own to understand much more with regards to this problem.
    I am certain there are several more pleasant periods ahead for people who scan
    through your website.

     
  2. Vilma

    May 15, 2013 at 8:08 pm

    Highly descriptive post, I enjoyed that bit. Will
    there be a part 2?

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

 
%d bloggers like this: