Monday, November 19, 2012

Enabling LDAP SSL in Windows 2012 (Self-Signed Certificates)

As expected in the world of Microsoft Windows Server 2012 and Active Directory, the interface and methods of managing certain functions changed.  One thing in particular that I often have to do as a result of interfacing with AD through LDAP is to enable a Certificate Authority role in the AD environment so that we can connect to and manage objects through LDAP via SSL.

Although this is not any more complicated than in Windows Server 2008, it just appears differently due to managing everything through Server Administrator, the new built-in utility to manage all aspects of Windows Server 2012.  Fortunately, I took the time to capture screenshots and document the process of enabling a Certificate Authority on a DC, which I have outlined below.  Please note that in order for DCs to receive certificates, they will most likely need to be rebooted.

1.  Log on to the server that you intend to add the CA role to (in my case this was a DC).
2.  Launch the Server Administrator tool (if it did not launch automatically) to get to the dashboard.

3.  In Server Administrator, select ADD ROLES AND FEATURES from the MANAGE menu.  You will be prompted with a dialog box to confirm that you want to add roles through the wizard.  Click NEXT.

4.  You will be prompted to select the installation type.  Choose ROLE BASED OR FEATURE BASED INSTALLATION.  Click NEXT.

5.  You will be prompted to select the server to install the role on.  Select the server in the selection list and then click NEXT.

6.  Select the ROLE that you want to install.  In this case, select CERTIFICATE SERVICES and click NEXT.

7.  You will see a dialog box prompting you for additional features.  Click NEXT.

8.  Next, you will receive a notification that after installing Certificate Services, the domain and server cannot be modified.  Click NEXT.

9.  You will be prompted to select the specific Role Services within the Certificate Services role that you want to enable.  Leave CERTIFICATION AUTHORITY checked and click NEXT.

10.  Next you will be asked about restarting the server if it is required after install.  Make your selection and click NEXT.

11.  After clicking NEXT, the installation of the role will begin.

12.  Once the installation has finished, a new role block will appear in the server administrator dashboard.  Click NEXT to continue.

13.  After completing PART 1, you will be returned to a completion screen showing that the Certificate Services role has been installed successfully.  Click on CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES ON DESTINATION SERVER.

14.  Verify that you are using the proper credentials to configure the Certificate Services role; if not, change to the proper account.  Click NEXT.

15.  Again, select the specific function of Certificate Services to configure.  Leave Certification Authority selected and click NEXT.

16.  Specify the Setup Type for the Certification Authority - choose ENTERPRISE CA and click NEXT.

17.  Next, specify the Type of CA.  Select ROOT CA and click NEXT.

18.  Next, specify the private key to be created.  Select NEW PRIVATE KEY and click NEXT.

19.  Next, leave the cryptography as it is and click NEXT.

20.  Next, specify the Certificate Name.  I recommend leaving it as default, as it names it based on the domain and server name that you are installing the CA on.  Click NEXT.

21.  Specify the Validity Period.  The default is 5 years; I recommend 25 years to ensure that you will not have to recertify for quite a while.

22.  Next you will need to specify where to store the certification database.  Again, I recommend leaving the default settings, and click NEXT.

23.  Verify your configuration settings, and click CONFIGURE.

24.  The configuration will run (should only take a few seconds), and then a confirmation message indicating that the Certificate Services installation SUCCEEDED should appear.  Click CLOSE.

25.  You will be returned to the Roles and Features installation wizard.  Click CLOSE.

26.  Reboot the server in order for it to receive a certificate from the CA.

27.  Test connecting to the server via an LDAP Browser tool, such as Apache Directory Studio.  Connect using LDAPS and port 636.  If you can browse the tree, then the LDAP SSL installation was successful.
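The same procedure as a script, for anyone who would rather not click through the wizard: an added example, not from the original post. It installs the role (steps 3-12), configures an Enterprise Root CA with a new key (steps 13-24), checks that the DC's machine store holds a certificate usable for LDAPS (step 26), and then binds over port 636 and reads rootDSE (step 27) while verifying the server certificate chain rather than accepting any certificate. `$DcName` is a constructed placeholder; `Test-LdapsBind` is a helper written here. One deliberate deviation from "leave the cryptography as it is": the script names SHA256 explicitly, since the wizard default on 2012 may be SHA1.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script). Placeholder values are marked below.

$DcName        = "dc01.corp.example"   # constructed placeholder: FQDN of the DC you installed the CA on
$ValidityYears = 5                     # wizard default (step 21); the post recommends 25

# Steps 3-12: add the AD CS role with only the Certification Authority role service.
Import-Module ServerManager
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 13-24: Enterprise Root CA, new private key, default CA name and database paths.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits $ValidityYears `
    -Force

# Step 26: the DC needs a certificate with the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
# and a private key before LDAPS will answer. Autoenrollment normally delivers one after a
# reboot; 'certutil -pulse' triggers an autoenrollment pass without rebooting.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) }
if (-not $dcCert) {
    Write-Warning "No Server Authentication certificate in the machine store yet. Reboot (or run 'certutil -pulse') and re-check."
}

# Step 27: LDAPS bind on 636 that validates the server certificate chain, then reads rootDSE.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param([Parameter(Mandatory)][string]$Server)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true

    # Build the chain ourselves; a domain member trusts the Enterprise CA via AD-published roots,
    # so a failure here means the DC presented a certificate you should not accept.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $ok    = $chain.Build($cert)
        if (-not $ok) {
            Write-Warning ("Untrusted LDAPS certificate from ${Server}: " +
                (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "))
        }
        return $ok
    }

    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # throws LdapException if the TLS handshake or authentication fails

    # rootDSE read (null base DN, base scope) is the script equivalent of "can you browse the tree".
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $null, "(objectClass=*)",
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                "defaultNamingContext")
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    return $resp.Entries[0].Attributes["defaultNamingContext"][0]
}

# Prints the domain's default naming context (e.g. DC=corp,DC=example) when LDAPS works end to end.
Test-LdapsBind -Server $DcName
```

Run the first two blocks on the DC itself; `Test-LdapsBind` can be run from any domain-joined machine, which is the more useful check because it also proves that clients trust the new root. The chain check is the part Apache Directory Studio's "accept certificate" prompt hides: if `Build` fails, the DC is serving a certificate the client cannot validate, and the fix is on the CA or enrollment side, not in the client's trust prompt.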