Thanks Guy. That is a really helpful blog.

After a little fuss I was able to get the cert to recognize and honor the
Subject Alternative Name using your steps. Do you know if these same steps
will work against a third party CA? In any case I plan on trying it out on
a third party CA tomorrow. I'll let you know how it goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Teverovsky
Sent: Monday, May 09, 2005 8:56 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAPS question

It turned out to be a bit more complicated than I thought… I made some notes
over here:
http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the
cert installs fine and in theory has all the requirements…

If you want to automate the process, you will probably want to tweak
reqdccert.vbs to generate a valid “Subject” in the [NewRequest] section. At
least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph

Thanks Guy,

I've spent about 12 hours trying to write a script that will include the
Subject Alternative Name in the CSR. I found the ICEnroll COM interface on
MSDN and am using it to generate my request. The request works fine; however,
the Subject Alternative Name never seems to take when I request the cert.

Here's what I added to my script:

    Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem
to take. Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

You will need to issue new certificates to the DCs with the ldap.company.net
in the Subject Alternative Name section. The certificate requirements for DCs
are specified in the following KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you
are using MS CA. The key point is that the certificate cannot be issued to an
alias (ldap.company.com) in the Subject field – the alias should be part of
the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph

We currently provide LDAPS to our customers. Right now the certificates that
we load on our DC use the DC name and the clients connect using that name.
We'd like to set up a DNS alias like: ldap.company.net. I tried generating a
cert named ldap.company.net and loaded it on a DC; however, the clients were
unable to connect. Does anyone know if MS has a restriction that will not
allow a cert to be loaded for LDAPS if the name on the cert is not the same
as the DC?

Thanks
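One thing worth checking when a Subject Alternative Name "does not take": the value of an X.509 subjectAltName extension (OID 2.5.29.17) is the DER encoding of a GeneralNames SEQUENCE, in which a host name is a dNSName entry, not a bare host name string. The Python below is an added example (not from this thread, and not Microsoft's ICEnroll code) that builds that DER value for the alias plus a constructed DC name, dc1.company.net, and parses it back; whether ICEnroll wants the value as raw DER or as base64 text is an assumption not settled here, so san_base64 is provided only for the text form.

```python
"""Build and parse the DER value of an X.509 subjectAltName (2.5.29.17)
extension carrying dNSName entries (RFC 5280 GeneralNames syntax)."""
import base64

DNS_NAME_TAG = 0x82   # [2] IMPLICIT IA5String: the dNSName CHOICE of GeneralName
SEQUENCE_TAG = 0x30


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names):
    """Return the DER GeneralNames SEQUENCE holding the given host names."""
    inner = b""
    for name in dns_names:
        ia5 = name.encode("ascii")          # IA5String permits ASCII only
        inner += bytes([DNS_NAME_TAG]) + der_length(len(ia5)) + ia5
    return bytes([SEQUENCE_TAG]) + der_length(len(inner)) + inner


def _read_tlv(buf, pos):
    """Parse one tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_san(der):
    """Return the dNSName entries of a DER GeneralNames value; raise
    ValueError if the bytes are not a GeneralNames SEQUENCE at all."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == DNS_NAME_TAG:
            names.append(value.decode("ascii"))
        # other choices (e.g. the otherName carrying a DC GUID) are skipped
    return names


def san_base64(dns_names):
    """Base64 text form of the encoded value (assumed useful for text APIs)."""
    return base64.b64encode(encode_san(dns_names)).decode("ascii")


if __name__ == "__main__":
    value = encode_san(["dc1.company.net", "ldap.company.net"])  # constructed DC name
    print(value.hex(), decode_san(value))
```

Feeding the plain string from the original call into decode_san raises ValueError, which is the quickest way to see why a bare host name is not an extension value.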
Title: LDAPS question