Re: External CA / LDAPS




I think there are a few kbase articles that show how to configure things.
Since you'll be procuring the certs yourself and not using MS CA, from the
DC standpoint, you are really just procuring them correctly and installing
them. The main thing is that the DNS name on the cert must match the DNS
name of the DC. Apps must then use the DNS name of the server.

It is important to make sure the trust chain is configured correctly, so you
need all the intermediate and trusted root certs installed in the right
containers as well. If you get your certs from a well known Windows trusted
root, this should be easy.

The other thing you need to watch out for when you have external certs is
that they expire and will not get renewed automatically. Our organization
has MOM monitoring this and sends an alert when we are down to 1 month.

I also wrote a tool in .NET 2.0 that can examine all your DCs and tell you
when the certs are expiring. It is just a sample, but it might be helpful:

http://www.joekaplan.net/Example1ForSDSPSSLCertificates.aspx

Joe K.



--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Geoff" <nigeltufnel123@xxxxxxxxx> wrote in message
news:eI4U19$1GHA.2176@xxxxxxxxxxxxxxxxxxxxxxx
Can someone point me to a good document for configuring an External CA (ie:
VeriSign, etc...) to provide LDAP over SSL (LDAPS) with AD (2003 native
forest and domain)?

Thanks !
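The three checks Joe's reply calls out (the cert's DNS name must match the DC's name, the chain must validate against the installed intermediate and root certs, and external certs must be watched for expiry) as an added example in Python. This is not Joe Kaplan's .NET tool and not code from the thread; the hostnames, dates and the sample certificate dictionary are constructed for illustration, in the same shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Assess a domain controller's LDAPS certificate: DNS name match, chain
validation, and days until expiry. Added example; the sample cert below is
constructed, not taken from any real DC."""
import math
import socket
import ssl
import sys
import time

LDAPS_PORT = 636

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "dc01.corp.example.com"),
                       ("DNS", "corp.example.com")),
}


def cert_dns_names(cert):
    """DNS names the cert is valid for: every dNSName in subjectAltName,
    falling back to the subject CN only when the SAN carries no DNS entry."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the DC's DNS name appears in the certificate's DNS names."""
    return any(name_matches(p, hostname) for p in cert_dns_names(cert))


def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, default current time) to notAfter;
    negative once the certificate has expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return math.floor((not_after - now) / 86400)


def assess(cert, hostname, now=None, warn_days=30):
    """Return a list of problems; empty means the cert passes both checks."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"DNS name {hostname} not in certificate names "
                        f"{cert_dns_names(cert)}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"certificate expired {-days} days ago")
    elif days < warn_days:
        problems.append(f"certificate expires in {days} days")
    return problems


def fetch_ldaps_cert(hostname, port=LDAPS_PORT, timeout=5.0):
    """Connect to the DC's LDAPS port and return the parsed leaf certificate.
    The chain is validated against the local trust store (CERT_REQUIRED), so a
    missing intermediate or root shows up here as an ssl.SSLError. Hostname
    checking is left to assess() so one run can report every problem."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # assess() reports the mismatch instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python ldaps_check.py dc01.corp.example.com [dc02 ...]
    for dc in sys.argv[1:]:
        try:
            issues = assess(fetch_ldaps_cert(dc), dc)
        except (ssl.SSLError, OSError) as exc:
            issues = [f"connection/chain failure: {exc}"]
        print(dc, "OK" if not issues else "; ".join(issues))
```

Run it against each DC name that clients actually use (apps must use the DNS name of the server, as the reply says); a chain that is not installed in the right containers fails inside `fetch_ldaps_cert`, while a name mismatch or an approaching expiry is reported by `assess`. The 30-day warning threshold mirrors the one-month alert described above and is adjustable via `warn_days`.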





