How to create and install a self-signed certificate on a Windows 2016 Active Directory server to enable LDAPS


NOTE:  Self-signed certificates are not inherently secure and should not be used in production environments. Please consult your security infrastructure and security policies before installing a self-signed certificate. This is an example of one method to carry out this procedure. It is recommended to consult with your system administrator or verify with your Active Directory documentation before proceeding. 


Steps to create a self-signed certificate:


  1.  Launch Windows PowerShell on the domain controller as an administrator.
  2.  Generate a self-signed certificate by running the following commands:

    # Build the FQDN of this domain controller; the certificate's DNS name must match
    # the name LDAPS clients will connect to
    $domain_name = $env:userdnsdomain;
    $dns_name = $env:computername + '.' + $domain_name;

    # Expire the certificate three years from now
    $date_now = Get-Date;
    $extended_date = $date_now.AddYears(3);

    # Create the certificate in the local machine's personal store
    $mycert = New-SelfSignedCertificate -DnsName $dns_name -CertStoreLocation cert:/LocalMachine/My -NotAfter $extended_date;

The $mycert object contains the generated self-signed certificate, which is stored in your system certificate store at the -CertStoreLocation location.


Steps to install the self-signed certificate on your Active Directory server, which enables LDAPS:


NOTE: This is an example of one method to carry out this procedure. It is recommended to consult with your system administrator or verify with your Active Directory documentation before proceeding. Please consult Microsoft documentation for specific requirements around certificates. Please consult HP Anyware documentation for information on what is supported by HP Anyware products.

  1.  Launch Windows PowerShell on the domain controller as an administrator.
  2.  Run the following commands (in the same PowerShell session, so that $mycert from the previous step is still available) to install your certificate and configure LDAPS:

    # Thumbprint of the certificate created above, used as the registry key name
    $thumbprint = ($mycert.Thumbprint | Out-String).Trim();

    # Certificate store of the Active Directory Domain Services service account (NTDS)
    $certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates';

    # Create the service store key if it does not exist yet
    if (!(Test-Path $certStoreLoc)) { New-Item $certStoreLoc -Force; };

    # Copy the certificate from the local machine personal store into the NTDS service store
    Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc;

NOTE: The default Active Directory service instance is NTDS. If your service instance is not the default service, you need to change NTDS in the path above to the service instance name.
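Once the certificate is in the service store, a practitioner will want to confirm two things: that the directory service is actually presenting that certificate on port 636, and what identity and expiry date LDAPS clients will see. The function below is an added example written for this article; it is not part of the original procedure or of any HP or Microsoft tooling. It assumes it runs in the same elevated PowerShell session on the domain controller (so $mycert from the generation step exists; otherwise pass -Thumbprint), that the service instance is NTDS unless you pass -ServiceName, and that the function name Test-LdapsCertificate is hypothetical. The validation callback accepts any certificate only so the check can inspect a self-signed one; real LDAPS clients must either trust this certificate explicitly or reject it, and configuring them to skip validation defeats the purpose of LDAPS.

```powershell
# Added verification example (not from the original article). Assumes: same elevated
# session as the steps above, $mycert still defined, NTDS as the service instance.
function Test-LdapsCertificate {
    param(
        [string]$ComputerName = ($env:computername + '.' + $env:userdnsdomain),
        [string]$Thumbprint   = $mycert.Thumbprint,
        [string]$ServiceName  = 'NTDS',
        [int]$Port            = 636
    )

    if (-not $Thumbprint) {
        throw 'No thumbprint given and $mycert is not defined; pass -Thumbprint explicitly.'
    }

    # 1. Is the certificate present in the service store that AD DS reads from?
    #    This is the registry path the install step copies the key into.
    $serviceStore = "HKLM:/Software/Microsoft/Cryptography/Services/$ServiceName" +
                    "/SystemCertificates/My/Certificates/$Thumbprint"
    $inServiceStore = Test-Path $serviceStore

    # 2. Open a TLS 1.2 session to the LDAPS port and read back the certificate the
    #    listener really presents. Accepting any certificate here is for inspection
    #    only; production LDAP clients must validate the chain.
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptForInspection)
        $ssl.AuthenticateAsClient(
            $ComputerName,
            $null,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $false)

        # Capture everything while the stream is still open
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol  = $ssl.SslProtocol
    }
    finally {
        $client.Close()
    }

    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

    # 3. Report what a client will see and whether the listener serves the new certificate
    [pscustomobject]@{
        ComputerName        = $ComputerName
        ServiceName         = $ServiceName
        InServiceStore      = $inServiceStore
        ExpectedThumbprint  = $Thumbprint
        PresentedThumbprint = $presented.Thumbprint
        ListenerUsesCert    = ($presented.Thumbprint -eq $Thumbprint)
        PresentedDnsName    = $presented.GetNameInfo($dnsType, $false)
        NameMatchesHost     = ($presented.GetNameInfo($dnsType, $false) -eq $ComputerName)
        NotAfter            = $presented.NotAfter
        DaysUntilExpiry     = [int]($presented.NotAfter - (Get-Date)).TotalDays
        TlsProtocol         = $protocol
    }
}

Test-LdapsCertificate
```

If the TCP connection is refused, the directory service is not listening for LDAPS at all; if the handshake succeeds but ListenerUsesCert is $false, AD DS is still serving a different certificate and the service name in the registry path is the first thing to re-check. Keep DaysUntilExpiry in view: the procedure above issues a three-year certificate, and nothing renews it automatically.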