Windows Certificate Services can issue certificates for every device in your organization. Sometimes, however, you only need a single certificate to install on one Domain Controller. In this blog I explain how to install a self-signed certificate on a domain controller in an automated way. The previous blog covers the manual process: https://www.signifium.com/2020/08/18/create-a-self-signed-certificate-on-windows-domain-controllers-manual
Automated process
Microsoft used to ship a separate tool for creating self-signed certificates; today the same can be done with PowerShell cmdlets. In this process I show how to create the certificate with a PowerShell script and place it where Active Directory expects it, so the domain controller is ready for LDAPS (LDAP over SSL).
- Launch PowerShell on the domain controller as an administrator.
- Before you run the script below you need to know the following values:
- certname: the subject name of the certificate. Use the fully qualified name of your domain controller, because that is the name clients will validate when they connect over LDAPS. In my example I used "dc1.signifium.com".
- cert_years_toexpire: an integer such as 1, 2 or 3 that sets the lifetime of the certificate.
- Copy the following script to your domain controller as Install-DC-Cert.ps1:

```powershell
Param (
    [parameter(Mandatory=$true)]
    [string]$certname,                 # FQDN of this domain controller, e.g. dc1.signifium.com
    [parameter(Mandatory=$true)]
    [ValidateRange(1,3)]
    [int]$cert_years_toexpire          # certificate lifetime in years (1, 2 or 3)
)
Write-Host "Starting Script ... "
$date_now        = Get-Date
$cert_expirydate = $date_now.AddYears($cert_years_toexpire)

# Registry location of the NTDS service certificate store; LDAPS uses certificates found here.
$certStoreLoc = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

# Create the self-signed certificate in the computer's Personal store.
$servercert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $certname -NotAfter $cert_expirydate
$thumbprint = ($servercert.Thumbprint | Out-String).Trim()
Write-Host "Certificate generated with thumbprint : $thumbprint"

# Copy the certificate's registry entry into the NTDS service store (create the key if it is missing).
if (!(Test-Path $certStoreLoc)) {
    New-Item $certStoreLoc -Force | Out-Null
}
Copy-Item -Path "HKLM:\Software\Microsoft\SystemCertificates\My\Certificates\$thumbprint" -Destination $certStoreLoc
Write-Host "Certificate added to the personal store in local computer"

# A self-signed certificate is its own issuer, so add it to Trusted Root on this machine as well.
Write-Host "Copying certificate to Trusted Root Certificate Authorities"
$newcert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
$DestStoreScope = 'LocalMachine'
$DestStoreName  = 'Root'
$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($newcert)
$DestStore.Close()
Write-Host "Certificate added to Trusted Root Certificate Authorities"
Write-Host "Script completed."
```
- Run the script (replace my names with your own):

```powershell
.\Install-DC-Cert.ps1 -certname signi-dc1.signifium.com -cert_years_toexpire 3
```
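Before trusting the result, it is worth confirming that the DC actually presents the new certificate on port 636 and that the registry copy into the NTDS store landed. The following check is an added example, not part of the original post; it takes the DC name and the thumbprint printed by Install-DC-Cert.ps1 as parameters, and the certificate validation callback deliberately accepts any certificate because the script compares the thumbprint itself.

```powershell
# Verify-DC-Ldaps.ps1 (added example): confirm the NTDS store entry and the certificate served on LDAPS.
Param (
    [parameter(Mandatory=$true)] [string]$certname,           # e.g. dc1.signifium.com (placeholder)
    [parameter(Mandatory=$true)] [string]$expectedThumbprint  # value printed by Install-DC-Cert.ps1
)

# 1. The certificate must exist under the NTDS service store, otherwise LDAPS will not use it.
$ntdsStore = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
if (Test-Path (Join-Path $ntdsStore $expectedThumbprint)) {
    Write-Host "NTDS store contains $expectedThumbprint"
} else {
    Write-Warning "Thumbprint $expectedThumbprint not found under the NTDS store"
}

# 2. Open a TLS session to port 636 and read back the certificate the DC presents.
#    The callback returns $true so the handshake completes even for a self-signed cert;
#    the thumbprint comparison below is the real check.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$client = New-Object System.Net.Sockets.TcpClient($certname, 636)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
try {
    $ssl.AuthenticateAsClient($certname)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

if ($presented.Thumbprint -eq $expectedThumbprint) {
    Write-Host "LDAPS on $certname presents the expected certificate (subject $($presented.Subject), expires $($presented.NotAfter))"
} else {
    Write-Warning "LDAPS on $certname presented $($presented.Thumbprint), expected $expectedThumbprint"
}
```

If the thumbprints differ, the DC may still be serving a certificate it loaded earlier; the presented subject and expiry printed by the script show which one is in use. Remember that the Trusted Root copy only covers the DC itself, so any client that should validate the chain needs the same self-signed certificate in its own trust store.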
It is time to connect using the ADSignify App to verify if SSL is working. Enjoy the freedom to manage AD from anywhere.