How to generate a certificate signing request (CSR) file for LDAP over SSL for Windows Server?
Problem Description :
Annual generation of certificate for secured LDAP authentication
Resolution :
To generate a certificate signing request (CSR) file for LDAP over SSL for Windows Server 20XX, perform the following steps:
1. Create a request.inf file using Notepad or another plain-text editor.
Note: The values in this file are used to build the certificate request, so make any institution-specific changes (host name, subject fields, key length) here before running certreq.
Here is an example of .inf file that can be used to generate a certificate request:
----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; FQDN = the fully qualified domain name of the domain controller that will serve LDAPS
Subject = "CN=FQDN, OU=Organizational Unit, O=Organization name, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 2048          ; Can be 1024, 2048, 4096, 8192, or 16384. Larger key sizes are more secure but
                          ; cost more per TLS handshake. Use at least 2048: public CAs no longer sign 1024-bit keys.
Exportable = TRUE         ; Allows the private key to be exported from this machine later; set FALSE unless you need that.
MachineKeySet = TRUE      ; Stores the key in the computer's store, which is where the LDAP service looks for it.
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0           ; Digital Signature + Key Encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
2. Create the certificate request from an elevated command prompt on the domain controller itself: certreq -new request.inf request20XX.req
This writes the CSR (a Base64 PKCS#10 block) to the second file name you gave, request20XX.req in this example, and generates the matching private key in that server's machine key store. Because the private key never leaves that store, the issued certificate must later be installed on the same server where the CSR was generated.
For installation instructions, refer to SO5187 <index?page=content&id=SO5187>
For more information about LDAP over SSL, refer to Microsoft Knowledge Base article 321051 <http://support.microsoft.com/kb/321051/en-u>
3. Our primary certificate provider for gordonstate.edu is Comodo. However, a certificate for dc-gsc1.gdn.peachnet.edu must be requested through the GeoTrust TrueFlex Enterprise Security Center portal, because USG "owns" the peachnet.edu domain, which is our AD domain name (gdn.peachnet.edu). Your portal account has to be set up by USG ITS with approval from the school's IT Director. Go to https://enterprise-security-center.geotrust.com/vcce/enterprise/console_login?application_locale=GEOTRUST_US
Below are the steps from USG to complete a certificate request through GeoTrust:
1. Create your Certificate Signing Request (CSR). You will paste the CSR text into the portal later. The following values must be included in the CSR subject:
—Country Name (C): US
—State or Province (S): Georgia (spell out the state completely; do not abbreviate)
—Locality or City (L): Athens (you can use Athens or your institution’s city)
—Organization (O): Board of Regents of the University System of Georgia (the organization must match exactly, including case)
—Organizational Unit (OU): List your institution name as the OU
—Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.my.service.edu” or “my.service.edu”.
2. Login to the GeoTrust TrueFlex Enterprise Security Center portal (https://enterprise-security-center.geotrust.com/vcce/enterprise/console_login?application_locale=GEOTRUST_US)
3. Click Get a certificate
—Select OV SSL
—Select Validity Period 1 year
—Click Continue
4. Enter certificate information
—Select Server type
—Find, copy and then paste your CSR into the box
—If needed, check Include subject alternative names (SANs) with this certificate box; Add SANs
—Click Continue
5. Review Order Summary
—Edit Technical Contact. This ensures that the subscriber receives expiration notices.
—Check I accept the terms of this agreement box
—Click Submit
6. Check your email for confirmations to complete the ordering process. Email subjects should be as follows:
—GeoTrust TrueFlex Enterprise Security Center - Certificate Request Confirmation
—Your GeoTrust TrueFlex SSL Certificate Is Ready
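The following PowerShell script is an added example and is not part of the original article or of any USG or GeoTrust material. It ties together step 1 (the request.inf) and the USG subject values above: it writes the .inf with a 2048-bit key and a Subject Alternative Name for the domain controller, runs certreq -new, then uses certutil -dump to confirm the CSR actually carries the subject, key size, Server Authentication EKU and SAN before you paste it into the portal. A second function checks the LDAPS listener after the issued certificate has been installed (per SO5187). Assumed values: the OU "Gordon State College", the optional extra SAN gdn.peachnet.edu, and the working directory C:\CertRequests are this example's choices, not values the article specifies; the regexes assume certutil's English output.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell on the
# domain controller: MachineKeySet=TRUE puts the private key in that machine's store.
param(
    [string]$Fqdn        = 'dc-gsc1.gdn.peachnet.edu',
    [string]$Institution = 'Gordon State College',   # assumed OU value
    [string]$City        = 'Athens',                 # article allows Athens or your city
    [string[]]$ExtraSans = @('gdn.peachnet.edu'),    # assumed; add only if clients use the domain name
    [bool]$Exportable    = $false,                   # article uses TRUE; FALSE unless you must move the key
    [string]$WorkDir     = 'C:\CertRequests'         # assumed
)

$year    = Get-Date -Format yyyy
$infPath = Join-Path $WorkDir "request$year.inf"
$reqPath = Join-Path $WorkDir "request$year.req"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# One _continue_ line per DNS name; certreq's "{text}" form for OID 2.5.29.17 (SAN).
$sanLines = ((@($Fqdn) + $ExtraSans) | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$exportFlag = if ($Exportable) { 'TRUE' } else { 'FALSE' }

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, OU=$Institution, O=Board of Regents of the University System of Georgia, L=$City, S=Georgia, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = $exportFlag
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request (step 2 of the article).
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity-check the CSR before submitting it: a wrong subject or a 1024-bit key
# is cheaper to catch here than after the CA has issued (and billed) a certificate.
$dump = (& certutil.exe -dump $reqPath) -join "`n"
$checks = [ordered]@{
    'Subject CN matches FQDN'     = $dump -match [regex]::Escape("CN=$Fqdn")
    'Organization is USG BoR'     = $dump -match 'O=Board of Regents of the University System of Georgia'
    'Key length is 2048 bits'     = $dump -match 'Public Key Length: 2048 bits'
    'Server Authentication EKU'   = $dump -match '1\.3\.6\.1\.5\.5\.7\.3\.1'
    'SAN contains the FQDN'       = $dump -match ('DNS Name=' + [regex]::Escape($Fqdn))
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f ($(if ($_.Value) {'OK'} else {'FAIL'})), $_.Key }
if ($checks.Values -contains $false) { throw "CSR did not pass checks; fix $infPath and re-run." }

"`nPaste this into the portal's CSR box:"
Get-Content $reqPath
# After the CA issues the certificate, install it on this same server with:
#   certreq -accept issued.cer
# and then verify the listener with Test-Ldaps below.

function Test-Ldaps {
    # Opens a TLS session to port 636 and validates the chain and host name the way
    # an LDAPS client would; throws if validation fails.
    param([string]$Server = $Fqdn, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Server = $Server; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol }
    } finally { $tcp.Close() }
}
```

Run the script once a year when the renewal comes due; the year suffix on the file names keeps each year's request and .inf alongside the previous ones. Test-Ldaps reports NotAfter, so the same script can be scheduled to warn before the next expiry instead of relying only on the portal's e-mail notices.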
Revision Date : 6/26/2017