Campus Active Directory - Install Server Certificate for Domain Controllers

By default, Active Directory LDAP traffic is transmitted unsecured. Clear-text and unsigned LDAP traffic is susceptible to sniffing and replay attacks. LDAP traffic can be secured using Secure Sockets Layer (SSL) / Transport Layer Security (TLS). LDAP over SSL (LDAPS) is enabled by installing a properly formatted server certificate on the domain controller.

The InCommon/Comodo server certificates requested from OCIS are trusted by most operating systems natively without requiring the installation of additional root certificates.

Information about the OCIS Server Certificate request process

Server Certificate Request Information


Before beginning, verify that Active Directory Certificate Services is not installed on any of the domain controllers. If a third-party certificate is required for LDAP SSL connections, it is important that a Microsoft Enterprise Certificate Authority not be installed on the LDAP server, because installing it makes the Enterprise CA's certificate the default certificate used for SSL validation. How to decommission a Windows Enterprise CA:

Submit certificate request to the Office of Campus Information Security

- On the target server, create the "request.inf" file by opening Notepad and copying the example below. Be sure to edit the "Subject" line so that the common name (CN) matches the fully qualified domain name of the target server.

Example "request.inf"

;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
; Change the country code, organization name and common name to match your server.
; The CN must be the fully qualified domain name of this domain controller.
Subject = "C=US, O=University of Wisconsin-Madison, CN=<yourservername.wisc.edu>"

KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing

;-----------------------------------------------

- Save the "request.inf" file to the root of "C:\".

- Open an elevated command prompt and change directory to "C:\".

- Run the following command:

C:\> certreq -new request.inf request.csr

- Open a browser and navigate to the UW Server Certificate Service page (Server Certificate Request).

- In the UW Server Certificate Service enter your contact information

- Select "Other" from the "Server Type" drop-down menu and enter "LDAPS for AD Domain Controller" in the text box that appears below

- Select "Multiple Domain/Wildcard" for "Certificate Type"

- "Term" can only be set to 1 Year

- Copy the contents of the "request.csr" file that was created earlier

- Enter "LDAPS for AD Domain Controller <>

- Check the box for "I am responsible for running a service which uses this fully qualified domain name..." at the bottom of the form and click "Submit"


Be careful to close this page each time before using the link above to request additional certificates; otherwise the page refreshes and creates a duplicate request!

- After the request is submitted, OCIS will send a confirmation email to the contact provided in the request.

- An enrollment email will be sent from Comodo Certificate Services Manager with links to download the certificate in different formats.

- Click the link for "PKCS#7" to download the machine certificate together with the intermediate and root certificates.

Available formats (as described in the enrollment email):
      as PKCS#7: Cryptographic Message Syntax Standard (PKCS #7), .p7b. The PKCS #7 format supports storage of the certificate and all certificates in the certification path. It does not include the private key.

- Upload the certificate file that was downloaded to the root of "C:\" on the target server

Install the Certificate

- Open an elevated command prompt and change directory to "C:\".

- Run the following command:

C:\> certreq -accept <yourservername_wisc_edu>.crt

- Installing the server certificate enables LDAP over SSL, which can be verified with the following steps:

More detailed steps can be found here:

Additional Steps for Domain Controllers that require the certificate in multiple locations (2012 and later)

If there are multiple valid certificates available in the local computer store, Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the store. The LDAP bind may fail if Schannel selects the wrong certificate.

Loading the requested server certificate into the NTDS\Personal certificate store ensures that the correct server certificate is used for LDAPS.


  • Automatic certificate enrollment (auto-enrollment) cannot be utilized to populate NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller
LDAP over SSL (LDAPS) Certificate (MS TechNet)
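As an added check, not part of the original article: a Python script that completes a TLS handshake against port 636 and reports whether the certificate the domain controller actually served is the intended one, which is how the Schannel wrong-certificate problem described above shows up from the client side. The server name, organization and dates in SAMPLE_CERT are constructed for the example, and fetch_ldaps_cert assumes the DC is reachable on port 636 and that the issuing CA is in the client's trust store.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the layout getpeercert() returns (names and dates made up).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example University"),),
                (("commonName", "dc1.ad.example.edu"),)),
    "issuer": ((("commonName", "Example Commercial Server CA"),),),
    "subjectAltName": (("DNS", "dc1.ad.example.edu"), ("DNS", "ad.example.edu")),
    "notAfter": "Jun 15 23:59:59 2025 GMT",
}

def fetch_ldaps_cert(host, port=636, timeout=5.0):
    """TLS handshake on the LDAPS port; returns the served certificate as a dict.
    create_default_context() verifies chain and hostname against the client's
    trust store, so an SSLError here already means clients will reject the DC."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_matches(pattern, fqdn):
    if pattern.startswith("*."):  # one-label wildcard, e.g. *.ad.example.edu
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return pattern == fqdn

def evaluate_dc_cert(cert, expected_fqdn, now=None):
    """List problems with the certificate a DC actually served ([] means OK).
    A name mismatch or a self-signed issuer is the symptom of Schannel having
    picked another certificate from the computer store than the one requested."""
    now = time.time() if now is None else now
    fqdn = expected_fqdn.lower()
    subject_cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    issuer_cn = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"]
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"] + subject_cn
    problems = []
    if not any(_name_matches(n.lower(), fqdn) for n in names):
        problems.append(f"name mismatch: served cert is for {names}, expected {fqdn}")
    if issuer_cn == subject_cn:
        problems.append(f"self-signed certificate (issuer {issuer_cn}), not from the external CA")
    not_after = cert.get("notAfter")
    if not not_after or ssl.cert_time_to_seconds(not_after) <= now:
        problems.append(f"certificate expired or has no expiry date ({not_after})")
    return problems

if __name__ == "__main__":  # usage: python check_ldaps.py dc1.ad.example.edu
    print(evaluate_dc_cert(fetch_ldaps_cert(sys.argv[1]), sys.argv[1]) or ["LDAPS certificate OK"])
```

Run it from a domain-joined workstation against each DC after the import; an empty problem list plus a successful handshake means clients will accept the LDAPS certificate.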

Enable LDAP over SSL with a third-party certification authority

When exporting the certificate:

Publish the Comodo root certificate (AddTrustedExternalCaRoot.crt) to the NTAuthCA certificate store

Enable LDAP Interface Events Debugging

The domain controller logs Event ID 2887 every 24 hours with a summary of clients that used clear-text or unsigned binds. Enabling debug logging for LDAP Interface Events logs Event ID 2889 each time a client performs a clear-text or unsigned bind to the domain controller.

Event ID 2889 LDAP signing
Event ID 2888 LDAP signing

To enable diagnostic logging for LDAP Interface Events:

To disable the diagnostic logging for LDAP Interface Events:
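As an added example, not part of this article: a small Python parser for the 2887 and 2889 message bodies (exported from the Directory Service log) that turns the per-bind 2889 events into a count per client and identity, so the clients still using clear-text or unsigned binds can be found before LDAPS is made mandatory. The message layout follows what the Directory Service log uses; the addresses, identities and totals in the samples are constructed.

```python
import re
from collections import Counter

BINDING_TYPES = {"0": "unsigned SASL bind", "1": "simple bind over clear text"}

# Constructed Event ID 2889 message bodies in the layout the Directory Service
# log uses; the addresses and identities are made up for this example.
TEMPLATE_2889 = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
    "Client IP address:\n{addr}\nIdentity the client attempted to authenticate as:\n{who}\n"
    "Binding Type:\n{kind}"
)
SAMPLE_2889 = [TEMPLATE_2889.format(addr=a, who=w, kind=k) for a, w, k in [
    ("10.1.2.3:55012", "CAMPUS\\svc-backup", "1"),
    ("10.1.2.3:55140", "CAMPUS\\svc-backup", "1"),
    ("10.1.5.9:49811", "CAMPUS\\jdoe", "0"),
]]
# Constructed, abridged 2887 daily summary; only the two total lines are parsed.
SAMPLE_2887 = ("During the previous 24 hour period, some clients attempted to perform LDAP "
               "binds that were unsigned SASL binds or simple binds over clear text.\n\n"
               "Number of simple binds performed without SSL/TLS: 12\n"
               "Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 34")

FIELDS_2889 = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.*?)\s*"
    r"Binding Type:\s*(?P<kind>[01])", re.S)

def parse_2889(message):
    """Extract client address, identity and bind kind from one 2889 message."""
    m = FIELDS_2889.search(message)
    if not m:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "identity": m["identity"],
            "binding": BINDING_TYPES[m["kind"]]}

def summarize_2889(messages):
    """Count (identity, ip, binding) so each offending client can be fixed or
    pointed at LDAPS before the DC is set to require signing."""
    return Counter((r["identity"], r["ip"], r["binding"])
                   for r in map(parse_2889, messages) if r)

def parse_2887(message):
    """Pull the two 24-hour totals out of the daily 2887 summary event."""
    simple = re.search(r"simple binds performed without SSL/TLS:\s*(\d+)", message)
    sasl = re.search(r"binds performed without signing:\s*(\d+)", message)
    return {"simple_clear": int(simple[1]) if simple else 0,
            "unsigned_sasl": int(sasl[1]) if sasl else 0}
```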