To use a certificate in Windows for IIS, you select it in the site's IIS bindings. Using a certificate for LDAPS on a domain controller works differently, because Schannel picks the certificate itself. There are two things to keep in mind:

  • Windows will first use certificates in the NTDS store before using certificates in the Local Computer personal store.
  • When there are multiple certificates, Windows will use the certificate whose expiry date is the farthest out.
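The two selection rules above decide which certificate a domain controller presents on port 636, and the usual surprise is a certificate in the NTDS store winning over a newer one in the Local Computer store. The script below is an added example (not part of the original note) that models those rules over constructed certificate records, the kind of fields you would read off mmc.exe or `openssl x509 -noout -enddate -ext subjectAltName`. It also filters out certificates that cannot serve LDAPS at all (no private key, expired, missing Server Authentication EKU, DC FQDN not in the SAN); those requirements come from Microsoft's LDAPS certificate requirements, not from the text above, and the hostname, thumbprint labels and dates are assumed sample values.

```python
"""Model which certificate a DC will present on LDAPS (port 636).

Rules from the note above: certificates in the NTDS store take precedence
over the Local Computer personal store, and among the remaining candidates
the one whose NotAfter date is farthest out wins.  The suitability checks
(private key, expiry, Server Authentication EKU, DC FQDN in the SAN) are the
documented LDAPS certificate requirements and are added here as an assumption.
All records below are constructed sample data, not real certificates.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

DC_FQDN = "dc01.corp.example.com"                 # assumed DC hostname
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed "current time" for the example


@dataclass
class CertRecord:
    thumbprint: str                    # placeholder label, not a real thumbprint
    store: str                         # "NTDS" or "LocalMachine"
    not_after: datetime                # NotAfter / expiry date
    sans: list = field(default_factory=list)   # DNS names from subjectAltName
    ekus: list = field(default_factory=list)   # extended key usages, e.g. "serverAuth"
    has_private_key: bool = True


def _san_matches(san: str, fqdn: str) -> bool:
    """Exact match, or a single-label wildcard such as *.corp.example.com."""
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*.") and "." in fqdn:
        return fqdn.split(".", 1)[1] == san[2:]
    return san == fqdn


def usable_for_ldaps(cert: CertRecord, fqdn: str, now: datetime) -> list:
    """Return the reasons a certificate cannot serve LDAPS; empty list means usable."""
    problems = []
    if not cert.has_private_key:
        problems.append("no private key in store")
    if cert.not_after <= now:
        problems.append("expired")
    if "serverAuth" not in cert.ekus:
        problems.append("missing Server Authentication EKU")
    if not any(_san_matches(s, fqdn) for s in cert.sans):
        problems.append(f"SAN does not cover {fqdn}")
    return problems


def select_ldaps_cert(certs, fqdn: str, now: datetime):
    """Store precedence first (NTDS beats LocalMachine), then farthest expiry."""
    candidates = [c for c in certs if not usable_for_ldaps(c, fqdn, now)]
    ntds = [c for c in candidates if c.store == "NTDS"]
    pool = ntds or [c for c in candidates if c.store == "LocalMachine"]
    if not pool:
        return None
    return max(pool, key=lambda c: c.not_after)


def sample_certs() -> list:
    """Constructed store contents that exercise each rule."""
    utc = timezone.utc
    return [
        CertRecord("NTDS-A", "NTDS", datetime(2026, 3, 1, tzinfo=utc),
                   [DC_FQDN], ["serverAuth"]),
        CertRecord("LM-B", "LocalMachine", datetime(2028, 1, 1, tzinfo=utc),
                   [DC_FQDN], ["serverAuth"]),
        CertRecord("LM-C", "LocalMachine", datetime(2027, 1, 1, tzinfo=utc),
                   ["*.corp.example.com"], ["serverAuth"]),
        CertRecord("NTDS-D", "NTDS", datetime(2024, 6, 1, tzinfo=utc),
                   [DC_FQDN], ["serverAuth"]),          # expired: skipped
        CertRecord("LM-E", "LocalMachine", datetime(2030, 1, 1, tzinfo=utc),
                   ["ldap.corp.example.com"], ["serverAuth"]),  # wrong SAN: skipped
    ]


if __name__ == "__main__":
    certs = sample_certs()
    for c in certs:
        issues = usable_for_ldaps(c, DC_FQDN, NOW) or ["ok"]
        print(f"{c.thumbprint:8} {c.store:13} {c.not_after:%Y-%m-%d}  {'; '.join(issues)}")
    chosen = select_ldaps_cert(certs, DC_FQDN, NOW)
    print("presented on 636:", chosen.thumbprint if chosen else "none")
```

Run as written, NTDS-A is presented even though LM-B and LM-E expire later, which is exactly the case where replacing the certificate in the Local Computer store changes nothing; the NTDS store has to be cleaned up first. Removing the NTDS entries makes LM-B win over LM-C on expiry, and LM-E never qualifies because its SAN does not name the DC.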

Troubleshooting Tips

  • Install the Remote Server Administration Tools (RSAT) and use ldp.exe to connect to and query your LDAP server over port 636. On Windows 11, the RSAT tools can be installed from PowerShell.
  • Query the LDAP server with ldap-utils using the following command (the filter must be parenthesized, and -d 1 prints the TLS handshake so certificate errors are visible):
    ldapsearch -x -H 'ldaps://host.server.com' -D 'username' -W -b 'dc=host,dc=com' '(sAMAccountName=username)' -d 1
  • Use OpenSSL to connect to the LDAP server and view the certificate it presents with the following command:
    openssl s_client -connect host.server.com:636

Install certificate to NTDS certificate store

  • Open mmc.exe and add the Certificate snap-in.
  • When prompted, choose “Service account”. Click next.
  • Choose “Local computer”. Click next.
  • Choose “Active Directory Domain Services”. Click Finish.
  • Import the certificate into NTDS\Personal\Certificates.
  • Restart the Active Directory Domain Services service. This generally requires a server restart.
