Welcome 2020 (Or not)!!!
Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.
It's been a while since I've written anything.
Anyway, I had a local Active Directory VM running in my home lab for SailPoint IDN, and I wanted to set up a TLS (LDAPS) connection to it. I thought it would be easy:
- Create a CSR on the domain controller
- Generate (sign) a certificate from it
- Import the certificate into the DC
- Test the connection via ldp or IDN
I didn't want to go through installing an AD CA role for this one task, so I decided to use OpenSSL, which was already installed on my Mac. There are many excellent guides on how to enable LDAPS in AD with a self-signed certificate; by far the easiest I found was this one.
What I found, though, was that the generated cert didn't contain a SAN (Subject Alternative Name), so clients could not match it against the DC's hostname. I found plenty of reports of the same issue with the openssl command online. This is how I fixed it.
I followed the guide up to the point where v3ext.txt is generated, but used my own version, shown below:
```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = dc1.abc.local

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names

[alt_names]
DNS.1 = abc.local
DNS.2 = dc1.abc.local
IP = 192.168.83.210
```
The IP address and the extra DNS name are just examples. In this example my domain is "abc.local" and the DC is "dc1.abc.local"; add further DNS entries (DNS.3, DNS.4, ...) as your environment requires.
Then I modified the signing command to use this file:
```bash
openssl x509 -req -days 3650 -in dc1.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -extensions v3_req -set_serial 01 -out dc1.crt
```
The rest is the same as in the guide. You get a certificate that carries the SAN, import it into your DC, LDAPS works, and IDN and IQService connect over TLS. Then forget about it for 10 years 😛
Aah the green box of approval from IDN!!! Gods are happy & everything is good in world again!!!
Hope this helps someone set up an LDAPS (TLS) connection to their home AD lab without a CA server. Of course, this won't be a problem in an enterprise deployment.