One of our clients wants me to change NetScaler LDAP
configuration from PLAINTEXT to SSL
Background:
We don’t have internal Certificate Authority.
By default, LDAP traffic is transmitted unsecured. You can
make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) /
Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS)
by installing a properly formatted certificate from either a
Microsoft
certification authority (CA) or a non-Microsoft CA according to the guidelines
in this article.
Installing a valid certificate on a domain controller
permits the LDAP service to listen for, and automatically accept, SSL
connections for LDAP
Creating the certificate request
Any utility or application that creates a valid PKCS #10
request can be used to form the SSL certificate request. Use Certreq to form
the request.
Certreq.exe requires a text
instruction file to generate an appropriate X.509 certificate request for a
domain controller. You can create this file by using your preferred ASCII text
editor. Save the file as an .inf file to any folder on your hard drive.
To request a Server Authentication certificate that is suitable for LDAPS,
follow these steps:
Create the .inf file. Following is an example .inf file
that can be used to create the certificate request.
;-----------------
request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Cut and
paste the sample file into a new text file named Request.inf. Provide the fully
qualified DNS name of the domain controller in the request.
My Domain controller Hostname is : ad.ctxdc.test.local
I created a Request.inf and saved on C:\ of my Domain
Controller
Create the request file. To do this,
type the following command at the command prompt, and then press ENTER:
certreq -new request.inf request.req
A new file
called Request.req is created. This is the base64-encoded request file.
Submit the request to a CA. You can submit the request to a
Microsoft CA or to a third-party CA.
My friend has one Microsoft CA installed .
I send my file to him and ask him to create a certificate
for me or we can ask third party to create a certificate for me.
Steps to request and download certificate.
Open Webpage on CA server to request certificate.
Click on Request a certificate.
Click Advanced certificate request.
Click on
Paste
the saved request and select "webserver" as certificate Template
Click
Submit
Select
Base 64 encoded and click on Download Certificate.
Retrieve the certificate that is issued, and then save the certificate as
Certnew.cer in the same folder as the request file.
Accept the issued certificate. To do
this, type the following command at the command prompt, and then press ENTER:
certreq -accept certnew.cer
Verify that the certificate is
installed in the computer's Personal store. To do this, follow these steps:
- Start Microsoft Management Console (MMC).
- Add the Certificates snap-in that manages certificates
on the local computer.
- Expand Certificates (Local Computer), expand Personal,
and then expand Certificates.
A new certificate should exist in
the Personal store. In the Certificate Properties dialog box, the
intended purpose displayed is Server Authentication. This certificate is
issued to the computer's fully qualified host name.
Download ldp.exe and verify LDAP
accepting SSL connections
Once it accepting connection over
SSL, will change Netscaler configuration from PLAINTEXT to SSL and click OK.