How to create a certificate for Windows Domain Controllers.
Domain controllers that need a certificate for LDAPS require some extra permitted uses (extended key usages) beyond those of a plain web-server certificate. They must also carry subject alternative name (SAN) entries, otherwise various third-party products, such as anything Java-based, will reject the certificate. The key requirements are captured in the following OpenSSL request configuration (cert.cnf):
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# Extensions below go into the CSR; the signing CA must copy them into the
# issued certificate (for an OpenSSL CA: copy_extensions = copy), otherwise
# the SAN and EKU entries are silently dropped.
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Surrey
localityName = Camberley
organizationName = CylCorp
commonName = dc1.cylindric.net
[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# serverAuth is required before Windows will use the certificate for LDAPS;
# clientAuth and msSmartcardLogin cover the domain controller's other roles.
extendedKeyUsage = critical, serverAuth, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
[ alt_names ]
# Clients match the server name against these entries, not the CN.
DNS.1 = dc1.cylindric.net
DNS.2 = cylindric.net
DNS.3 = ldap.cylindric.net
IP.1 = 192.168.0.10
Create the private key and CSR from it (-nodes leaves private.key unencrypted, so restrict access to that file):
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config cert.cnf
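Before handing the CSR to the CA it is worth confirming that it really contains the SAN and EKU entries the configuration asks for, since a CSR built from a mistyped section name silently comes out without them. The script below is an added example, not part of the original note: it embeds the cert.cnf from above (with serverAuth added to the EKU list, which Windows requires for LDAPS), runs the same openssl command into a scratch directory (WORK, an assumption), and checks the decoded CSR for each expected entry.

```shell
#!/bin/sh
# Added example, not part of the original note: build the DC CSR from an
# inline copy of cert.cnf, then verify the CSR carries the SAN and EKU
# entries that LDAPS clients and Windows expect before sending it to the CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption, not on the page)
write_config() {   # same content as the cert.cnf on the page, embedded inline
  cat > "$WORK/cert.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Surrey
localityName = Camberley
organizationName = CylCorp
commonName = dc1.cylindric.net
[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
[ alt_names ]
DNS.1 = dc1.cylindric.net
DNS.2 = cylindric.net
DNS.3 = ldap.cylindric.net
IP.1 = 192.168.0.10
EOF
}

make_csr() {       # the page's openssl command, pointed at the scratch directory
  write_config
  openssl req -out "$WORK/sslcert.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/private.key" -config "$WORK/cert.cnf" 2>/dev/null
}

csr_text() { openssl req -in "$WORK/sslcert.csr" -noout -text; }
# Returns 0 only if every SAN from [ alt_names ] made it into the CSR.
check_sans() {
  t=$(csr_text)
  for n in DNS:dc1.cylindric.net DNS:cylindric.net DNS:ldap.cylindric.net "IP Address:192.168.0.10"; do
    printf '%s\n' "$t" | grep -q -- "$n" || return 1
  done
}

# Returns 0 only if the EKU list contains serverAuth, which Windows needs for LDAPS.
check_server_auth() { csr_text | grep -q "TLS Web Server Authentication"; }
```

Run make_csr, then check_sans and check_server_auth; a non-zero exit from either means the CSR is missing something and should not be submitted.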