Domain Controller Certificate

How to create a certificate for Windows Domain Controllers.

AD servers needing a certificate for LDAPS need some extra permitted uses. Also, they must have SAN entries to be accepted by various third-party products, such as anything Java based. Therefore the key requirements are:

  • CN to match the server FQDN
  • SAN entries for
    • FQDN - for direct connections
    • Domain name - for DC discovery using the DNS domain
    • Generic FQDN - optional, but common where using something not tied to the host is required; load balancing, etc.
    • IP address - optional, but useful for connecting via LDAP when you don't have DNS resolution to the DC
  • Usages:
    • client authentication
    • server authentication
    • key encipherment
    • digital signature
    • non-repudiation
    • email protection
    • Smart Card login

Create a Request Config

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName         = GB
stateOrProvinceName = Surrey
localityName        = Camberley
organizationName    = CylCorp
commonName          =

[ req_ext ]
subjectAltName         = @alt_names
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints       = critical, CA:FALSE

[ alt_names ]
DNS.1 =
DNS.2 =
DNS.3 =
IP.1  =

Create a CSR

Create a CSR and key from it

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config cert.cnf