How to create a certificate for Windows Domain Controllers.
AD servers that need a certificate for LDAPS require some additional extended key usages. They must also carry subjectAltName (SAN) entries to be accepted by various third-party products, such as anything Java-based. The key requirements are therefore captured in the following OpenSSL request config (cert.cnf):

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Surrey
localityName = Camberley
organizationName = CylCorp
commonName = dc1.cylindric.net

[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# serverAuth is what LDAPS clients check on a server certificate; the
# remaining usages cover the DC's own client, smart-card and mail roles.
extendedKeyUsage = critical, serverAuth, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE

[ alt_names ]
DNS.1 = dc1.cylindric.net
DNS.2 = cylindric.net
DNS.3 = ldap.cylindric.net
IP.1 = 192.168.0.10
Create a CSR and private key from it:
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config cert.cnf
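Before handing the CSR to the CA it is worth confirming that the request really carries the SAN, keyUsage and EKU entries LDAPS clients will look for. The script below is an added example, not part of the original post: it writes the config (DN trimmed to a few fields, with the page's sample host names and IP), runs the same openssl req command, and then checks the CSR text for every required entry.

```shell
#!/bin/sh
# Added example, not from the original post: build the DC CSR from the config
# above, then prove the CSR carries the SAN and EKU entries LDAPS needs before
# it is submitted to the CA. Names and IP are the page's sample values.
set -eu

# Write cert.cnf into directory $1 and generate private.key + sslcert.csr there.
make_dc_csr() {
    cat > "$1/cert.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
countryName = GB
organizationName = CylCorp
commonName = dc1.cylindric.net
[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
[ alt_names ]
DNS.1 = dc1.cylindric.net
DNS.2 = cylindric.net
DNS.3 = ldap.cylindric.net
IP.1 = 192.168.0.10
EOF
    openssl req -out "$1/sslcert.csr" -newkey rsa:2048 -nodes \
        -keyout "$1/private.key" -config "$1/cert.cnf" 2>/dev/null
}

# Succeed only if the CSR in $1 carries every entry an LDAPS DC cert needs;
# a CA that copies these into the issued cert gives clients what they verify.
check_dc_csr() {
    txt=$(openssl req -noout -text -in "$1")
    for want in 'DNS:dc1.cylindric.net' 'DNS:cylindric.net' \
                'IP Address:192.168.0.10' 'TLS Web Server Authentication' \
                'Digital Signature' 'Key Encipherment' 'CA:FALSE'; do
        case "$txt" in
            *"$want"*) ;;
            *) echo "CSR missing: $want" >&2; return 1 ;;
        esac
    done
    echo "CSR has all required SAN, keyUsage and EKU entries"
}
```

Run it as `make_dc_csr /tmp/dc1 && check_dc_csr /tmp/dc1/sslcert.csr`; a non-zero exit names the first missing entry so the config can be corrected before the CA ever sees the request.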