Step by step guide to setup LDAPS on Windows Server using Certificate Authority
- First, we need to set up LDAP over SSL (LDAPS) to establish a secure connection between our client and the LDAP server.
- To do this, we install the "Active Directory Certificate Services" role on our Windows Server machine. This role lets us create and export the certificate needed for the LDAPS connection. Install it as follows:
- Click on the Start menu and open Server Manager.
- Click on "Add Roles and Features" and then click Next.
- Choose the "Role-based or feature-based installation" option and click Next.
![](/sites/default/files/inline-images/image_99.png)
- Choose the "Select a server from the server pool" option, select the LDAP server from the server pool, and click Next.
![](/sites/default/files/inline-images/image_100.png)
- Choose the "Active Directory Certificate Services" role from the list of roles and click Next.
![](/sites/default/files/inline-images/image_101.png)
- Choose nothing from the list of features and click Next.
- Click on Add Features.
![](/sites/default/files/inline-images/image_102.png)
![Screenshot](/sites/default/files/inline-images/image_89.png)
![](/sites/default/files/inline-images/image_103.png)
![Screenshot](/sites/default/files/inline-images/image_90.png)
- Make sure that both Active Directory Certificate Services and Certification Authority Web Enrollment are selected.
![](/sites/default/files/inline-images/image_104.png)
- On the Confirmation page, select "Restart the destination server automatically if required" and click Install.
![](/sites/default/files/inline-images/image_105.png)
- After installation, open the notifications area in Server Manager and click "Configure Active Directory Certificate Services".
![](/sites/default/files/inline-images/image_106.png)
- On the Credentials page, enter the credentials and click Next.
![](/sites/default/files/inline-images/image_107.png)
- On the Role Services page, select Certification Authority Web Enrollment and click Next.
![](/sites/default/files/inline-images/image_108.png)
- Specify the setup type of the CA.
![Screenshot](/sites/default/files/inline-images/image_92.png)
![](/sites/default/files/inline-images/image_109.png)
- If you already have an existing private key, use the second option.
![](/sites/default/files/inline-images/image_110.png)
![Screenshot](/sites/default/files/inline-images/image_91.png)
- On the Confirmation page, click Configure to finish the configuration.
![](/sites/default/files/inline-images/image_113.png)
![](/sites/default/files/inline-images/image_114.png)
1.2: Create certificate template
- Press Windows Key+R, run the certtmpl.msc command, and choose the Kerberos Authentication template.
![LDAPS on Windows Server certificate authority](/sites/default/files/inline-images/image_115.png)
- Right-click Kerberos Authentication and select Duplicate Template.
![LDAPS on Windows Server duplicate kerberos authenticator template](/sites/default/files/inline-images/image_116.png)
- The Properties of New Template dialog will appear. Configure the settings according to your requirements.
- Go to the General tab and enable the "Publish certificate in Active Directory" option.
![](/sites/default/files/inline-images/image_117.png)
- Go to the Request Handling tab and enable the "Allow private key to be exported" option.
![LDAPS on Windows Server ldap certificate install](/sites/default/files/inline-images/image_118.png)
- Go to the Subject Name tab, set the subject name format to DNS Name, and click Apply and then OK.
![LDAPS on Windows Server subject name settings](/sites/default/files/inline-images/image_119.png)
1.3: Issue certificate template
- Go to Start -> Certification Authority, right-click "Certificate Templates" and select New -> Certificate Template to Issue.
![LDAPS on Windows Server certificate authority](/sites/default/files/inline-images/image_120.png)
- Now select your recently created certificate template and click OK.
![](/sites/default/files/inline-images/image_121.png)
1.4: Request new certificate for created certificate template
- Press Windows Key+R -> mmc -> File -> Add/Remove Snap-in. Select Certificates, click Add, and then click OK.
![LDAPS on Windows Server certificate authority](/sites/default/files/inline-images/image_122.png)
- Select the Computer account option and click Next.
![LDAPS on Windows Server select computer account](/sites/default/files/inline-images/image_123.png)
- Select the Local computer option and click Finish.
![LDAPS on Windows Server select local computer](/sites/default/files/inline-images/image_124.png)
- Now right-click Certificates, select All Tasks, and click Request New Certificate.
![](/sites/default/files/inline-images/image_125.png)
- Click Next.
- Click Next.
- Select your certificate and click Enroll.
- Click Finish.
1.5: Export the created certificate
- Right-click the recently generated certificate and select All Tasks -> Export.
- Click Next.
![LDAPS on Windows Server duplicate kerberos authenticator](/sites/default/files/inline-images/image_126.png)
- Select the "Do not export the private key" option and click Next.
- Choose the Base-64 encoded X.509 file format and click Next.
![LDAPS on Windows Server base-64 encoded](/sites/default/files/inline-images/image_94.png)
- Export the .CER file to a path on your local system and click Next.
- Click Finish to complete the certificate export.
![LDAPS on Windows Server export certificate successfully](/sites/default/files/inline-images/image_127.png)
2. Configure LDAPS on the Connector
- First, we need to change the certificate format from .cer to .pem.
- Then, upload the certificate to the Anyware Manager.
- Finally, copy the configuration command and run it on the connector.
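Steps 1.5 and 2 export the certificate in Base-64 X.509 form and then convert it to .pem for the connector. The script below is an added example, not part of this guide and not Anyware Manager's or the connector's own tooling. It normalises the exported .cer file (binary DER, or Base-64 X.509 with the CRLF line endings and optional BOM that Windows writes) into a clean .pem, and then, if a host name is given, opens a TLS connection to the domain controller's LDAPS port (636) and verifies the presented certificate against that .pem, including a check that the DNS subject name configured in step 1.2 matches the host name. The file names, the host name and the sample DER bytes used in testing are assumptions or constructed values; `ssl.VERIFY_X509_PARTIAL_CHAIN` requires Python 3.10 or newer.

```python
"""Added example (not from the guide): convert a Windows-exported .cer to .pem and
verify an LDAPS endpoint against it, using only the Python standard library."""
import base64
import binascii
import re
import socket
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def looks_like_der(data: bytes) -> bool:
    """A DER certificate is an ASN.1 SEQUENCE (tag 0x30) whose length byte is
    long-form (high bit set), because real certificates exceed 127 bytes."""
    return len(data) > 2 and data[0] == 0x30 and (data[1] & 0x80) != 0


def cer_to_pem(data: bytes) -> str:
    """Return canonical PEM text: LF line endings and 64-character Base-64 lines.

    Accepts both formats the Windows export wizard can write:
    - DER encoded binary X.509;
    - Base-64 encoded X.509, which is already PEM but carries CRLF line endings
      (and sometimes a UTF-8 BOM) that some Linux tools reject.
    """
    if looks_like_der(data):
        der = data
    else:
        try:
            text = data.decode("utf-8-sig")  # strips a BOM if present
            body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", text)
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("input is neither DER nor Base-64 X.509") from exc
        if not looks_like_der(der):
            raise ValueError("decoded data is not a DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of cer_to_pem; handy for round-trip checks."""
    body = "".join(line for line in pem.splitlines()
                   if line and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def check_ldaps(host: str, pem_path: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to the LDAPS port and verify the server certificate against the
    exported .pem. check_hostname makes OpenSSL match the certificate's DNS
    name (the subject name format chosen in the template) against the host we
    dialled, so a certificate issued for the wrong name is rejected."""
    ctx = ssl.create_default_context(cafile=pem_path)  # only this file is trusted
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The exported file is the DC's own certificate rather than the CA root, so
    # allow it to act as a trust anchor without a chain to a self-signed root.
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # Python 3.10+
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": cert.get("subject"),
                "subjectAltName": cert.get("subjectAltName"),
                "notAfter": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Usage (placeholder names): ldaps_check.py exported.cer ldaps.pem [dc.example.internal]
    if len(sys.argv) < 3:
        sys.exit("usage: ldaps_check.py <exported.cer> <out.pem> [dc-hostname]")
    with open(sys.argv[1], "rb") as fh:
        pem_text = cer_to_pem(fh.read())
    with open(sys.argv[2], "w", newline="\n") as fh:
        fh.write(pem_text)
    print(f"wrote {sys.argv[2]}")
    if len(sys.argv) > 3:
        print(check_ldaps(sys.argv[3], sys.argv[2]))
```

Run it on the exported .CER before uploading to Anyware Manager; if the LDAPS check fails with a hostname mismatch, the DNS subject name in the template does not match the name the connector will use for the domain controller.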