Configuring a cert for custom LDAPS

  • Last Post 11 February 2020
Biju_Babu posted this 10 February 2020

Hello,   Wondering if there is a way to config a DC to use a specific cert from its computer store for LDAPS. As per below technet blog,  DC will pick the newest one from the store for LDAPS and it is true with my experience (not so pleasant) and testing.   Rgds

Order By: Standard | Newest | Votes
Anthony.Vandenbossche posted this 11 February 2020

If you have around 100 Domain Controllers, the ADDS’ store is a pain in the ass

😊.  Make sure your Domain Controllers

only have 1 valid Computer Auth certificate in their stores. In case of the 100 Domain Controllers; you can auto generate an inf file for every Domain Controller. A template INF file is below. Replace the FQDN and NETBIOS references to your environment. The

script (below the template) will replace the “REPLACEME” placeholders with your Domain Controller names, resulting in 100 INF files ready to submit to your CA.



Signature = "$Windows NT$"



Exportable =


KeyLength = 2048

KeySpec = 1 ; required for encryption

KeyUsage = 0xA0 ; digital signature, key encipherment

MachineKeySet = TRUE ; key belongs to the local computer account

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = CMC


CertificateTemplate = "LDAPSTemplate"

[Extensions] = "{text}"

continue = "dns=REPLACEME.FQDN&"

continue = "dns=ldap.FQDN&"

continue = "dns=ldap1.FQDN&"

continue = "dns=ldap2.FQDN&"

continue = "dns=NETBIOS&"


OID= ; server authentication


$DropDir = "C:\temp\ldaps\GeneratedINFFiles"

$INFFile = Get-Content C:\temp\ldaps\Template.inf

$DCs = Get-ADDomainController -Filter  | select name

Foreach($DC in $DCs)


    write-host "Processing $($"

    $FileName = $DropDir+"\"+$".inf"

    $NewContent = $INFFile -replace "REPLACEME",$ | Out-File $FileName




In my case, I then placed all the INF files on a location accessible to all Domain Controllers, the NETLOGON share. Also, I put a version

of PSEXEC ( in the Netlogon to perform below commands under the local machine context (Certificate Template permissions are given to Domain Controllers):


Invoke-Command FQDNSERVER {\FQDN\NETLOGON\LDAPS\PsExec64.exe -s -i certreq -new \FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.inf \FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.req}

Invoke-Command FQDNSERVER 


Invoke-Command FQDNSERVER 

{\FQDN\NETLOGON\LDAPS\PsExec64.exe -s -i certreq –accept \FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.cer}



If you are really really lazy, as you should, write a wrapper around the above code to automate this process as well. That may look

something like this:


$DCs = Get-ADDomainController -Filter 
 | select name,hostname

Foreach($DC in $DCs)


     Invoke-Command $DC.hostname {certreq}

     Invoke-Command $DC.hostname {submitreq}

     Invoke-Command $DC.hostname {acceptcert}



Hope this helps.



Anthony Van den bossche



Biju_Babu posted this 11 February 2020

Thanks Ross, I will look into it.


@ Al Mulnick – Sorry, I do not follow. We are using an LB and it gives it’s “pool” name back to the client while establishing LDAPS (noticed from netmon traffic), Is there a different way to do this?





chriss3 posted this 10 February 2020

Nope sorry, You’re right, the service store is for LDAPs, KDC choose the cert differently.



chriss3 posted this 10 February 2020

Hmm. Isn’t that for KDC cert? <> LDAPs cert?




amulnick posted this 10 February 2020

Would you not want to load balance it? It's even easier to put a lb in front and use a single cert for the lb to DC comm. 
Simpler is always better from what I've seen and load balancing can give you better availability of done right. 


rwilper posted this 10 February 2020

The “easiest” way that I have found to force the right certificate for LDAPS is to place it in the ADDS service’s Personal store instead of the computer’s Personal store. ADDS will look for a valid and applicable

certificate there first.