LDAPS on Windows Server 2025 onwards Domain Controllers using a selfhosted Certificate Authority
Hi everyone!
This article is a dedicated follow-up on last year's topic about a self-signed, selfhosted certificate authority (you can find it here).
In this article we will look at how to integrate our selfhosted certificate authority with a Windows-based Domain Controller, specifically from Windows Server 2025 onwards, in which unsecured LDAP (port 389) is disabled by default and its use is highly discouraged for security reasons.
Prerequisites
For this to work, we need:
- A domain controller, up and running, with a properly configured FQDN (in this example it will be adds.goldmark.local)
- SmallStep's step.exe executable for Windows, which can be downloaded here following one of the methods provided
- OpenSSL executable for Windows, which can be downloaded here (I used the EXE version of Win64 OpenSSL v3.5.1 Light for this demonstration)
Phase 1: Installing required dependencies
First, let's create a dedicated folder at C:\SmallStep in which we will do our work. All the terminal commands below should be run from this directory.
Then, download and extract SmallStep's step.exe from the link above and copy only the step.exe file inside the bin folder to C:\SmallStep for later use.
Next, download and install the OpenSSL Light version from the link above, and add the folder in which openssl.exe resides to the system PATH so that it is reachable from any directory while using the terminal.
Phase 2: Connecting the server to the main SmallStep CA
To connect to the main SmallStep CA server and install the root CA certificate, open a PowerShell terminal as administrator and run the following commands:
.\step.exe ca bootstrap --ca-url [CA URL] --fingerprint [CA fingerprint] # Fill in the URL and root fingerprint of your CA, obtained as described in the previous post
.\step.exe certificate install $(.\step.exe path)/certs/root_ca.crt # This installs the root certificate on the local server, so that every connection involving this root and the intermediate and leaf certificates issued under it can be properly verified and secured
Now that we have correctly installed the root certificate for using and requesting our new certificates, we will proceed with certificate generation!
Phase 3: Requesting certificates and converting them to proper format
Because LDAPS requires the certificate and private key in a specific file format (PKCS#12) for TLS to work as intended, we will first issue a new certificate with the following command, which in my case is:
.\step.exe ca certificate adds.goldmark.local adds.goldmark.local.crt adds.goldmark.local.key
Note: The certificate duration and expiry will be the defaults of your configuration; if you need to extend the maximum expiration threshold, you can do so by editing the ca.json file on the SmallStep server on which your CA resides, at the key maxTLSCertDuration.
Next, you can request a certificate with the threshold set at the server by appending this to the end of the previous command: --not-after=43800h (e.g. 5 years)
Important: you still need to build an automation for renewing this certificate if its validity period is very short, e.g. 1 month.
After the certificate and private key have been generated, we need to convert them into PKCS#12 format by issuing the following command:
openssl.exe pkcs12 -export -out adds.goldmark.local.pfx -inkey adds.goldmark.local.key -in adds.goldmark.local.crt -name "adds.goldmark.local LDAPS certificate"
This command will generate a single file, adds.goldmark.local.pfx, bundling the certificate and its private key, which is the format required for our use-case!
Phase 4: Importing it to the LDAPS server
Open the Manage Computer Certificates configuration panel on the Windows Server 2025 computer with administrator privileges, and import the previously generated adds.goldmark.local.pfx file into both Personal and Trusted Root Certification Authorities via Right Click -> All Tasks -> Import...
After you have imported the same certificate into both sections, reboot the server and the LDAPS configuration will be ready to serve new connections on port 636!
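Phases 3 and 4 are manual, and the note above about short-lived certificates asks for an automation. The script below is an added example, not code from the original article or from SmallStep: it checks how long the current certificate has left, renews it in place with step ca renew, repackages it with openssl exactly as in Phase 3, imports it into the machine's Personal store and removes the superseded copy. It assumes step.exe and the .crt/.key pair live in C:\SmallStep, openssl.exe is on PATH, the CA allows renewal of the existing certificate, and the script runs elevated (for example as a scheduled task). The host name, friendly name and 30-day window are example values. Instead of the reboot used above it asks AD DS to reload its certificate through the rootDSE renewServerCertificate operation; a reboot works just as well.

```powershell
# Added example (not from the original article): unattended renewal of the
# LDAPS certificate issued in Phase 3, repackaged and imported as in Phase 4.
# Assumptions: step.exe and the .crt/.key pair sit in C:\SmallStep, openssl.exe
# is on PATH, the CA permits renewal, and this runs in an elevated session.

$ErrorActionPreference = 'Stop'
Set-Location 'C:\SmallStep'

$Fqdn         = 'adds.goldmark.local'          # example value
$CertFile     = "$Fqdn.crt"
$KeyFile      = "$Fqdn.key"
$PfxFile      = "$Fqdn.pfx"
$FriendlyName = "$Fqdn LDAPS certificate"      # same -name as in Phase 3
$RenewBefore  = 30                              # renew when this many days or fewer remain

function Get-DaysLeft([string] $Path) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Path).Path)
    return [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# 1. Decide whether a renewal is due yet.
$daysLeft = Get-DaysLeft $CertFile
if ($daysLeft -gt $RenewBefore) {
    Write-Host "Certificate still valid for $daysLeft days, nothing to do."
    return
}

# 2. Renew in place: step reuses the existing key and overwrites the .crt.
#    --force skips the interactive confirmation prompt.
.\step.exe ca renew $CertFile $KeyFile --force
if ($LASTEXITCODE -ne 0) { throw "step ca renew failed (exit code $LASTEXITCODE)" }

# 3. Repackage as PKCS#12 with a throwaway random password; the .pfx only
#    exists long enough to be imported and is deleted afterwards.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)
openssl.exe pkcs12 -export -out $PfxFile -inkey $KeyFile -in $CertFile `
    -name $FriendlyName -passout "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed (exit code $LASTEXITCODE)" }

# 4. Import into the computer's Personal store (Cert:\LocalMachine\My), where the
#    DC looks for its LDAPS certificate. The root CA was already trusted in Phase 2,
#    so the chain validates without importing the leaf anywhere else.
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$new = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $secure
Remove-Item $PfxFile -Force

# 5. Remove superseded copies (same friendly name, different thumbprint) so the
#    DC cannot keep selecting the old certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.Thumbprint -ne $new.Thumbprint } |
    Remove-Item

# 6. Ask AD DS to reload its server certificate (the article reboots instead;
#    both approaches work). This is the documented rootDSE modify operation.
@"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@ | Set-Content -Path renew.ldif -Encoding ASCII
ldifde.exe -i -f renew.ldif | Out-Null
Remove-Item renew.ldif -Force

Write-Host "Installed $($new.Subject) ($($new.Thumbprint)), valid until $($new.NotAfter)"
```

Schedule it daily; with the 30-day window it is a no-op on most runs and only touches the certificate store when a renewal is actually due. Because the private key stays in the .key file that Phase 3 created, keep C:\SmallStep readable only by administrators.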
Optional - Phase 5: Testing
If you can, open a Linux box with the root certificate installed and issue the following command to make sure the certificate is used correctly by LDAPS:
openssl s_client -connect adds.goldmark.local:636 -showcerts
It will show the certificate used for this LDAPS connection, where you can find all sorts of information, including the expiration date of the certificate in use.
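If no Linux box is at hand, the same check can be done from any Windows machine that has the root CA from Phase 2 installed. The script below is an added example, not part of the original article: it opens a TLS session to port 636, lets .NET validate the chain and the host name against the trusted roots, reports the certificate actually presented (subject, SANs, issuer, expiry, protocol), and confirms that plain LDAP on 389 is closed, as the article states for Windows Server 2025. The host name and the 30-day warning threshold are example values.

```powershell
# Added example (not from the original article): a PowerShell counterpart to the
# openssl s_client check. Assumes the root CA from Phase 2 is installed on the
# machine running this and that the DC name below resolves.

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636
    )
    # Record validation errors instead of aborting the handshake, so a bad
    # certificate can still be inspected; the caller decides what to do with it.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $validator = {
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$validator)
        # Passing the FQDN makes .NET check it against the certificate's SAN/CN.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Host            = "$HostName`:$Port"
            Subject         = $cert.Subject
            SubjectAltNames = $san
            Issuer          = $cert.Issuer
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            DaysLeft        = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol        = $ssl.SslProtocol
            ChainValid      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors    = $state.Errors
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-TcpPortOpen {
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 3000)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $done = $tcp.ConnectAsync($HostName, $Port).Wait($TimeoutMs)
        return ($done -and $tcp.Connected)
    } catch {
        return $false   # connection refused or host unreachable
    } finally {
        $tcp.Dispose()
    }
}

$dc = 'adds.goldmark.local'   # example value
$result = Test-LdapsCertificate -HostName $dc
$result | Format-List

if (-not $result.ChainValid) {
    Write-Warning "LDAPS certificate did not validate: $($result.PolicyErrors)"
}
if ($result.DaysLeft -le 30) {
    Write-Warning "LDAPS certificate expires in $($result.DaysLeft) days; renew it."
}
if (Test-TcpPortOpen -HostName $dc -Port 389) {
    Write-Warning 'Plain LDAP on port 389 still accepts connections.'
}
```

ChainValid being false with RemoteCertificateChainErrors usually means the root from Phase 2 is not in the trust store of the machine running the check; RemoteCertificateNameMismatch means the certificate was issued for a name other than the FQDN you connected to, which is the most common reason LDAPS clients refuse to bind even though the port answers.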
Conclusions
Nice, now you have a fully protected LDAPS deployment for your business use!
I hope it helped someone, as it has always helped me in my work and homelab projects!
If you fancy seeing what I'm working on, have a look at my GitHub or write me an email!