Yes, it’s possible! Tested on Windows Server 2016.

LDAPS certificates have always been a bit of a mystery to me. When you search Google you always find long guides that talk about installing a CA and deploying certificates.
I have finally understood that this is not necessary: as I suspected, LDAPS works like any other service exposed through an SSL certificate, such as HTTPS.

The first mystery was where the certificate for the LDAPS service is stored. Here it is:

mmc.exe -> File -> Add/Remove Snap-in -> Certificates -> Service account -> Local computer -> Active Directory Domain Services

Active Directory Domain Services is also called NTDS.

You can now load the certificate into NTDS\Personal\Certificates and Active Directory LDAPS will use it automatically after a reboot or after a special command.

That's it. Easy, finally.

And with Let's Encrypt? Here we go:

Since the place where the LDAPS cert is stored is not so "easy" to find, and there is no PowerShell command to import a certificate into the NTDS\Personal store, you need to import it into the Local Computer store and then move it via the registry (yes, absurd, but it works...).

PowerShell ldaps-cert.ps1, which downloads the exported Let's Encrypt certificate and calls import-ntds.ps1 to load it into the Local Computer certificate store and then move it to the NTDS store:

PowerShell import-ntds2.ps1, called by ldaps-cert.ps1:
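The author's ldaps-cert.ps1 and import-ntds.ps1 are not reproduced on this page. What follows is an added example of the procedure just described (download the PFX, import it into the Local Computer store, copy the registry entry into the NTDS store), written for this edit and not the author's code. The download URL, the password file path and the working directory are placeholders; the registry paths are the standard locations of the LocalMachine\My and NTDS\My stores.

```powershell
# Added example, not the author's script. Run as Administrator on the domain controller.
# Placeholders: $PfxUrl (an HTTPS endpoint you control that serves the exported PFX),
# $PfxPassFile (the PFX export password, in a file readable only by Administrators/SYSTEM).
param(
    [string]$PfxUrl      = 'https://renewer.example.internal/ldaps/dc01.pfx',  # placeholder
    [string]$PfxPassFile = 'C:\ProgramData\ldaps\pfx-password.txt',            # placeholder
    [string]$WorkDir     = 'C:\ProgramData\ldaps'                              # placeholder
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }

# 1. Fetch the PFX produced on the Let's Encrypt machine.
$pfxPath = Join-Path $WorkDir 'ldaps.pfx'
Invoke-WebRequest -Uri $PfxUrl -OutFile $pfxPath -UseBasicParsing

# 2. Import into Cert:\LocalMachine\My. The private key lands in the machine key store,
#    which the NTDS service (running as SYSTEM) can read.
$pfxPass  = (Get-Content -Path $PfxPassFile -Raw).Trim() | ConvertTo-SecureString -AsPlainText -Force
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass
$thumb    = $imported.Thumbprint

# 3. Sanity checks before touching the LDAP store: a key must be present and the
#    certificate must name this host, otherwise LDAPS clients will reject it.
if (-not $imported.HasPrivateKey) { throw 'PFX did not contain a private key; LDAPS cannot use it.' }
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names = @($imported.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $fqdn) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include $fqdn; clients will fail hostname validation."
}
if ($imported.NotAfter -lt (Get-Date).AddDays(7)) {
    Write-Warning "Downloaded certificate expires on $($imported.NotAfter); the renewer may not be running."
}

# 4. Move the certificate entry from the LocalMachine\My store to the NTDS service store.
#    There is no cmdlet for the NTDS store, so copy the registry key (the Blob value) as the post describes.
#    Only the certificate entry moves; the private key container is referenced from the blob and stays where it is.
$src       = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$thumb"
$dstParent = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates'
if (-not (Test-Path $dstParent)) { New-Item -Path $dstParent -Force | Out-Null }
Copy-Item -Path $src -Destination $dstParent
if (-not (Test-Path (Join-Path $dstParent $thumb))) { throw 'Copy into the NTDS store failed.' }
Remove-Item -Path $src

# 5. Clean up the PFX on disk: it holds the private key and is no longer needed.
Remove-Item -Path $pfxPath -Force

Write-Output "Installed $thumb into NTDS\My; reload LDAPS (renewServerCertificate) or reboot to activate it."
```

Point a weekly scheduled task at this script, as the post suggests. Keep the HTTPS endpoint that serves the PFX restricted (client authentication or at least an IP allow-list), since anyone who can fetch the file and read the password holds the DC's TLS private key.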

I have tested that the LDAPS service always uses the last added certificate (or the one with the "longest" expiry), so it's not a problem if there are old certificates in the NTDS store.
Add a scheduled task that launches ldaps-cert.ps1 every week and the LDAPS cert will always be up to date.

The last part: generating the PFX on a machine with a working Let's Encrypt configuration (maybe a Linux box with Apache and HTTPS correctly configured); ldaps-cert.ps1 will download it from there:

Add a cron job that regenerates the PFX with the updated certificate every week.

Test the SSL connection with openssl commands:

Reload the LDAPS cert without a reboot: ldaps-reload.txt, called from ldaps-cert.ps1 with: "ldifde -i -f ldaps-reload.txt"
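The author's ldaps-reload.txt and openssl test commands are not reproduced on this page. This added example covers both steps above in PowerShell and is not the author's code: it writes the rootDSE `renewServerCertificate` LDIF that makes the LDAP server re-read its certificate, applies it with ldifde, then opens a TLS session to port 636 and reports which certificate is actually served. `$DomainController` is a placeholder FQDN; `$ExpectedThumbprint` is the thumbprint printed by the import step.

```powershell
# Added example, not the author's files. Run on (or against) the domain controller after the import.
param(
    [string]$DomainController   = 'dc01.corp.example.internal',  # placeholder FQDN
    [string]$ExpectedThumbprint = ''                              # optional: thumbprint you just installed
)

$ErrorActionPreference = 'Stop'

# 1. Ask the LDAP server to reload its certificate without a reboot.
#    This is the documented rootDSE modify operation; the "dn:" line is intentionally empty.
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
$ldifPath = Join-Path $env:TEMP 'ldaps-reload.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
& ldifde.exe -i -f $ldifPath -s $DomainController
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# 2. Connect to 636 and capture the certificate the server presents.
#    The validation callback accepts anything on purpose: we want to *see* the certificate,
#    and the real checks (chain, name, expiry, thumbprint) are done explicitly below.
function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

$served = Get-LdapsServerCertificate -HostName $DomainController
"Subject    : $($served.Subject)"
"Issuer     : $($served.Issuer)"
"Valid until: $($served.NotAfter)"
"Thumbprint : $($served.Thumbprint)"

# 3. The checks an LDAPS client would perform, made explicit so the scheduled task can alert on them.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($served)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain does not validate on this host: $status"
}
$names = @($served.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $DomainController) {
    Write-Warning "Served certificate names ($($names -join ', ')) do not include $DomainController."
}
if ($served.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning 'Served certificate expires within 14 days.'
}
if ($ExpectedThumbprint -and $served.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning 'LDAPS is not yet serving the newly installed certificate; check the NTDS store or reboot.'
}
```

The second half does from PowerShell what the post's openssl test does; `openssl s_client -connect dc01.corp.example.internal:636 -showcerts` from any client shows the same served chain and is a useful cross-check from a non-Windows host. Recording the served thumbprint each week also gives you a simple log of when the LDAPS certificate actually rotated.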

Active Directory LDAPS and Let's Encrypt: it's possible!
