The procedures shown should work with Windows 2012 and Windows 2016.
The reason for writing this is that I use a trial-version Windows 2012 server to test Active Directory integration with Ansible Tower, Netbox, and Cumulus Linux authentication. In some cases I need to set up a secure LDAPS connection.
An Active Directory server requires a valid SSL certificate and the root certificate authority certificate placed on the server before Microsoft Windows automatically enables LDAPS (port 636).
If, like me, you have limited compute and time on your Linux servers, it is not possible to set up both a Microsoft CA server and Microsoft Active Directory virtual machines, so an external certificate authority (CA) is used instead. In this example the ancient CA.pl Perl script is used. It still works after all these years! It is lightweight and requires only one Windows Server VM to be configured, i.e. the Active Directory server.
A Microsoft CA cannot coexist with Microsoft AD on the same Windows Server
Create the External Certificate Authority (CA)
Install the openssl package containing the CA.pl script onto the Linux hypervisor.
```
yum install openssl-perl       # CentOS/RHEL
dnf install openssl-perl       # Fedora 25+
apt-get install openssl        # Debian/Ubuntu
```
Create the Certificate Authority. Review CA.pl to see where the certificates are installed. The variable is called
```
% sudo /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
......+++
........+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: [enter password]
Verifying - Enter PEM pass phrase: [enter matching password]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Durham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxSimba
Organizational Unit Name (eg, section) []:Dept of Work
Common Name (e.g. server FQDN or YOUR name) []:Server Admin
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [blank hit return]
An optional company name []: [blank hit return]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            12757355171169984766 (0xb10b3aefd31460fe)
        Validity
            Not Before: May 13 01:03:32 2017 GMT
            Not After : May 12 01:03:32 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = North Carolina
            organizationName          = LinuxSimba
            organizationalUnitName    = Dept of Work
            commonName                = Server Admin
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 12 01:03:32 2020 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
```
Set the Windows Server Name
This step assumes that Active Directory is not configured yet. If it is, delete the server VM and start from scratch. Changing the hostname after installing Active Directory is not easy.
Use PowerShell to set the Windows Server name.
```powershell
$ Rename-Computer -NewName "linuxsimbaAD"
$ Restart-Computer -Force
```
Install Windows Active Directory
Install the Active Directory and DNS Windows Features. PowerShell commands shown below:
```powershell
$ install-windowsfeature -name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"
$ install-windowsfeature -name "dns" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"
```
Then install Active Directory Services. After that the server reboots.
```powershell
$ Import-Module ADDSDeployment
$ Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012R2" `
    -DomainName "linuxsimba.local" `
    -DomainNetbiosName "LINUXSIMBA" `
    -ForestMode "WIN2012R2" `
    -InstallDns:$true `
    -safemodeadministratorpassword (convertto-securestring "1q2w3e4r5t!" -asplaintext -force) `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
```
Create the Windows Server CSR
From the Microsoft TechNet article about using external CAs, create a request.inf file. In this example, the CSR looks like this:
```ini
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=linuxsimbaAD.linuxsimba.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
```
Then create a Certificate Signing Request (CSR) from the
```powershell
$ certreq -new request.inf newreq.pem
```
Copy the newreq.pem file back to the Linux hypervisor where the Certificate Authority resides.
Sign the Windows Server CSR
Use the new CA on the Linux hypervisor to sign the certificate. The name of the CSR should be
```
$ sudo /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            12757355171169984767 (0xb10b3aefd31460ff)
        Validity
            Not Before: May 13 02:54:29 2017 GMT
            Not After : May 13 02:54:29 2018 GMT
        Subject:
            commonName                = linuxsimbaAD.linuxsimba.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0F:6E:E7:20:5A:53:4D:93:82:6A:A8:9F:41:39:1A:92:A5:60:23:9F
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54
Certificate is to be certified until May 13 02:54:29 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
$ cp newcert.pem ldapcert.pem
$ cp demoCA/cacert.pem cacert.pem
```
Copy the Server Certificate and Root Certificate back into the Windows Server
Copy ldapcert.pem (LDAP Server SSL Certificate) and cacert.pem (CA SSL Certificate) to the Windows Server Virtual Machine. Then use the following PowerShell command to install the root certificate:
```powershell
Import-Certificate -FilePath C:\users\vagrant\cacert.pem -CertStoreLocation Cert:\LocalMachine\Root
```
Next, install the server certificate into the server's personal certificate store:
```powershell
Import-Certificate -FilePath C:\users\vagrant\ldapcert.pem -CertStoreLocation Cert:\LocalMachine\My
```
Make sure to check the time on the server. A wrong clock can put the server outside the certificate's validity window, so the certificate is treated as invalid and LDAPS will not work.
Finally, restart the server.
Verify LDAPS connection
After the Windows Server restart, LDAPS should be working. Here are some steps to verify that it is working.
ldp.exe on the Windows server
Output from a working server
View of the valid Server Certificate
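The checks below are an added example, not part of the original post: they run on the Linux hypervisor before the two PEM files are copied to the DC, and cover what the ldp.exe test above would otherwise only reveal after a reboot. make_fixture() is a constructed stand-in for CA.pl -newca/-signreq built with plain openssl so the block runs offline; check_ldaps_cert() and probe_ldaps() are hypothetical helper names, and probe_ldaps needs a DC reachable on port 636.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-install checks for the
# signed LDAP server certificate, run on the Linux hypervisor that holds
# the CA. make_fixture() is a constructed stand-in for CA.pl -newca and
# -signreq, built with plain openssl so the checks can run offline.
set -eu

# check_ldaps_cert CERT CA FQDN -> 0 if CERT is usable for LDAPS on FQDN
check_ldaps_cert() {
  cert=$1; ca=$2; fqdn=$3; rc=0
  txt=$(openssl x509 -in "$cert" -noout -text)
  # 1. chain must verify against the root that goes into Cert:\LocalMachine\Root
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "FAIL: chain"; rc=1; }
  # 2. name must match the DC FQDN (CN, or a DNS SAN when one is present)
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' \
    || { echo "FAIL: name is not $fqdn"; rc=1; }
  # 3. EKU must include Server Authentication (OID 1.3.6.1.5.5.7.3.1)
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: no serverAuth EKU"; rc=1; }
  # 4. KeyUsage = 0xa0 in request.inf means digitalSignature + keyEncipherment
  printf '%s\n' "$txt" | grep -q 'Digital Signature, Key Encipherment' \
    || { echo "FAIL: key usage"; rc=1; }
  # 5. the DC's clock must sit inside the validity window (the post's time warning)
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: expired"; rc=1; }
  return $rc
}

# probe_ldaps FQDN CA -> 0 once the DC answers on 636 with a verified chain
probe_ldaps() {
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Constructed fixture: throwaway CA plus a server cert for FQDN, mirroring
# demoCA/cacert.pem and newcert.pem from the post. Prints the work dir.
make_fixture() {
  fqdn=$1; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/key.pem" -out "$dir/newreq.pem" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
    "$fqdn" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -set_serial 1 -days 1 -extfile "$dir/ext.cnf" -out "$dir/ldapcert.pem" >/dev/null 2>&1
  echo "$dir"
}
```

The -signreq output earlier shows no Extended Key Usage because the default openssl.cnf leaves copy_extensions disabled, so the serverAuth OID requested in request.inf is not carried into newcert.pem and check 3 will flag such a certificate.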
Written with StackEdit.