The procedures shown should work with Windows 2012 and Windows 2016.

The reason for writing this is because I use a trial version Windows 2012 server to test Active Directory integration with Ansible Tower , Netbox, and Cumulus Linux Authentication. In some cases I need to setup a secure LDAPS connection.

An Active Directory server requires a valid SSL certificate and the root certificate authority certificate placed on the server before Microsoft Windows automatically enables LDAPS (port 636).

If you have limited compute and time resources on your Linux servers, like me, it is not possible to setup a Microsoft CA server and Microsoft Active directory Virtual Machines. So instead an external certificate authority (CA) is used. In this example the ancient CA.pl perl script is used. Still works after all these years! It is lightweight and requires only 1 Windows Server VM to be configured, i.e the Active Directory server.

A Microsoft CA cannot coexist with Microsoft AD on the same Windows Server

Workflow

Created with Raphaƫl 2.1.2StartCreate the External CA Set the Windows Server HostnameSetup Active Directory on the Windows ServerCreate the Certificate Signing Request(CSR)Sign the CSR on the External CA creating a certificateInstall the server certificate into the Windows ServerReboot the Windows Server

Create the External Certificate Authority (CA)

Install the openssl package containing the CA.pl script onto the Linux hypervisor.

yum install openssl-perl (Centos/RHEL)

dnf install openssl-perl (Fedora 25+)

apt-get install openssl (Debian/Ubuntu)

Create the Certificate Authority. Review the CA.pl to see where the certificates are installed. The variable is called $CATOP.

% sudo /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
......+++
........+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: [enter password]
Verifying - Enter PEM pass phrase: [enter matching password]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Durham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxSimba
Organizational Unit Name (eg, section) []:Dept of Work
Common Name (e.g. server FQDN or YOUR name) []:Server Admin
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [blank hit return]
An optional company name []: [blank hit return]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12757355171169984766 (0xb10b3aefd31460fe)
        Validity
            Not Before: May 13 01:03:32 2017 GMT
            Not After : May 12 01:03:32 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = North Carolina
            organizationName          = LinuxSimba
            organizationalUnitName    = Dept of Work
            commonName                = Server Admin
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 12 01:03:32 2020 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Set the Windows Server Name

This step assumes that Active directory is not configured yet. If it is, delete the server VM and start from scratch. Changing the hostname after installing Active Directory is not an easy thing.

Use Powershell to set the Windows Server name.

$ Rename-Computer -NewName linuxsimbaAD"
$ Restart-Computer -Force

Install Windows Active Directory

Install the Active Directory and DNS Windows Features. PowerShell commands shown below:

$ install-windowsfeature -name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"

$ install-windowsfeature -name "dns" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"

Then install Active Directory Services. After that the server reboots.

$  Import-Module ADDSDeployment
$  Install-ADDSForest `
        -CreateDnsDelegation:$false `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainMode "Win2012R2" `
        -DomainName "linuxsimba.local" `
        -DomainNetbiosName "LINUXSIMBA" `
        -ForestMode "WIN2012R2" `
        -InstallDns:$true `
        -safemodeadministratorpassword (convertto-securestring 1q2w3e4r5t! -asplaintext -force) `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$false `
        -SysvolPath "C:\Windows\SYSVOL" `
        -Force:$true

Create the Windows Server CSR

From the Microsoft Technet article about using external CAs, create a request.inf file. In this example, the CSR looks like this:

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=linuxsimbaAD.linuxsimba.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

Then create a Certificate Signing Request(CSR) from the request.inf file.

$ certreq -new request.inf newreq.pem

Copy the newreq.pem file back to the Linux hypervisor where the Certificate authority resides.

Sign the Windows Server CSR

Use the new CA on the Linux hypervisor to sign the certificate. The name of the CSR should be newreq.pem.

$ sudo /usr/lib/ssl/misc/CA.pl -signreq

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12757355171169984767 (0xb10b3aefd31460ff)
        Validity
            Not Before: May 13 02:54:29 2017 GMT
            Not After : May 13 02:54:29 2018 GMT
        Subject:
            commonName                = linuxsimbaAD.linuxsimba.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0F:6E:E7:20:5A:53:4D:93:82:6A:A8:9F:41:39:1A:92:A5:60:23:9F
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54

Certificate is to be certified until May 13 02:54:29 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

$ cp newcert.pem ldapcert.pem
$ cp demoCA/cacert.pem cacert.pem

Copy the Server Certificate and Root Certificate back into the Windows Servers

Copy ldapcert.pem (LDAP Server SSL Certificate) and cacert.pem (CA SSL Certificate) to the Windows Server Virtual Machine. Then use the following Powershell command to install the Root certificate


Import-Certificate -FilePath C:\users\vagrant\cacert.pem -CertStoreLocation Cert:\LocalMachine\Root

Next install the server certificate into the servers personal SSL store

Import-Certificate -FilePath C:\users\vagrant\ldapcert.pem -CertStoreLocation Cert:\LocalMachine\My

Make sure to check the time on the server. Wrong time could result in the certificate becoming invalid and LDAPS will not work.

Finally Restart the Server

Verify LDAPS connection

After the Windows Server restart LDAPs should be working. Here are some steps to verify if its working.

  • Start ldp.exe on the Windows server

enter image description here

  • Output from a working server enter image description here

  • View of the valid Server Certificate enter image description here

Reference

Written with StackEdit.