Ldap – One SSL Certificate for 3 Domain Controllers


How does one generate a self-signed (later a CSR for a real cert) SSL certificate for three domain controllers (dc1.example.com dc2.example.com dc3.example.com) for the Windows domain EXAMPLE.COM for use with LDAP?

The subject, I believe, should be EXAMPLE.COM with three Subject Alternative Names being the dns names for each DC.

How do I generate this certificate preferably with openssl, and definitely without installing certificate services?


An additional requirement is accomplishing this using only existing tools built into RHEL 6, Windows 2008 R2, or software which can be acquired from Microsoft directly.

Best Answer

No need to use any GUI wrappers around OpenSSL really, they never include all the options and add no value to the library. Nothing wrong with firing up the OpenSSL console, hitting ? to list all the commands and finding clarification on-line for those that you might need, IMHO. ;)

First thing to do is to make sure you have a valid openssl.cnf file in your openssl installation folder. If you're missing this file, then you can download it from here. Place this file in your openssl path and set the required environment variable to point to it:

set OPENSSL_CONF=[path & file name of your openssl.cnf file]

You will also need an additional config file with your domain controllers listed. Simplest is to just echo your list in a new file:

echo subjectAltName=DNS:dc1.example.com,DNS:dc2.example.com,DNS:dc3.example.com > example.com.cnf

Or you could create a new config file with Notepad, whatever. It will only require this single line in it:


Then start the openssl console (openssl.exe) and create your self-signed certificate using these two configuration files (the openssl.cnf will load with the req command automatically from the environment variable OPENSSL_CONF we set previously):

genrsa -out example.com.key 1024
req -new -key example.com.key -out example.com.csr

Enter all the required data as it asks you to. You might want to skip entering the password phrase (A challenge password []) if this certificate will be used on a web server, so that it is not required each time you restart it; in which case just leave that field blank.

We're nearly done. Now we only need to generate our certificate and pass it the other configuration file to include our DNS aliases (or in your case all three domain controllers):

x509 -req -days 365 -in example.com.csr -signkey example.com.key -text -extfile example.com.cnf -out example.com.crt

That's it. You should have your new example.com.crt, example.com.key and example.com.csr files ready to go in your openssl folder, and updated with the additional configuration that we set. You can check that your certificate includes our DNS names (notepad will do, these values are in clear text).

Obviously, you could change these values to reflect your needs and this is only an example, using your own example values. If you don't want to fire up the OpenSSL console, then you can run all these commands from the system console just as well, preceding any command with a call to OpenSSL.exe, i.e. with openssl. That's exactly equal to having the OpenSSL console open.

Hope that's what you wanted to do, don't hesitate to ask for clarification in the comments.
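The same three steps as the answer above, written as an added, non-interactive POSIX shell script (not the answerer's code) that also checks the result: it builds the SAN extension file for the three domain controllers from the question, generates the key, CSR and self-signed certificate, and then counts how many DC names actually landed in the certificate's SAN. The serverAuth EKU line, the 2048-bit key size and the output directory are additions of this example, not part of the original answer.

```shell
#!/bin/sh
# Added example: key + CSR + self-signed LDAPS certificate with one SAN per
# domain controller, followed by a check of what ended up in the cert.
# The output directory (OUT) is an assumption; dc1/dc2/dc3.example.com come
# from the question.
set -e

OUT="${OUT:-$(mktemp -d)}"
DCS="dc1.example.com dc2.example.com dc3.example.com"

# Write the extension file the answer describes (a single subjectAltName
# line), plus a Server Authentication EKU, which Windows LDAP clients expect.
write_ext_file() {
    san=$(for d in $DCS; do printf 'DNS:%s,' "$d"; done)
    san="${san%,}"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" \
        > "$OUT/example.com.cnf"
}

# Same sequence as the answer (genrsa, req, x509 -req -extfile), made
# non-interactive with -subj and using a 2048-bit key instead of 1024.
make_cert() {
    write_ext_file
    openssl genrsa -out "$OUT/example.com.key" 2048 2>/dev/null
    openssl req -new -key "$OUT/example.com.key" -subj "/CN=EXAMPLE.COM" \
        -out "$OUT/example.com.csr"
    openssl x509 -req -days 365 -in "$OUT/example.com.csr" \
        -signkey "$OUT/example.com.key" -extfile "$OUT/example.com.cnf" \
        -out "$OUT/example.com.crt" 2>/dev/null
}

# Print how many of the DC names are present in the certificate's SAN.
count_sans() {
    text=$(openssl x509 -in "$OUT/example.com.crt" -noout -text)
    n=0
    for d in $DCS; do
        if printf '%s' "$text" | grep -q "DNS:$d"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeed only if the Server Authentication EKU made it into the cert.
has_server_eku() {
    openssl x509 -in "$OUT/example.com.crt" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

make_cert
echo "certificate written to $OUT/example.com.crt"
echo "SANs found: $(count_sans) of 3"
```

Feed the resulting example.com.csr to a real CA later; the SANs live in the extension file, so the x509 -req -extfile step is what puts them into whichever certificate is issued from it.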
