Step by Step guide to setup LDAPS on Windows Server
Connect with LDAPS using miniOrange guidelines to setup LDAP over SSL and establish a secure connection with LDAP Server.

Secure the LDAP connection between your client application and the LDAP server so that the communication is encrypted. Where a simple bind is used, SSL/TLS is recommended to protect the authentication, because a simple bind sends the user credentials in clear text.

Step 1: Install Certificate Authority, Create and Export the certificate

1.1: Install the "Active Directory Certificate Services" role through Server Manager.

  • On your Windows Server machine, click Start -> Server Manager -> Add Roles and Features.
  • After selecting Add Roles and Features, click Next.
  • Choose the Role-based or feature-based installation option and click Next.
  • Choose the Select a server from the server pool option, select your LDAP server from the pool and click Next.
  • Choose Active Directory Certificate Services from the list of roles and click Next.
  • Select nothing from the list of features and click Next.
  • On the Active Directory Certificate Services (AD CS) page, change nothing and click Next.
  • Mark Certification Authority in the list of role services and click Next.
  • Click Install to confirm the installation.
  • Once installed, click Configure Active Directory Certificate Services on the destination server, then click Close.
  • The currently logged-on user can be used to configure role services since it belongs to the local Administrators group. Click Next.
  • Mark Certification Authority in the list of role services and click Next.
  • Choose the Enterprise CA option and click Next.
  • Choose the Root CA option and click Next.
  • Choose the Create a new private key option and click Next.
  • Choose SHA256 as the hash algorithm and click Next.
    UPDATE: it is recommended to select the most recent hashing algorithm available.
  • On the CA Name page, click Next.
  • Specify the validity period of the certificate (the default is 5 years) and click Next.
  • Keep the default database location and click Next.
  • Click Configure to confirm.
  • Once the configuration has succeeded, click Close.

1.2: Create certificate template

  • Press Windows Key+R, run certtmpl.msc and locate the Kerberos Authentication template.
  • Right-click Kerberos Authentication and select Duplicate Template.
  • The Properties of New Template dialog appears. Configure the settings according to your requirements.
  • On the General tab, enable the Publish certificate in Active Directory option.
  • On the Request Handling tab, enable the 'Allow private key to be exported' option.
  • On the Subject Name tab, set the subject name format to DNS Name, then click Apply and OK.

1.3: Issue certificate template

  • Go to Start -> Certification Authority, right-click "Certificate Templates" and select New -> Certificate Template to Issue.
  • Select the certificate template you just created and click OK.

1.4: Request new certificate for created certificate template

  • Press Windows Key+R, run mmc, then go to File -> Add/Remove Snap-in. Select Certificates, click Add and then click OK.
  • Select the Computer account option and click Next.
  • Select the Local computer option and click Finish.
  • Right-click Certificates, select All Tasks and click Request New Certificate.
  • Click Next.
  • Click Next again on the following page.
  • Select your certificate template and click Enroll.
  • Click Finish.

1.5: Export the created certificate

  • Right-click the newly issued certificate and select All Tasks -> Export.
  • Click Next.
  • Select the Do not export the private key option and click Next.
  • Choose the Base-64 encoded X.509 file format and click Next.
  • Export the .CER file to a path on your local system and click Next.
  • Click Finish to complete the certificate export.

Step 2: Configure LDAPS on the client-side server

2.1: Convert Certificate Format and Install the Certificate using OpenSSL

  • To convert the certificate from .cer to .pem format you can use OpenSSL.
  • For Windows:
    You can obtain OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm if you don't already have it.
    • Copy the certificate file you generated in the previous step to the machine on which PHP is running, then run the following command. For example:

      C:\openssl\openssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem

      This creates the certificate file in a form that the OpenLDAP client library can use.
    • Place the generated .pem file in a directory of your choosing (C:\openldap\sysconf may be a good choice since that directory already exists).
    • Add the following line to your ldap.conf file:

      TLS_CACERT C:\openldap\sysconf\mOrangeLDAPS.pem

    • This directive tells the OpenLDAP client library where to find the CA certificate, so that it can be used to verify the server during the initial connection.
  • For Linux:
    Run the following command to install OpenSSL.
    • For Ubuntu:
      • sudo apt-get install openssl

    • For RHEL/CentOS:
      • yum install openssl

    • Copy the certificate file you generated in the previous step to the machine on which PHP is running, then run the following command. For example:

      openssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem

      This creates the certificate file in a form that the OpenLDAP client library can use.
    • Place the generated .pem file in a directory of your choosing (/etc/openldap/ may be a good choice since that directory already exists).
    • Add the following line to your ldap.conf file:

      TLS_CACERT /etc/openldap/mOrangeLDAPS.pem

    • This directive tells the OpenLDAP client library where to find the CA certificate, so that it can be used to verify the server during the initial connection.
  • Restart your web server.
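The conversion and the TLS_CACERT directive above amount to one rule on the client: trust exactly this CA when talking to port 636, and verify the server's name against the DNS Name the template puts in the certificate. The script below is an added example, not part of the miniOrange guide, that applies the same rule from a plain Python client with only the standard library. It normalises the exported .cer to PEM (a Base-64 export, as in Step 1.5, passes through; a DER export, which the openssl command above would need `-inform DER` for, is re-wrapped), encodes the LDAPv3 simple bind the introduction warns about so you can see the password sitting in the PDU as an OCTET STRING, and sends that bind only over a TLS session verified against the exported CA with hostname checking. Function names, the host `dc01.example.com`, the DNs and the password are constructed placeholders.

```python
"""Client-side LDAPS checks: normalise the exported CA .cer, build an LDAPv3
simple bind, and send it only over a TLS session verified against that CA.
Added example (standard library only); names are assumptions, not part of
the original guide."""
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def normalize_cer_to_pem(cer_bytes: bytes) -> str:
    """Return the exported .cer as PEM text, the equivalent of
    `openssl x509 -in x.cer -out x.pem`. A Base-64 encoded X.509 export
    (Step 1.5) is already PEM; a DER export is binary and is re-wrapped."""
    if cer_bytes.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return cer_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cer_bytes)


# --- minimal BER helpers (LDAP, RFC 4511, uses BER with definite lengths) ---
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest } with simple authentication.
    The password is an OCTET STRING inside the PDU: without TLS it crosses the
    wire exactly as typed, which is why the guide insists on LDAPS."""
    bind = (_ber_int(3)                                   # version 3
            + _tlv(0x04, bind_dn.encode("utf-8"))         # name LDAPDN
            + _tlv(0x80, password.encode("utf-8")))       # simple [0]
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))  # [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:                                       # [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)                     # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)            # matchedDN
    _, diag, _ = _read_tlv(resp, pos)                     # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big"), diag.decode("utf-8"))


def ldaps_bind(host: str, ca_pem: str, bind_dn: str, password: str, port: int = 636):
    """Bind over LDAPS trusting only the exported CA (the TLS_CACERT equivalent).
    `host` must be the DC's DNS name so it matches the certificate's Subject Name (Step 1.2)."""
    ctx = ssl.create_default_context(cadata=ca_pem)       # only this CA; hostname is checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_dn, password))
            return parse_bind_response(tls.recv(4096))


if __name__ == "__main__":
    # Constructed, offline demonstration: the simple-bind PDU carries the password in clear.
    pdu = build_bind_request(1, "cn=svc-ldap,dc=example,dc=com", "s3cret")
    print(pdu.hex(), b"s3cret" in pdu)
    # Live use against a hypothetical DC (placeholder host and file name):
    # ca_pem = normalize_cer_to_pem(open("mOrangeLDAPS.cer", "rb").read())
    # print(ldaps_bind("dc01.example.com", ca_pem, "cn=svc-ldap,dc=example,dc=com", "s3cret"))
```

If the handshake fails with a certificate verification error, the usual causes are the same ones the guide's steps address: the CA .cer you exported is not the one that issued the DC's certificate, or the host name you connect with is not the DNS Name in the certificate's subject.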

2.2: Install the certificate in the Java keystore.

  • Run the following command to install the certificate in cacerts.
  • For Windows:
    • keytool -importcert -alias "mOrangeLDAPS"
      -keystore "C:\Program Files\Java\jre1.8.0_231\lib\security\cacerts"
      -file "C:\Users\Administrator\Documents\mOrangeLDAPS.cer"

  • For Linux:
    • keytool -importcert -alias "mOrangeLDAPS"
      -keystore "/usr/java/jdk1.8.0_144/jre/lib/security/cacerts"
      -file "/home/mOrangeLDAPS.cer"

  • Restart your web server.
