How To Install SSL Certificates In Active Directory - ManageEngine
How to install SSL certificates in Active Directory?
Active Directory read and write requests made across the network can be secured using SSL. This requires a CA (Certificate Authority) certificate. This article explains the steps to follow when configuring an SSL certificate in Active Directory.
Prerequisites to install SSL certificates:
- Internet Information Services (IIS), which is required before you install Windows Certificate services.
- Windows Certificate services.
Steps to install SSL certificate:
Step 1: Install Active Directory Certificate Services
- Log into your Active Directory Server as an administrator.
- Open Server Manager → Roles Summary → Add roles.

- In the Add Roles Wizard, select Server Roles. From the options listed, select Active Directory Certificate Services, and click Next. In the next screen, click Next again to proceed.

- On the next page, select Certification Authority role service to issue and manage certificates.

- In the Specify Setup Type page, select Enterprise as your server is a part of the AD environment. Click Next.

- Next is the "Specify CA Type" page. If this is your first CA, select Root CA. Else, select Subordinate CA.

- Set the private key to be used for this CA. Since this is a new CA, select "Create a new private key" and click Next. In the next screen, click Next again to proceed.

- On the next page, choose a common name and a distinguished name suffix for your CA. Check the preview of your CA's complete distinguished name, then click Next if you are satisfied with your selections.

- On the "Set validity" page, accept the default value or set a validity period of your own. The CA will issue certificates that are valid only up to the end of this period.

- Select a location for storing the Certificate database and the Certificate database logs.

- Confirm your installation configurations and click Install. Once the installation is completed successfully, close the wizard.

Step 2: Obtain the server certificate
After installing the Certification Authority, you now need to add the SSL certificates that are used by your application servers to the list of accepted certificates.
The Active Directory certificate is automatically generated and stored in the root of the C drive. To export the certificate, execute this command on the server:
    certutil -ca.cert client.crt
Step 3: Import the server certificate
The certificate has to be imported into your Java Runtime Environment for an application server to trust your AD certificate. The JDK stores trusted certificates in a file called a keystore. The default keystore file is called cacerts and it is stored in the jre\lib\security sub-directory of your Java installation. Run the following commands on your server to import the certificates.
- Navigate to the directory in which Java is installed:
    cd /d C:\Program Files\Java\jdk1.5.0_12
- Run the command below, where server-certificate.crt is the name of the file from your directory server:
    keytool -importcert -keystore .\jre\lib\security\cacerts -file server-certificate.crt
- Enter the default keystore password changeit when prompted.
- When prompted with Trust this certificate? [no]:, enter yes to confirm the key import:
    Enter keystore password: changeit
    Owner: CN=ad01, C=US
    Issuer: CN=ad01, C=US
    Serial number: 15563d6677a4e9e4582d8a84be683f9
    Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
    Certificate fingerprints:
        MD5:D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
        SHA1:73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
    Trust this certificate? [no]: yes
    Certificate was added to keystore
- Change 'URL' to use LDAP over SSL and use the 'Secure SSL' option when connecting your application to your directory server.
Once the certificate has been imported as per the above instructions, you will need to restart the application to apply the changes made.
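The trust prompt in Step 3 is the only point at which the certificate's identity is checked, so the fingerprint should be compared with a value obtained from the CA administrator through a separate channel before it is accepted. The PowerShell script below is an added example (not part of the original article or of any ManageEngine tooling) that performs that comparison and only then runs the same keytool import; the parameter names and the alias ad-root-ca are assumptions made for illustration.

```powershell
# Added example: verify the exported CA certificate before the Step 3 import.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # file exported in Step 2
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint obtained out-of-band
    [Parameter(Mandatory)] [string] $JavaHome,        # JDK directory used in Step 3
    [string] $Alias = 'ad-root-ca'                    # hypothetical keystore alias
)
$ErrorActionPreference = 'Stop'

# Load the certificate; X509Certificate2 reads DER and Base64 encoded files.
$file = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# SHA-256 over the DER bytes, normalised to upper-case hex without separators.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
Write-Host "SHA-256 : $actual"

# Refuse to import anything whose fingerprint differs from the trusted value.
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: expected $expected. Certificate NOT imported."
}

# Refuse certificates that are expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period. Certificate NOT imported."
}

# Same import as Step 3. -noprompt skips the trust question because the
# fingerprint was already checked above; keytool still asks for the password.
$keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$keystore = Join-Path $JavaHome 'jre\lib\security\cacerts'
& $keytool -importcert -noprompt -alias $Alias -keystore $keystore -file $file
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# List the new entry so the stored fingerprint can be compared once more.
& $keytool -list -v -alias $Alias -keystore $keystore
```

Run it from an elevated prompt, since the cacerts file sits under the Java installation directory.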