Create a self signed certificate on Windows Domain Controllers – Automated

Windows Certificate Services can create certificates for all devices in your organization. However, at times you may need just one certificate to install on a Domain Controller. In this blog, I am going to explain the process to install a self signed certificate on a domain controller using an automated way. See the previous blog for the manual way: https://www.signifium.com/2020/08/18/create-a-self-signed-certificate-on-windows-domain-controllers-manual

Automated process

Microsoft used to provide a tool to create self signed certificates; today you can use PowerShell commands to do the same. In this process, I will explain how to create the certificate using a PowerShell script to prepare your Active Directory for LDAPS (LDAP over SSL).


  1. Launch PowerShell on the domain controller as an administrator.
  2. Before you run the script below you need to know the following information:
    1. certname – This will be the name of the certificate. Use the same name as your domain controller name. In my example I have used "dc1.signifium.com".
    2. cert_years_toexpire – Use an integer like 1, 2 or 3 to set the life of your certificate.
  3. Copy the following script to your domain controller as Install-DC-Cert.ps1:

```powershell
Param (
    # DNS name placed in the certificate; use the domain controller's FQDN
    [parameter(Mandatory=$true)]
    [string]$certname,
    # Certificate lifetime in years (1 to 3); must be an integer for AddYears
    [parameter(Mandatory=$true)]
    [ValidateRange(1,3)]
    [int]$cert_years_toexpire
)

Write-Host "Starting Script ... "
$date_now = Get-Date
$cert_expirydate = $date_now.AddYears($cert_years_toexpire)

# Registry-backed certificate store of the NTDS service; LDAPS uses a certificate from here
$certStoreLoc = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

# Create the self signed certificate in the local computer's personal store
$servercert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $certname -NotAfter $cert_expirydate
$thumbprint = $servercert.Thumbprint
Write-Host "Certificate generated with thumbprint : $thumbprint"

# Create the NTDS store key if it does not exist yet
if (!(Test-Path $certStoreLoc)) {
    New-Item $certStoreLoc -Force | Out-Null
}

# Copy the certificate (and its private key reference) from the computer's personal store into the NTDS store
Copy-Item -Path "HKLM:\Software\Microsoft\SystemCertificates\My\Certificates\$thumbprint" -Destination $certStoreLoc
Write-Host "Certificate added to the personal store in local computer"

# Also place the certificate in the local computer's Trusted Root store so the DC trusts its own certificate
Write-Host "Copying certificate to Trusted Root Certificate Authorities"
$newcert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
$DestStoreScope = 'LocalMachine'
$DestStoreName = 'Root'

$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($newcert)
$DestStore.Close()
Write-Host "Certificate added to Trusted Root Certificate Authorities"
Write-Host "Script completed."
```

  4. Run the script (replace my names with your names):

```powershell
.\Install-DC-Cert.ps1 -certname signi-dc1.signifium.com -cert_years_toexpire 3
```

It is time to connect using the ADSignify App to verify if SSL is working. Enjoy the freedom to manage AD from anywhere.
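If you want to check LDAPS from the domain controller itself, the following script is an added example (it is not part of the original post and not a Signifium tool). It reads the NTDS certificate store the installer script populated and then opens a TLS session to port 636 to confirm the DC presents the certificate with the expected thumbprint. The parameter names `DcName` and `ExpectedThumbprint` are my own; pass the domain controller's FQDN and the thumbprint printed by Install-DC-Cert.ps1.

```powershell
# Added verification example: confirm the self signed certificate is in the
# NTDS store and is the one served on LDAPS (TCP 636). Not from the original post.
Param (
    [parameter(Mandatory=$true)]
    [string]$DcName,              # FQDN of the domain controller, e.g. dc1.signifium.com
    [parameter(Mandatory=$true)]
    [string]$ExpectedThumbprint   # thumbprint printed by Install-DC-Cert.ps1
)

$ntdsStore = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

# 1. The NTDS service store must contain the certificate, or LDAPS will not pick it up
if (Test-Path (Join-Path $ntdsStore $ExpectedThumbprint)) {
    Write-Host "OK      NTDS store contains $ExpectedThumbprint"
} else {
    Write-Warning "NTDS store does not contain $ExpectedThumbprint; LDAPS will not use this certificate"
}

# 2. Open a TLS session to 636 and inspect the certificate the DC actually presents.
#    The callback accepts any certificate because we only want to read it back here;
#    real LDAP clients must keep normal validation enabled.
$client = New-Object System.Net.Sockets.TcpClient($DcName, 636)
try {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($DcName)

    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $dnsName = $presented.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    Write-Host "Protocol  : $($ssl.SslProtocol)"
    Write-Host "Subject   : $($presented.Subject)"
    Write-Host "DNS name  : $dnsName"
    Write-Host "Expires   : $($presented.NotAfter)"
    Write-Host "Thumbprint: $($presented.Thumbprint)"

    if ($presented.Thumbprint -eq $ExpectedThumbprint) {
        Write-Host "OK      DC serves the expected certificate on 636"
    } else {
        Write-Warning "DC serves a different certificate ($($presented.Thumbprint)); check the NTDS store and reboot or restart the service"
    }
    if ($dnsName -ne $DcName) {
        Write-Warning "Certificate DNS name '$dnsName' does not match '$DcName'; clients will fail hostname validation"
    }
    if ($presented.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires within 30 days"
    }
    $ssl.Close()
}
finally {
    $client.Close()
}
```

Because the certificate is self signed, each client that talks LDAPS to this DC must trust it explicitly (for example by importing the public certificate into that client's trusted root store); the warnings above tell you whether the name and validity are what those clients will expect.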
