
How to Install a Self-Signed Certificate on a Domain Controller Using PowerShell

4 min read By Signifium

Guides

Tags: Active Directory, LDAPS, PowerShell, self-signed certificate, domain controller, Windows Server

For LDAPS (LDAP over TLS, typically port 636), Active Directory needs a certificate with the Server Authentication extended key usage. In a lab or short-term test, you can create a self-signed certificate on the domain controller, copy it into the NTDS service certificate store (so directory services use it for LDAPS), and add it to the Trusted Root store on the same machine so local validation succeeds.

This article provides a single PowerShell script you run as Administrator on the DC. For production or enterprise PKI (AD CS, public CA, certreq), see our broader guide: How to Install an SSL Certificate on an Active Directory Server.

Prerequisites

  • Run the script on the domain controller where you want LDAPS.
  • Windows PowerShell or PowerShell 7, elevated (Administrator).
  • Use a DNS name clients will use to connect (for example the DC’s FQDN), passed as -certname.

What the script does

  1. Creates a self-signed certificate in Local Machine → Personal (Cert:\LocalMachine\My) with Server Authentication EKU and your chosen lifetime (1–3 years).
  2. Copies the certificate into the NTDS registry-backed store so LDAP/LDAPS can bind the cert for port 636.
  3. Adds the same certificate to Trusted Root Certification Authorities on the local machine (typical for self-signed lab scenarios on the DC itself).
  4. Restarts the NTDS (Active Directory Domain Services) service so the change is picked up.

Client trust: Mobile or other clients must still trust this certificate (install the cert or your CA). Self-signed certs are not suitable for most production deployments without a managed trust story.

Parameters

Parameter              Description
-certname              Required. DNS name for the certificate (e.g. dc01.contoso.com). Should match what clients use for LDAPS.
-cert_years_toexpire   Required. Validity in years, 1–3.

Script: install-ldaps-cert.ps1

Save the following as install-ldaps-cert.ps1 (or paste into an elevated PowerShell ISE / editor), then run from an elevated prompt.

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Creates a self-signed certificate and installs it for LDAPS (port 636) by copying it into the NTDS service store.
    Run on the domain controller.
.EXAMPLE
    .\install-ldaps-cert.ps1 -certname "lab-dc1.signifium.com" -cert_years_toexpire 2
.EXAMPLE
    .\install-ldaps-cert.ps1 -certname "dc1.signifium.com" -cert_years_toexpire 1
#>

param(
    [Parameter(Mandatory = $true)]
    [string]$certname,
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 3)]
    [int]$cert_years_toexpire
)

# Any failing cmdlet aborts the script instead of continuing with a half-installed certificate
$ErrorActionPreference = 'Stop'

Write-Host "Starting Script ..."

$date_now = Get-Date
$cert_expirydate = $date_now.AddYears($cert_years_toexpire)

# Create cert in LocalMachine\My with Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) for LDAPS.
# -DnsName places the name in the Subject Alternative Name, which is what clients match against.
$servercert = New-SelfSignedCertificate `
    -CertStoreLocation cert:\LocalMachine\My `
    -DnsName $certname `
    -Subject "CN=$certname" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter $cert_expirydate

# The thumbprint is already a plain string; it is also the registry key name of the certificate below
$thumbprint = $servercert.Thumbprint
Write-Host "Certificate generated with thumbprint: $thumbprint"

# Copy the certificate's registry key into the NTDS service store (so LDAP uses it for LDAPS).
# The key holds the certificate blob and a reference to its private-key container, not the key itself.
$certStoreLoc = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
$sourcePath = "HKLM:\Software\Microsoft\SystemCertificates\My\Certificates\$thumbprint"
if (!(Test-Path $sourcePath)) {
    throw "Certificate $thumbprint was not found in the LocalMachine\My registry store: $sourcePath"
}
if (!(Test-Path $certStoreLoc)) {
    New-Item -Path $certStoreLoc -Force | Out-Null
}
Copy-Item -Path $sourcePath -Destination $certStoreLoc -Force
Write-Host "Certificate added to the NTDS service store (LDAPS)."

# Add the same certificate to Trusted Root Certification Authorities on this machine
Write-Host "Copying certificate to Trusted Root Certificate Authorities..."
$DestStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($servercert)
$DestStore.Close()
Write-Host "Certificate added to Trusted Root Certificate Authorities."

# Restart NTDS so LDAPS picks up the new cert. -Force also restarts services that depend on NTDS
# (for example the Kerberos KDC), so expect a brief authentication outage on this DC.
Write-Host "Restarting NTDS (Directory Services)..."
Restart-Service NTDS -Force
Write-Host "Script completed. LDAPS (port 636) should now use this cert. Connect to ldaps://${certname}:636"

Example

.\install-ldaps-cert.ps1 -certname "dc01.contoso.com" -cert_years_toexpire 2

Verify LDAPS

On the DC or a client:

Test-NetConnection -ComputerName dc01.contoso.com -Port 636

Or use ldp.exe: Connection → Connect, enter the FQDN, port 636, with SSL checked. For more checks and common issues, see Test and troubleshoot LDAPS in the main SSL guide.
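Test-NetConnection only proves the port is open; it says nothing about which certificate the DC presents. The following is an added example, not part of the original post: it completes a TLS handshake against port 636, captures the certificate the server actually serves, and reports the properties this guide depends on (Server Authentication EKU, DNS name, expiry, local trust). The hostname dc01.contoso.com and the NTDS registry path come from the article; the parameter and property names are this example's own. Run it from a client for an outside view, or on the DC to also cross-check the NTDS service store.

```powershell
<#
Added example (not from the original post). Connects to the DC's LDAPS port, captures the
presented certificate and reports whether it looks like the one the install script created.
#>
param(
    [string]$DcFqdn = 'dc01.contoso.com',   # assumed: the DC name used in the article
    [int]$Port = 636
)

$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$ntdsStore = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

# Accept whatever the server presents so the handshake completes and the certificate can be inspected.
# Trust is evaluated separately below (Verify()), never by this callback.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $protocol = $ssl.SslProtocol
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Server Authentication EKU must be present (the -TextExtension line in the install script adds it)
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# The DNS name in the certificate should match what clients type, otherwise strict clients reject it
$certDns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

# Verify() builds a chain against this machine's stores: true on the DC after the Root import,
# false on a client that has not yet imported the certificate
$trustedHere = $cert.Verify()

# Only meaningful on the DC itself: is this thumbprint the one sitting in the NTDS service store?
$inNtdsStore = $null
if (Test-Path $ntdsStore) {
    $inNtdsStore = [bool](Get-ChildItem $ntdsStore | Where-Object { $_.PSChildName -eq $cert.Thumbprint })
}

[pscustomobject]@{
    Server            = "${DcFqdn}:${Port}"
    Protocol          = $protocol
    Subject           = $cert.Subject
    Thumbprint        = $cert.Thumbprint
    DnsName           = $certDns
    DnsNameMatches    = ($certDns -eq $DcFqdn)
    HasServerAuthEku  = ($ekuOids -contains $serverAuthEku)
    SelfSigned        = ($cert.Subject -eq $cert.Issuer)
    NotAfter          = $cert.NotAfter
    DaysUntilExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    TrustedOnThisHost = $trustedHere
    InNtdsStore       = $inNtdsStore
}
```

If Thumbprint differs from the value the install script printed, the DC is still serving a different certificate (for example one issued by an enterprise CA, which AD prefers, or the NTDS restart has not completed). A false TrustedOnThisHost on a client is expected until the public certificate has been distributed to it.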

Mobile directory clients

Tools such as ADSignify use LDAP/LDAPS; the device must trust the server certificate. After deploying this self-signed cert, distribute the public certificate (or your PKI root) to clients as your security model requires. The ADSignify configuration section links to these guides.
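Distributing the certificate means exporting only its public half from the DC and importing that file into each client's trust store. The following is an added example, not part of the original post or of ADSignify: it exports the certificate by the thumbprint the install script printed, checks that the file carries no private key, and shows the matching import command for a Windows client. The file path is a placeholder.

```powershell
<#
Added example (not from the original post). Export the public certificate for the LDAPS cert
from the DC so it can be handed to clients; the private key never leaves the DC.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                       # value printed by install-ldaps-cert.ps1
    [string]$CerPath = "$env:TEMP\ldaps-dc.cer" # assumed placeholder path
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# -Type CERT writes a DER file containing the public certificate only
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Re-read the file and confirm it is what we intend to distribute
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($exported.HasPrivateKey) { throw "Exported file unexpectedly carries a private key: $CerPath" }
if ($exported.Thumbprint -ne $Thumbprint) { throw "Thumbprint mismatch in $CerPath" }
if ($exported.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has already expired" }

Write-Host "Exported $($exported.Subject) ($($exported.Thumbprint)) to $CerPath, valid until $($exported.NotAfter)"

# On each Windows client, after copying the .cer file over (run elevated):
#   Import-Certificate -FilePath C:\path\ldaps-dc.cer -CertStoreLocation Cert:\LocalMachine\Root
# Mobile devices take the same .cer file through their own certificate or profile import.
```

Because a self-signed certificate is its own root, importing it into Trusted Root is what makes clients accept it; when it expires or is replaced, every client needs the new file, which is the lifecycle cost the closing note below refers to.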


This script is intended for lab and administrative testing. Evaluate certificate lifecycle, key protection, and client trust before using similar approaches in production.