The procedures shown should work with Windows 2012 and Windows 2016.

I wrote this because I use a trial version of Windows 2012 Server to test Active Directory integration with Ansible Tower, Netbox, and Cumulus Linux authentication. In some cases I need to set up a secure LDAPS connection.

An Active Directory server requires a valid SSL certificate and the root certificate authority certificate placed on the server before Microsoft Windows automatically enables LDAPS (port 636).

If you have limited compute and time resources on your Linux servers, like me, it is not possible to set up both a Microsoft CA server and a Microsoft Active Directory virtual machine. So an external certificate authority (CA) is used instead. In this example the ancient CA.pl Perl script is used. It still works after all these years! It is lightweight and requires only one Windows Server VM to be configured, i.e. the Active Directory server.

A Microsoft CA cannot coexist with Microsoft AD on the same Windows Server

Workflow

  1. Create the external CA
  2. Set the Windows Server hostname
  3. Set up Active Directory on the Windows Server
  4. Create the Certificate Signing Request (CSR)
  5. Sign the CSR on the external CA, creating a certificate
  6. Install the server certificate into the Windows Server
  7. Reboot the Windows Server

Create the External Certificate Authority (CA)

Install the openssl package containing the CA.pl script onto the Linux hypervisor.

yum install openssl-perl (Centos/RHEL)

dnf install openssl-perl (Fedora 25+)

apt-get install openssl (Debian/Ubuntu)

Create the Certificate Authority. Review the CA.pl script to see where the certificates are installed; the variable is called $CATOP.

% sudo /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
......+++
........+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: [enter password]
Verifying - Enter PEM pass phrase: [enter matching password]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Durham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxSimba
Organizational Unit Name (eg, section) []:Dept of Work
Common Name (e.g. server FQDN or YOUR name) []:Server Admin
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [blank hit return]
An optional company name []: [blank hit return]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12757355171169984766 (0xb10b3aefd31460fe)
        Validity
            Not Before: May 13 01:03:32 2017 GMT
            Not After : May 12 01:03:32 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = North Carolina
            organizationName          = LinuxSimba
            organizationalUnitName    = Dept of Work
            commonName                = Server Admin
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 12 01:03:32 2020 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Set the Windows Server Name

This step assumes that Active Directory is not configured yet. If it is, delete the server VM and start from scratch. Changing the hostname after installing Active Directory is not an easy thing.

Use PowerShell to set the Windows Server name.

$ Rename-Computer -NewName "linuxsimbaAD"
$ Restart-Computer -Force

Install Windows Active Directory

Install the Active Directory and DNS Windows Features. PowerShell commands shown below:

$ install-windowsfeature -name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"

$ install-windowsfeature -name "dns" -IncludeAllSubFeature -IncludeManagementTools -ComputerName "linuxsimbaAD"

Then install Active Directory Services. After that the server reboots.

$  Import-Module ADDSDeployment
$  Install-ADDSForest `
        -CreateDnsDelegation:$false `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainMode "Win2012R2" `
        -DomainName "linuxsimba.local" `
        -DomainNetbiosName "LINUXSIMBA" `
        -ForestMode "WIN2012R2" `
        -InstallDns:$true `
        -safemodeadministratorpassword (convertto-securestring 1q2w3e4r5t! -asplaintext -force) `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$false `
        -SysvolPath "C:\Windows\SYSVOL" `
        -Force:$true

Create the Windows Server CSR

Following the Microsoft TechNet article about using external CAs, create a request.inf file. In this example, the file looks like this:

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=linuxsimbaAD.linuxsimba.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

Then create a Certificate Signing Request (CSR) from the request.inf file.

$ certreq -new request.inf newreq.pem

Copy the newreq.pem file back to the Linux hypervisor where the Certificate authority resides.

Sign the Windows Server CSR

Use the new CA on the Linux hypervisor to sign the certificate. The name of the CSR should be newreq.pem.

$ sudo /usr/lib/ssl/misc/CA.pl -signreq

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12757355171169984767 (0xb10b3aefd31460ff)
        Validity
            Not Before: May 13 02:54:29 2017 GMT
            Not After : May 13 02:54:29 2018 GMT
        Subject:
            commonName                = linuxsimbaAD.linuxsimba.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0F:6E:E7:20:5A:53:4D:93:82:6A:A8:9F:41:39:1A:92:A5:60:23:9F
            X509v3 Authority Key Identifier:
                keyid:E9:97:DD:5D:EE:92:94:31:6F:A1:72:03:9B:CB:9B:94:85:72:74:54

Certificate is to be certified until May 13 02:54:29 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

$ cp newcert.pem ldapcert.pem
$ cp demoCA/cacert.pem cacert.pem
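
Before copying the two files to Windows, the signed certificate can be checked on the CA host. This is an added example, not part of the original post: the function names and the 30-day expiry margin are assumptions, and make_sample_pki only builds a constructed throwaway CA and certificate so the check can be tried without touching demoCA.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# signed domain-controller certificate before it is copied to Windows.

# check_ldaps_cert CA_PEM CERT_PEM FQDN
# Prints "ok" or the name of the first failed check; returns 0 or 1.
check_ldaps_cert() {
    chk_ca=$1; chk_cert=$2; chk_fqdn=$3

    # 1. The certificate must chain to the CA file that will be imported
    #    into the LocalMachine Root store (this also checks validity dates).
    openssl verify -CAfile "$chk_ca" "$chk_cert" >/dev/null 2>&1 ||
        { echo "chain"; return 1; }

    # 2. The subject CN must be the DC's FQDN, as set in request.inf.
    chk_cn=$(openssl x509 -in "$chk_cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$(printf %s "$chk_cn" | tr 'A-Z' 'a-z')" = \
      "$(printf %s "$chk_fqdn" | tr 'A-Z' 'a-z')" ] ||
        { echo "name"; return 1; }

    # 3. Assumed policy: fail if the certificate expires within 30 days.
    openssl x509 -in "$chk_cert" -noout -checkend $((30 * 86400)) \
        >/dev/null 2>&1 || { echo "expiry"; return 1; }

    echo "ok"
}

# make_sample_pki DIR
# Constructed sample data: a throwaway CA and DC certificate written to DIR,
# using the same file names as the procedure above.
make_sample_pki() {
    pki=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Sample CA" \
        -keyout "$pki/cakey.pem" -out "$pki/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=linuxsimbaAD.linuxsimba.local" \
        -keyout "$pki/dckey.pem" -out "$pki/newreq.pem" 2>/dev/null &&
    openssl x509 -req -in "$pki/newreq.pem" -days 365 \
        -CA "$pki/cacert.pem" -CAkey "$pki/cakey.pem" -CAcreateserial \
        -out "$pki/ldapcert.pem" 2>/dev/null
}

# Usage on the CA host, with the files produced above:
#   check_ldaps_cert cacert.pem ldapcert.pem linuxsimbaAD.linuxsimba.local
```

A result of "chain" means the certificate was not signed by the CA file being shipped with it, and "name" means the CSR subject does not match the hostname that LDAPS clients will connect to.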

Copy the Server Certificate and Root Certificate back into the Windows Server

Copy ldapcert.pem (LDAP server SSL certificate) and cacert.pem (CA SSL certificate) to the Windows Server virtual machine. Then use the following PowerShell command to install the root certificate:


Import-Certificate -FilePath C:\users\vagrant\cacert.pem -CertStoreLocation Cert:\LocalMachine\Root

Next, install the server certificate into the server's personal SSL store:


Import-Certificate -FilePath C:\users\vagrant\ldapcert.pem -CertStoreLocation Cert:\LocalMachine\My

Make sure to check the time on the server. A wrong time could result in the certificate being treated as invalid, and LDAPS will not work.

Finally, restart the server.

Verify LDAPS connection

After the Windows Server restarts, LDAPS should be working. Here are some steps to verify that it is working.

  • Start ldp.exe on the Windows server [screenshot]

  • Output from a working server [screenshot]

  • View of the valid server certificate [screenshot]
