Tags: certificate, create, ldaps, makecert
#1
Create certificate with makecert for LDAPS on a DC ?

Hi,

I would like to use LDAPS on my DC.
I have already read this article :
http://support.microsoft.com/default.aspx/kb/321051 ...

but I am not able to create my self-signed certificate with certreq as I don't have any CA in my domain to submit the "request.req" file.

So I tried to create my own certificate with makecert by using this command :

"makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"

The certificate is created in Personal\Certificates (under Computer) but when I watch the certificate status, I have a warning saying : "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.".

When I try to connect (locally) to my LDAPS using ldp.exe, I have an error "Error <0x51>: Fail to connect to FQDN_OF_DC.domain.local."

Do you think I have this problem because of the fact the certificate that I have created has not been delivered by a Trusted root CA store ?

Is there a way to bypass this limitation by creating a self signed certificate for my DC that will let me try to use LDAPS ?

Thank you :)

P.S: Sorry for my English ;-)

--
bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
|
#2
Re: Create certificate with makecert for LDAPS on a DC ?

Finally it works !

I have deleted all the certs, then I have created them by using the command quoted below. After a reboot of the DC, the LDAP over 636 is working fine !

Thank you

> Hi,
>
> I would like to use LDAPS on my DC.
> I have already read this article :
> http://support.microsoft.com/default.aspx/kb/321051 ...
>
> but I am not able to create my self-signed certificate with certreq as I don't
> have any CA in my domain to submit the "request.req" file.
>
> So I tried to create my own certificate with makecert by using this command :
> "makecert -r -pe -n "CN=FQDN_OF_DC.domain.local" -b 01/01/2000 -e 01/01/2036
> -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft
> RSA SChannel Cryptographic Provider" -sy 12"
>
> The certificate is created in Personal\Certificates (under Computer) but when
> I watch the certificate status, I have a warning saying : "This CA Root
> certificate is not trusted because it is not in the Trusted Root
> Certification Authorities store.".
>
> When I try to connect (locally) to my LDAPS using ldp.exe, I have an error
> "Error <0x51>: Fail to connect to FQDN_OF_DC.domain.local."
>
> Do you think I have this problem because of the fact the certificate that I
> have created has not been delivered by a Trusted root CA store ?
>
> Is there a way to bypass this limitation by creating a self signed
> certificate for my DC that will let me try to use LDAPS ?
>
> Thank you :)
>
> P.S: Sorry for my English ;-)

--
bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
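
An added example, not part of the original thread: a PowerShell check of each certificate in the DC's Local Computer Personal store against the LDAPS certificate requirements from the KB article linked in the question (private key present, Server Authentication EKU, name matching the DC's FQDN, chain ending in a trusted root). The function name `Test-LdapsCertificate` is hypothetical, `$DcFqdn` reuses the thread's placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Run on the DC.
# $DcFqdn is the thread's placeholder; replace it with the DC's real FQDN.
$DcFqdn = 'FQDN_OF_DC.domain.local'

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # same OID as the -eku value in the question

    # Enhanced Key Usage must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasServerAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $serverAuthOid })

    # The DC's FQDN must be the subject CN or a DNS name in the SAN.
    # GetNameInfo('DnsName') returns only the first DNS SAN entry (or the CN if none).
    $names = @(
        $Cert.GetNameInfo('SimpleName', $false)
        $Cert.GetNameInfo('DnsName', $false)
    )
    $nameMatches = $names -contains $Fqdn   # -contains is case-insensitive

    # Build the chain against the machine stores, without revocation checks.
    # A self-signed certificate that is not in Trusted Root Certification
    # Authorities makes Build() return $false with status UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameMatches   = $nameMatches
        InValidity    = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
        ChainTrusted  = $chainOk
        ChainStatus   = $chainStatus
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -Fqdn $DcFqdn } |
    Format-List
```

Any row with a `False` column points at the requirement that certificate fails. LDAPS clients on other machines build their own chain, so they also need to trust the issuing root.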