Hi

Thanks to those who responded to our requests for help on this with several helpful options. I just thought I'd summarise our findings in case anyone else is in our shoes:

One site uses a "real" certificate in their LDAP servers, which we looked into but hit issues with our AD domain not being named the same as our "proper" domain name. We could have obtained a certificate, but it would have been less easy and would then be short-lived (2 years).

What we did find was that the Microsoft instructions for this are way OTT, and you can very simply install the AD Certificate Services role onto the appropriate DC and just issue a long-life self-signed certificate for the LDAP server. We've since used that to issue FIM certificates and this is quite adequate. The huge infrastructure that the documentation was leading us to seems to be totally unnecessary for what we want to do.

Cheers
Andy

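The single-server setup Andy describes, written out as an added example (not code from the original posts): install the AD CS role on a DC as an Enterprise root CA, enrol the DC for a certificate from the built-in Kerberos Authentication template, and then check from a client that port 636 now answers with that certificate. Strictly, only the root CA certificate is self-signed; the certificate the LDAP service presents is issued by that root, and domain-joined Windows clients trust it because an Enterprise CA publishes its root into AD. The CA name and DC hostname below are hypothetical placeholders; the cmdlets are the ADCSDeployment and PKI modules shipped with Windows Server 2012 and later, run from an elevated PowerShell on the DC.

```powershell
# Added example, not from the original thread. Hostnames and CA name are hypothetical.
$CaName = 'Example-AD-Root-CA'          # hypothetical CA common name
$DcFqdn = 'dc01.ad.example.ac.uk'       # hypothetical DC FQDN in the AD domain (not the "proper" public name)

# 1. Install the AD CS role and its management tools on the DC.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an Enterprise root CA with a long-lived (10 year) self-signed CA certificate.
#    No offline root, subordinate issuing CAs or Online Responders are involved: this one
#    server is the whole PKI. The Enterprise CA registers its root in AD, so domain members trust it.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. Enrol the DC itself for a certificate from the 'Kerberos Authentication' template. It carries
#    the Server Authentication EKU and the DC's AD FQDN in the SAN, and lands in the machine 'My'
#    store, which is where the LDAP service (via Schannel) looks for a certificate to use on 636.
$enrol = Get-Certificate -Template 'KerberosAuthentication' -CertStoreLocation 'Cert:\LocalMachine\My'
$enrol.Status                                # expect 'Issued'
$enrol.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint

# 4. From any client, open a TLS session to 636 and report what the DC presented. The validation
#    callback records chain errors instead of aborting, so an untrusted-root result is visible.
function Test-Ldaps {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $script:ChainErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:ChainErrors = $errors       # why the client would reject it, if it would
        return $true                         # keep going so the certificate can be inspected
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' })
        [pscustomobject]@{
            Server      = "$Server`:$Port"
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SAN         = if ($san) { $san.Format($false) } else { '(none)' }
            ChainErrors = $script:ChainErrors   # 'None' on a domain member; 'RemoteCertificateChainErrors' where the root is not trusted
        }
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
}

Test-Ldaps -Server $DcFqdn
```

Two practical notes. The name the client connects with must appear in the certificate's SAN, and the Kerberos Authentication template populates it with the DC's AD FQDN, which is why the AD domain name versus "proper" domain name mismatch mattered when a public CA was considered; connect by the AD name and there is nothing to reconcile. Non-domain clients (Linux LDAP consumers, appliances) do not get the root from AD, so export it with `certutil -ca.cert root.cer` on the CA and install it in their trust store, otherwise Test-Ldaps will report RemoteCertificateChainErrors from them. The trade-off of this layout is simply that the CA's private key lives on a DC: whoever controls that DC controls the CA, which is acceptable if the only thing the CA ever does is issue certificates to the DCs themselves.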


________________________________
From: Andy Swiffin
Sent: 14 January 2013 16:27
To: [log in to unmask]
Subject: Certificate Authority in an AD tree

When we started moving things over to AD, we were slightly surprised to find the LDAP servers don't do 636 out of the box and started looking at generating a certificate for them, only to find we had yet to install a CA. We've started to look into AD Certificate Services and it's all a bit bemusing. It seems to be telling us that we need to do all kinds of stuff like install a separate server with the root CA on, which is usually turned off; we need to have more servers as Enterprise subordinate issuing CAs, and more as Online Responders, and on and on and on.....

Is all this necessary? As I see it I want:

a CA
from which I want to issue a certificate for an LDAP server (maybe two or three more as we migrate more things over to it).
<period!>

Can I not do this on just one server (one of the DCs)? Do I need all of this other stuff? All I want to do is secure an LDAP server.




The University of Dundee is a registered Scottish Charity, No: SC015096