You can use the Entrust Certificate Services (ECS) portal to generate LDAPS TLS certificates for each domain. Follow the steps in Generating a PKCS #12 and select the following values.
Setting | Value for LDAPS TLS certificates |
---|---|
Certificate Authority | Select the issuing CA described in Creating an Entrust-hosted Certificate Enrollment Gateway for WSTEP. |
Certificate Profile | Select the multiuse-p12-key-encipherment-client-server certificate profile described in Multiuse certificate profiles. |
Subject DN | Enter a CN matching the FQDN of the Domain Controller (for example: dc.example.com). |
Certificate Expiry | Enter a period not exceeding 397 days. |
Subject Alternative Names | Add a DNS entry matching the FQDN of the Domain Controller (for example: dc.example.com). TLS clients validate the server name against the SAN DNS entries rather than the Subject CN, so the CN alone is not sufficient. |
If you generate the LDAPS TLS certificates with a non-ECS authority, make sure they are signed with a SHA-2 algorithm (for example SHA-256 with RSA). SHA-1-signed certificates are not allowed because SHA-1 is vulnerable to practical collision attacks. The certificate must also carry the Server Authentication extended key usage (1.3.6.1.5.5.7.3.1), and its private key must be installed on the Domain Controller, or LDAPS will not use it.
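The following PowerShell script is an added example, not part of the Entrust documentation or the ECS portal: it checks a downloaded PKCS #12 against the requirements in the table above (Subject CN, SAN DNS entry, validity not exceeding 397 days, SHA-2 signature, Server Authentication EKU, private key present) and then performs a TLS handshake against the Domain Controller on TCP/636 to confirm the DC is presenting that certificate. The DC FQDN `dc.example.com` and the path `C:\certs\dc.example.com.p12` are assumed values; replace them with your own.

```powershell
# Added example (not Entrust's code): validate an LDAPS certificate against the
# requirements in the table above, then confirm the Domain Controller presents it.
param(
    [string]$DcFqdn  = 'dc.example.com',             # assumed DC FQDN
    [string]$PfxPath = 'C:\certs\dc.example.com.p12' # assumed PKCS #12 path
)

$maxValidityDays = 397
$serverAuthOid   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Get-PfxCertificate prompts for the PKCS #12 password.
$cert = Get-PfxCertificate -FilePath $PfxPath
$problems = @()

# 1. Subject DN: CN must be the DC FQDN.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $DcFqdn) {
    $problems += "Subject CN is '$cn', expected '$DcFqdn'"
}

# 2. SAN: a DNS entry for the DC FQDN is what clients actually match on.
$sanDns = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($sanDns -notcontains $DcFqdn) {
    $problems += "No SAN DNS entry for $DcFqdn (found: $($sanDns -join ', '))"
}

# 3. Validity period must not exceed 397 days.
$validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
if ($validityDays -gt $maxValidityDays) {
    $problems += "Validity is $([math]::Round($validityDays)) days; maximum is $maxValidityDays"
}

# 4. Signature algorithm must be SHA-2 (sha256RSA, sha384ECDSA, ...); SHA-1 is rejected.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -notmatch '^sha(256|384|512)') {
    $problems += "Signature algorithm is $sigAlg; a SHA-2 algorithm is required"
}

# 5. LDAPS requires the Server Authentication EKU.
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
    $problems += "Server Authentication EKU ($serverAuthOid) is missing"
}

# 6. The PKCS #12 must contain the private key, or the DC cannot use it.
if (-not $cert.HasPrivateKey) {
    $problems += 'PKCS #12 contains no private key'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}
Write-Host "Certificate checks passed for $DcFqdn (thumbprint $($cert.Thumbprint))"

# Live check: TLS handshake to the DC on 636. AuthenticateAsClient throws if the
# chain does not validate or the hostname does not match the SAN.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($presented.Thumbprint -eq $cert.Thumbprint) {
        Write-Host "LDAPS on $DcFqdn presents the expected certificate"
    } else {
        Write-Warning "LDAPS on $DcFqdn presents a different certificate: $($presented.Thumbprint)"
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

The live check only succeeds after the PKCS #12 has been imported into the Domain Controller's computer Personal store (for example with `Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My`) and the DC has picked it up; a handshake failure at that step usually means the issuing CA is not trusted by the client or the DC is still serving an older certificate.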