Active Directory requires a server certificate to secure communications to the directory over LDAPS. The following procedure describes how to create a certificate signing request (CSR) for an Active Directory server certificate. A CSR contains information that the issuing CA will use to create the certificate. Entrust PKI as a Service or an on-premises CA can process the CSR and issue the certificate.
To create a CSR for an Active Directory server certificate
- Log into Active Directory as a member of the Domain Admins group.
- Run mmc.exe (select Start > Windows System > Run, then enter mmc.exe).
 The Microsoft Management Console appears.
- Select File > Add/Remove Snap-in. 
 The Add or Remove Snap-ins dialog box appears.
- In the Available snap-ins list, select Certificates.
- Click Add.
 The Certificates snap-in dialog box appears.
- Select Service account.
- Click Next.
 The Select Computer dialog box appears.
- Select Local computer.
- Click Next.
 The Certificates snap-in dialog box reappears.
- Select Active Directory Domain Services.
- Click Finish.
 The Certificates snap-in is added to the list of Selected snap-ins.
- Click OK.
 The Certificates snap-in appears in the Microsoft Management Console.
- In the tree view, select Certificates > NTDS\Personal.
- Select Action > All Tasks > Advanced Operations > Create Custom Request.
 The Certificate Enrollment wizard appears.
- Click Next.
 The Select Certificate Enrollment Policy page appears.
- Under Configured by your administrator, select Active Directory Enrollment Policy.
- Click Next.
 The Custom request page appears.
- In the Template drop-down list, select (No template) CNG key.
- For Request format, select PKCS #10.
- Click Next.
 The Certificate Information page appears.
- Click Next.
 The Where do you want to save the offline request? page appears.
- In the File Name field, enter the path and file name for the CSR, or click Browse to select a location.
- For File format, select Base 64.
- Click OK.
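
A check you can run on the saved request before submitting it to the CA, as an added example that is not part of the original procedure: it decodes the Base 64 PKCS #10 file with the Windows CertEnroll COM API and reports signature validity, subject, key algorithm and size, and extension OIDs. The file path and the 2048-bit RSA threshold are assumptions.

```powershell
# Assumption: placeholder path; use the File Name entered in the wizard.
$CsrPath = 'C:\Temp\ad-ldaps.csr'

$text = Get-Content -LiteralPath $CsrPath -Raw

# "Base 64" output is PEM-style text; anything else means the wrong file format was chosen.
if ($text -notmatch '-----BEGIN (NEW )?CERTIFICATE REQUEST-----') {
    throw "Not a Base 64 PKCS #10 request: $CsrPath"
}

$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeDecode($text, 6)      # 6 = XCN_CRYPT_STRING_BASE64_ANY

# Proof of possession: the request must be signed with its own private key.
$signatureOk = $true
try { $req.CheckSignature(1) }       # 1 = AllowedKeySignature
catch { $signatureOk = $false }

# The steps above do not set a subject on the Certificate Information page,
# so the subject may be empty and reading it may fail.
$subject = '(empty)'
try { if ($req.Subject.Name) { $subject = $req.Subject.Name } } catch { }

$key = $req.PublicKey
$extensions = @($req.X509Extensions | ForEach-Object { $_.ObjectId.Value })

$report = [pscustomobject]@{
    SignatureValid = $signatureOk
    Subject        = $subject
    KeyAlgorithm   = $key.Algorithm.FriendlyName
    KeyBits        = $key.Length
    ExtensionOids  = $extensions -join ', '
}
$report | Format-List

if (-not $signatureOk) { Write-Warning 'Signature check failed; regenerate the request.' }
# Assumption: 2048 bits as the minimum acceptable RSA key size.
if ($key.Algorithm.FriendlyName -eq 'RSA' -and $key.Length -lt 2048) {
    Write-Warning "RSA key is only $($key.Length) bits."
}
```

Run it on the server where the request was created, or on any Windows host that has a copy of the CSR file; the private key is not needed for these checks.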










