Active Directory and Certificate Authority for the domain

Started by Dieselboy, March 07, 2019, 03:20:20 AM


Dieselboy

I have Windows Server 2012 R2 domain and a CA installed on separate VMs. In both of the domain controllers I can go to the certificates of the "local computer" and check the Personal store and find certs issued to each DC by the CA - this is good.

What I would like to do is edit the template that was used to issue these certificates so that the internal domain is added to the cert as a SAN. I did not do anything to get these certs automatically issued so I'm having some trouble finding out the mechanism that causes this.

Any of you guys know this?

I have checked the GPO for the default domain controllers policy and the "auto-enrollment" is not enabled. However I recently installed a new DC and that too has a cert issued by the CA. All of this is great of course... but I need to make a small edit :)

I have issued some certs manually but I believe that if I do this here, I'll have to go and manually re-install certs later near expiry.

The reason for this edit is that I have set up LDAPS and LDAP over TLS - it's working fine but on the application side we need to specify each DC individually so that the request matches the CN of the cert response. Compared with LDAP (no SSL) we can set up one "AD" server and use the hostname of internal.domain.com (so, just the domain portion) and because there's no validation required, the DNS lookup will round-robin the DCs and LDAP bind works perfectly. I'm after the same config for LDAPS. I may be able to work around this by configuring the application to have 2 x Active Directories but I have a feeling that this will cause a problem, as the application will be syncing to both as separate directories.

Dieselboy

Quote from: https://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/

    All domain controllers are hard coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest. Hard coded in this case means it is in the code, it is not configured in any local or domain based policy. This is one of the few cases where Windows will auto-enroll for a certificate without auto-enrollment being configured in Group Policy.

And...

Quote:

    Unless you configure auto-enrollment; that is that. The DC will not auto-enroll for any other certificate on its own. However, if you do enable auto-enrollment, preferably at the domain level so the settings applies to all computers/users in your domain, the behavior changes.

deanwebb

How about issuing a second cert with the SAN you need and associate that with the LDAPS over TLS function?

Or does it not work that way?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

That was my original thought but I did not find out how to assign it to the application. So I did renew (request new cert using the new template) and used openssl to query the port and see what was offered back, and the new cert was offered. So I believe certs will supersede others if the conditions are right for it.

Used this command to query the port from bash.exe in Windows 10:

openssl s_client -connect my.domain.controller.com:636
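As an added example (not from the thread), the same check the openssl command above does by eye, scripted: pull the cert a DC offers on 636 and test whether a client connecting to the bare domain name would accept it. It assumes the internal CA's cert has been exported to a file named internal-ca.pem; the host names are the ones used in this thread.

```python
import socket
import ssl

# Placeholder names: the round-robin domain name the application uses for
# LDAPS, and the exported cert of the internal CA (an assumed file name).
DOMAIN_NAME = "internal.domain.com"
CA_FILE = "internal-ca.pem"


def san_dns_names(cert):
    """DNS entries from the subjectAltName of a cert in ssl.getpeercert() dict form."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_covers_name(cert, hostname):
    """True if a client validating `hostname` would accept this certificate.
    Clients match against the SAN and consult the subject CN only when the
    cert has no SAN at all, so a DC cert whose SAN lists just the DC's own
    FQDN fails when the client connects to the bare domain name."""
    names = san_dns_names(cert)
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(name, hostname) for name in names)


def fetch_peer_cert(host, port=636, cafile=CA_FILE, timeout=5):
    """Return the decoded cert a DC presents on the LDAPS port. The chain is
    verified against the internal CA (otherwise getpeercert() is empty) but
    hostname checking is off, so a cert with the wrong SAN is still returned."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cert = fetch_peer_cert("my.domain.controller.com")
    print("SAN DNS names:", san_dns_names(cert))
    print("covers", DOMAIN_NAME, "->", cert_covers_name(cert, DOMAIN_NAME))
```

Run it against each DC after the template change; a DC that still returns False for the domain name is still handing out the old cert.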

Dieselboy

It was not enough to just delete the old cert from the personal store on the DCs. Overnight, the previous cert was downloaded to the DC again and was sometimes used for connections and causing a validation failure because the domain name is not a SAN in the previous cert.

I had to revoke the cert on the CA and delete again from the personal trust store on the DC. Things looking good now.

deanwebb

Check the GPO to make sure it's not going to keep re-provisioning that old cert.