How to: Create a Client Certificate for LDAPS with OpenSSL

This article shows how to create a certificate for LDAPS with OpenSSL and certreq: a small CA is created with OpenSSL, the domain controller generates the key pair and request with certreq, and the CA signs the request. The certificate is then installed in the domain controller's machine store so it can be used for LDAPS.

First create a new folder (c:\certificate is used in all commands below) and put two files in it, which are needed later on (I prefer Notepad++ for creating them):
1. request.inf
2. v3ext.txt

1. request.inf (save as .inf with Notepad++)

 [Version]
 Signature="$Windows NT$"

 [NewRequest]
 Subject = "CN=your-active-directory.fqdn"
 KeySpec = 1
 KeyLength = 2048
 Exportable = TRUE
 MachineKeySet = TRUE
 PrivateKeyArchive = FALSE
 UserProtected = FALSE
 UseExistingKeySet = FALSE
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 ProviderType = 12
 RequestType = PKCS10
 KeyUsage = 0xa0

 [EnhancedKeyUsageExtension]
 OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
 OID = 1.3.6.1.5.2.3.5 ; KDC Authentication
 OID = 1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon
 OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

Subject: enter the FQDN of your AD server (the domain controller) as the CN.
KeyLength: choose the key length that fits your needs; 2048 is the commonly stated minimum for LDAPS to work, and shorter RSA keys are rejected by current clients anyway.
KeyUsage = 0xa0 is digitalSignature (0x80) plus keyEncipherment (0x20), which is what a TLS server certificate needs.
EnhancedKeyUsageExtension: enter the EKUs you need (the OIDs above are the standard ones for the four named usages; the section headers [Version], [NewRequest] and [EnhancedKeyUsageExtension] are required by certreq). In my experience Server Authentication alone did not do the job, even though that is a very common opinion in other articles about creating LDAPS certificates.

2. v3ext.txt

There are two ways to enter your extendedKeyUsage: as an OID (for example 1.3.6.1.5.5.7.3.1) or by name (for example serverAuth). Be aware that the names are case sensitive: it must be serverAuth, not serverauth or anything else, otherwise OpenSSL refuses the file and the certificate is not created.

A mix of both forms, as in my screenshot, also works. Save the file as .txt and proceed with the cmd commands.
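The screenshot with the file content is not reproduced here, so this is an added example of a v3ext.txt (my file, not the author's) that matches the four EKUs listed in request.inf above and mixes named and numeric forms. The subjectAltName line is my addition: many TLS clients ignore the CN and only match the host name against the SAN. your-active-directory.fqdn is a placeholder for the DC's FQDN:

```ini
# v3ext.txt - extensions that "openssl x509 -req -extfile" writes into the issued certificate.
# Named EKUs are case sensitive (serverAuth, not serverauth); Smart Card Logon and
# KDC Authentication are given as OIDs, which every OpenSSL version accepts.
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.5
# the same bits as KeyUsage = 0xa0 in request.inf (digitalSignature + keyEncipherment)
keyUsage = digitalSignature, keyEncipherment
# placeholder: the DC's FQDN, the same value as the CN in request.inf
subjectAltName = DNS:your-active-directory.fqdn
```

Note that openssl x509 -req takes its extensions only from the -extfile and ignores the extensions inside the CSR, so a wrong or missing EKU in this file is what breaks LDAPS, regardless of what request.inf says.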

Open cmd as administrator and cd to your OpenSSL folder (the folder that contains openssl.exe, unless it is on your PATH).

Then run the first command, which creates the key file of your CA:
openssl genrsa -des3 -out c:\certificate\ca.key 4096

-des3 specifies that the private key is encrypted with a passphrase. Without this option the key is stored unencrypted and no passphrase is needed; for a CA key that can sign certificates your domain controller trusts, keep it encrypted.

-out specifies the path where the key is stored.

ca is the name I gave the key file; you are free to name it anything you want.

The key is created and you are asked to enter your passphrase.

Afterwards enter the next command:

openssl req -new -x509 -days 3650 -key c:\certificate\ca.key -out c:\certificate\ca.crt

Then fill in the requested subject information (Country, Organization, Common Name and so on).

You can leave the email address blank; that is recommended for CA certificates.

Import ca.crt on your domain controller into Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. The DC only uses a certificate for LDAPS if it chains to a root it trusts, so this step must not be skipped.

Afterwards we create the client certificate. The first command generates the key pair in the machine store (MachineKeySet = TRUE in request.inf) and writes the certificate request:

certreq -new c:\certificate\request.inf c:\certificate\client.csr

The next command signs the request with your CA and creates the client certificate:

openssl x509 -req -days 3650 -in c:\certificate\client.csr -CA c:\certificate\ca.crt -CAkey c:\certificate\ca.key -extfile c:\certificate\v3ext.txt -set_serial 01 -out c:\certificate\client.crt

If you named your files differently from my example, change the paths accordingly.
You are also asked for the passphrase of ca.key.

Two things to know about this command: openssl x509 -req takes its extensions only from the -extfile and ignores the ones in the CSR, so v3ext.txt, not request.inf, determines the EKUs of the issued certificate. And -set_serial 01 hard-codes the serial number; a serial must be unique per CA, so if you ever sign a second certificate with this CA, use a different serial (or -CAcreateserial, which keeps a counter in a .srl file next to ca.crt).

 At last accept the client certificate with following command:

certreq -accept c:\certificate\client.crt

That’s it.
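As an added example (my script, not code from the original post), the whole procedure above as one script for an elevated PowerShell session on the domain controller, followed by the two checks worth running afterwards: that the issued certificate really carries the EKUs and SAN from v3ext.txt, and that the DC presents it on port 636 with a chain that verifies against ca.crt. Assumptions: openssl.exe is on PATH, C:\certificate already contains the request.inf shown above, dc01.example.com and "LDAPS Test CA" are placeholders, and Invoke-Step is a small helper of my own that turns a non-zero exit code into an error.

```powershell
# Added example: the LDAPS certificate procedure from the post, end to end, with checks.
# Assumes openssl.exe on PATH and C:\certificate\request.inf as shown in the post.
$Dir    = 'C:\certificate'
$DcFqdn = 'dc01.example.com'   # assumption: replace with your domain controller's FQDN

function Invoke-Step([string]$Name, [scriptblock]$Command) {
    # Native tools report failure through the exit code, not as PowerShell errors.
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# v3ext.txt: "openssl x509 -req" takes its extensions from -extfile only and
# ignores the ones in the CSR, so this file decides the EKUs of the final cert.
@"
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.5
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$DcFqdn
"@ | Set-Content -Path "$Dir\v3ext.txt" -Encoding ASCII

# 1. CA key; you are prompted for the passphrase (-aes256 instead of the post's -des3).
Invoke-Step 'genrsa' { openssl genrsa -aes256 -out "$Dir\ca.key" 4096 }

# 2. Self-signed CA certificate, explicitly marked as a CA ("LDAPS Test CA" is a placeholder).
Invoke-Step 'req -x509' {
    openssl req -new -x509 -days 3650 -sha256 -key "$Dir\ca.key" `
        -subj '/CN=LDAPS Test CA' `
        -addext 'basicConstraints=critical,CA:TRUE' `
        -addext 'keyUsage=critical,keyCertSign,cRLSign' `
        -out "$Dir\ca.crt"
}

# 3. Trust the CA in Local Computer\Trusted Root Certification Authorities.
Invoke-Step 'certutil -addstore' { certutil -addstore -f Root "$Dir\ca.crt" }

# 4. Key pair in the machine store plus the CSR, exactly as in the post.
Invoke-Step 'certreq -new' { certreq -new "$Dir\request.inf" "$Dir\client.csr" }

# 5. Sign the CSR. -CAcreateserial keeps a counter in ca.srl instead of the
#    post's fixed -set_serial 01, so a second cert from this CA gets a new serial.
Invoke-Step 'x509 -req' {
    openssl x509 -req -days 3650 -sha256 -in "$Dir\client.csr" `
        -CA "$Dir\ca.crt" -CAkey "$Dir\ca.key" -CAcreateserial `
        -extfile "$Dir\v3ext.txt" -out "$Dir\client.crt"
}

# 6. Join the issued certificate with the pending request and its private key.
Invoke-Step 'certreq -accept' { certreq -accept "$Dir\client.crt" }

# Check 1: the issued certificate really carries the EKUs and the SAN from v3ext.txt.
openssl x509 -in "$Dir\client.crt" -noout -text |
    Select-String -Pattern 'Extended Key Usage', 'Subject Alternative Name' -Context 0, 1

# Check 2: the DC presents the new certificate on 636 and it chains to ca.crt.
# The DC picks the certificate up at the next reboot or when the rootDSE attribute
# renewServerCertificate is set; until then you may still see the old certificate.
'Q' | openssl s_client -connect "${DcFqdn}:636" -servername $DcFqdn -CAfile "$Dir\ca.crt" |
    Select-String -Pattern '^subject=', '^issuer=', 'Verify return code'
```

The second check should print the subject CN of your DC, the issuer CN of your CA and "Verify return code: 0 (ok)". A different subject means the DC is still serving an older certificate; a non-zero verify code usually means ca.crt was not imported into the Local Computer root store, or the issued certificate lacks the SAN or the serverAuth EKU.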

