  1. Download OpenSSL

    1. Use the EXE option for Win64 OpenSSL v1.1.1d Light.

  2. Install OpenSSL

    1. Accept the license agreement and click next.

    2. Use the default location and click next.

    3. Select "The Windows system directory".

    4. Click Install.

    5. Uncheck the donation options, then click Finish.

  3. Add OpenSSL to the system path

    1. Open system from the control panel.

    2. Click on Advanced system settings.

    3. Click on environment variables.

    4. Edit Path in the system variables section.

    5. Click New.

    6. Enter the path to OpenSSL.

    7. Click ok to exit the edit environment variable window.

    8. Click ok to exit the environment variable window.

    9. Click ok to exit System Properties.

    10. Open CMD and type OpenSSL to verify the path is working correctly.

Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

The contents of the below instructions have been taken from Peter Mescalchin's article, Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers.


Create root certificate

Using OpenSSL, create a new private key and root certificate. Answer the country/state/organization questions as suitable:


Hold onto the resulting ca.key and ca.crt. Keep ca.key private: every domain controller that trusts ca.crt will accept any certificate signed with it.

Import root certificate into trusted store of domain controller

  • From the Active Directory server, open Manage computer certificates.
  • Add the generated ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.
  • Done.

Create client certificate

We will now create a client certificate to be used for LDAPS, signed by our generated root certificate.


  • Create v3ext.txt containing the following:

  • Create a certificate client.crt from certificate request client.csr and root certificate (with private key):

     $ openssl x509 \
     	-req -days 3650 \
     	-in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt \
     	-set_serial 01 -out client.crt
  • Verify generated certificate:

     $ openssl x509 -in client.crt -text
  • Ensure the following X509v3 extensions are all present:

    • X509v3 Key Usage: Digital Signature, Key Encipherment
    • X509v3 Extended Key Usage: TLS Web Server Authentication
    • X509v3 Subject Key Identifier

Accept and import certificate

  • From the Active Directory server with client.crt present, run the following:

     C:\> certreq -accept client.crt
  • Open Manage computer certificates; the new certificate should now be present under Personal\Certificates. Ensure that:

    • The certificate has a private key association.
    • "Intended Purposes" is shown as "Server Authentication".
    • The certificate name is the FQDN of the Active Directory server.

Reload active directory SSL certificate

Alternatively you can just reboot the server, but the following method instructs the Active Directory server to reload a suitable SSL certificate and, if one is found, enable LDAPS:

  • Create ldap-renewservercert.txt containing the following:

     dn:
     changetype: modify
     add: renewServerCertificate
     renewServerCertificate: 1
     -
  • Run the following command:

     C:\> ldifde -i -f ldap-renewservercert.txt

Test LDAPS using ldp.exe utility

  • From another domain controller, first install our generated root certificate ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.

  • Open utility:

     C:\> ldp.exe
  • From Connection, select Connect.

  • Enter name of target domain controller.

  • Enter 636 as the port number (the LDAPS port).

  • Click OK to confirm the connection works.

  • You're all done!