We want to implement LDAPS and duplicate the certs so we can use additional SAN names. So I have been looking at implementing the cert for this and am a little confused. Following these:
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/
and
So you duplicate a cert that has Server Authentication. I get it. The links also say you should normally only have 1 cert that has this in the DC's personal store. All the DCs have two that have this: Kerberos Auth and Domain Controller Auth. These are added automatically, so when they say you should only have 1, is that just one that you would add and not those that are already there from making it a DC?

"You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication."
So when I duplicate the Kerberos cert and call it, say, LDAPSSL like in the guide, after you export this from the personal store and import it into NTDS\Personal, do you delete the one in the local personal store that you added? If so, is changing the security right like below still needed? I guess what is confusing is both sites say different things to me.
"Add new ACE’s for each of the special DC’s (or possibly a security group with them in) that are to receive the custom certificates and ensure they have the “Read" and "Enroll” security right only. Check that no other entries include Enroll or Autoenroll except administrative user groups. Make sure you enable "Computer Objects" in the select objects prompt."
"Now that our new template for the "special" DC's is ready to go, open the original “Kerberos Authentication” template and the security tab. Add the Deny “Enroll” and "Auto Enroll" right to the special DC’s you are giving custom certificates to. This will stop them from getting the standard Kerberos Authentication certificates during the auto enrolment process."
I am guessing that you are adding Enroll on the new cert and denying it on the original Kerberos cert because it is being left here and you want clients to use one over the other? If
When creating the new cert, is there any recommendation on what to select for the CSP or KSP? DCs are 2016 and most clients are W10 except for some W7. Any harm in just keeping it CSP? Honestly, I'm just not sure how to choose on this. The rest of the options I get.
Thx
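A check that goes with the questions above, written as an added example (it is not part of the original post or of the linked Microsoft guide): it lists every Server Authentication certificate in the DC's LocalMachine\My store with its template and SAN names, lists what has been imported into the NTDS\Personal service store, and then connects to port 636 to see which certificate Schannel actually presents. The `$DcFqdn` parameter is a placeholder, and the registry path used for the NTDS\Personal store is assumed to be the standard per-service `SystemCertificates` location; run it as an administrator on the DC after importing the custom cert.

```powershell
# Added example, not from the original post or the linked guide.
# Assumptions: run elevated on the DC; $DcFqdn is a placeholder for the DC's FQDN;
# the NTDS\Personal store is assumed to live under the standard per-service
# SystemCertificates registry path (no PowerShell drive exposes service stores).
param(
    [string]$DcFqdn = $env:COMPUTERNAME   # placeholder; pass the DC's FQDN
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$TemplateOid   = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2 templates)

function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $ext) { return @() }
    # Multi-line format yields one "DNS Name=..." entry per line
    $ext.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^DNS Name=(.+)$' } |
        ForEach-Object { $Matches[1].Trim() }
}

function Test-ServerAuth {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($null -eq $eku) { return $false }
    $null -ne ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

Write-Host "== Server Authentication certs in LocalMachine\My on $DcFqdn =="
$serverAuthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ServerAuth $_ }
$serverAuthCerts | ForEach-Object {
    $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Template   = if ($tmpl) { ($tmpl.Format($false) -split ',')[0] } else { '(none)' }
        SAN        = (Get-SanNames $_) -join ', '
    }
} | Format-Table -AutoSize
if (@($serverAuthCerts).Count -gt 1) {
    Write-Host "Note: $(@($serverAuthCerts).Count) Server Authentication certs present; Schannel picks one unless NTDS\Personal holds the intended cert."
}

Write-Host "== Thumbprints in the NTDS\Personal service store (assumed registry location) =="
$ntdsKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
if (Test-Path $ntdsKey) {
    Get-ChildItem $ntdsKey | ForEach-Object { $_.PSChildName }
} else {
    Write-Host '(store key not found; nothing has been imported into NTDS\Personal yet)'
}

Write-Host "== Certificate actually presented on ${DcFqdn}:636 =="
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
try {
    # The callback accepts any chain: the goal is to see what is served, not to validate it here.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $sans   = Get-SanNames $served
    Write-Host "Thumbprint : $($served.Thumbprint)"
    Write-Host "Subject    : $($served.Subject)"
    Write-Host "SAN        : $($sans -join ', ')"
    if ($sans -notcontains $DcFqdn) {
        Write-Host "WARNING: served cert does not list $DcFqdn in its SAN; clients validating the name will fail."
    }
    if ($serverAuthCerts.Thumbprint -notcontains $served.Thumbprint) {
        Write-Host 'Note: served cert is not in LocalMachine\My, so it came from NTDS\Personal.'
    }
} finally {
    $tcp.Close()
}
```

Run it before and after the import into NTDS\Personal: the thumbprint shown under "actually presented" is the one clients will see, so a change there confirms the custom certificate took effect, while the SAN warning catches a duplicated template whose subject name settings did not carry the extra names across.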