These instructions are for Microsoft Active Directory LDAP on a Windows Server 2012/2012R2.

For Microsoft Active Directory LDAP on a Windows Server 2008/2008R2 instructions, see
Microsoft Active Directory LDAP (2008): SSL Certificate Installation.

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft Active Directory LDAP (2012): SSL Certificate CSR Creation.

Microsoft Active Directory LDAP (2012): Installing Your SSL Certificate

To install the SSL Certificate on your Microsoft Active Directory LDAP server, complete the steps below.

Importing a SSL Certificate Using the DigiCert Certificate Utility

After we validate and issue your SSL Certificate, you can use the DigiCert® Certificate Utility for Windows to import the file to your Microsoft Active Directory LDAP server.

  1. On your Windows 20012/2012 R2 LDAP Server where you created the CSR, save the SSL Certificate .cer file (i.e. your_domain_com.cer) that DigiCert sent to you.

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.

    Import Certificate

  4. In the Certificate Import window, under File Name, click Browse to browse to the .cer (i.e. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then, click Next.

    Import Certificate

  5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

    Friendly Name

  6. Click Finish.

Exporting a SSL Certificate in .pfx Format Using the DigiCert Certificate Utility

After you import the SSL Certificate to your Microsoft AD LDAP server, use the DigiCert® Certificate Utility for Windows to export the SSL Certificate as a .pfx file.

  1. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  2. In DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL Certificate you want to export, and then, click Export Certificate.

    Export Certificate

  3. In the Certificate Export wizard, select Yes, export the private key, select pfx file, uncheck Include all certificates in the certification path if possible, and then, click Next.

    Apache Key File Export

  4. In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next.

    Note:    You use this password when importing the SSL Certificate onto other Windows type servers or other servers or devices that accept a .pfx file.

    Password

  5. In the File name box, click to browse for and select the location and file name where you want to save the .pfx file, and then, click Finish.

    File Location

  6. After you receive the "Your certificate and key have been successfully exported" message, click OK.

    You have successfully exported your SSL Certificate as a .pfx file.

    Success Message

Microsoft AD LDAP (2012): Importing Your Certificate .pfx File into the AD DS Personal Store

Once you have your .pfx certificate file, use Microsoft Management Console (MMC) to import it into the Active Directory Domain Services Personal Store.

Importing the .pfx Certificate File

  1. Open the Microsoft Management Console (MMC) as an admin.

    • From the Windows Start screen, type mmc.

    • Right-click on mmc.exe.

    • In the menu at the bottom of the screen, click Run as administrator.

  2. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In the MMC Console, click File > Add/Remove Snap-in.

    MMC Add or Remove Snap-in

  4. In the Add or Remove Snap-ins window, under Available snap-ins, select Certificates and then, click Add.

    Add or Remove Snap-ins window, add Certificates

  5. In the Certificates snap-in window, select Service account and then, click Next.

    Certificates snap-in window, select Service account

  6. In the Select Computer window, select Local computer: (the computer this console is running on) and then, click Next.

    Select Computer window, select Local computer

  7. In the Certificates snap-in window, select Active Directory Domain Services and then, click Finish.

    Certificates snap-in window, select Active Directory Domain Services

  8. In the Add or Remove snap-ins window, click OK.

    Add or Remove snap-ins window

  9. In the MMC Console, in the console tree, expand Certificates - Service (Active Directory Domain Services), right-click on NTDS/Personal, and select Import.

    MMC Console

  10. In the Certificate Import Wizard, on the Welcome to the Certificate Import page, click Next.

    Certificate Import Wizard Welcome page

  11. On the File to Import page, click Browse to browse for and select the .pfx certificate file (e.g. your_domain_com.pfx) that you exported using the DigiCert Certificate Utility, select the file, click Open, and then, click Next.

    Certificate Import Wizard File to Import page

  12. On the Password page, do the following:

    1. In the Password box, enter the password that you created when you exported the .pfx certificate file.

    2. Check Include all extended properties.

    3. Check Mark this key as exportable.

    4. Click Next.

    Certificate Import Wizard Password page

  13. On the Certificate Store page, leave the default settings and click Next.

    Default Settings:

    1. Place all certificates in the following store.

    2. Certificate store: NTDS\Personal

    Certificate Import Wizard Certificate Store page

  14. On the Completing the Certificate Import page, review your settings and then, click Finish.

    Completing the Certificate Import page

  15. All your client computers should now be able to make SSL connections to all your domain controllers in the forest.

Verify SSL Was Successfully Configured

  1. Open the LDP snap-in as and admin.

    • From the Windows Start screen, type ldp.

    • Right-click on ldp.exe.

    • In the menu at the bottom of the screen, click Run as administrator.

  2. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In Ldp, click Connection > Connect.

    Ldp window Connect

  4. In the Connect window, do the following:

    • In the Server box, enter the hostname of to which you are connecting.

    • In the Port box, enter 636.

    • Check SSL.

    • Uncheck Connectionless.

    • Click OK.

    • Connect window

  5. The command output should display the user name and the domain name for the binding.

  6. If you receive the Cannot open connection message, LDAP-over-SSL binding is not configured properly.

    Cannot open connection message

  7. Click OK.

  8. Next, in LDP, click Connection > Bind.

    Ldp window Bind

  9. In the Bind window, click OK.

    Bind window

  10. The command output should now display the user name and the domain name for the binding.