Generating the LDAPS TLS certificates
You can use the Entrust Certificate Services (ECS) portal to generate LDAPS TLS certificates for each domain. Follow the steps in Generating a PKCS #12 and select the following values.
| Setting | Value for LDAPS TLS certificates |
| --- | --- |
| Certificate Authority | Select the issuing CA described in Creating an Entrust-hosted Certificate Enrollment Gateway for WSTEP. |
| Certificate Profile | Select the multiuse-p12-key-encipherment-client-server certificate profile described in Multiuse certificate profiles. |
| Subject DN | Enter a CN matching the FQDN of the Domain Controller (for example: dc.example.com). |
| Certificate Expiry | Enter a period not exceeding 397 days. |
| Subject Alternate Names | All Subject Alternative Names must include a DNS entry matching the FQDN of the Domain Controller. |
If you generate the LDAPS TLS certificates with a non-ECS authority, ensure they are signed with a SHA-2 hash; SHA-1 certificates are not allowed because of their known weaknesses.
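Before binding a certificate to LDAPS, it is worth verifying that what landed in the Domain Controller's store actually meets the requirements above (CN, SAN DNS entry, validity period, SHA-2 signature). The following PowerShell function is an added example, not part of the Entrust documentation; it additionally checks for the Server Authentication EKU (which LDAPS needs, an assumption beyond the table) and assumes an English-locale Windows host, since it parses the SAN extension's formatted text.

```powershell
# Added example (not from the Entrust documentation): check a certificate against the
# LDAPS TLS requirements: CN = DC FQDN, SAN DNS = DC FQDN, validity <= 397 days, SHA-2.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn    # FQDN of the Domain Controller
    )
    $findings = @()

    # Subject DN: the CN must match the Domain Controller FQDN (-ne is case-insensitive)
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) { $findings += "CN '$cn' does not match FQDN '$Fqdn'" }

    # Subject Alternative Name (OID 2.5.29.17): a DNS entry for the FQDN must be present.
    # Format($false) yields "DNS Name=a, DNS Name=b" on English-locale Windows (assumption).
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = foreach ($entry in ($sanExt.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    if ($sanDns -notcontains $Fqdn) {
        $findings += "SAN has no DNS entry for '$Fqdn' (found: $($sanDns -join ', '))"
    }

    # Certificate Expiry: the validity period must not exceed 397 days
    $days = ($Certificate.NotAfter - $Certificate.NotBefore).TotalDays
    if ($days -gt 397) { $findings += "Validity period is $([int]$days) days (limit 397)" }

    # Signature hash must be SHA-2 (sha256RSA, sha384ECDSA, ...); SHA-1 is rejected
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -notmatch '^sha(256|384|512)') { $findings += "Signature algorithm '$sigAlg' is not SHA-2" }

    # Assumption beyond the table: LDAPS needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'Missing Server Authentication EKU' }

    # The PKCS #12 import must have brought the private key along
    if (-not $Certificate.HasPrivateKey) { $findings += 'No private key associated with the certificate' }

    [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Usage (dc.example.com is the page's example FQDN, not a real host):
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=dc.example.com*'
# Test-LdapsCertificate -Certificate $cert -Fqdn 'dc.example.com'
```

Run it on the Domain Controller after importing the PKCS #12; a `Pass` of `$false` lists exactly which requirement from the table the certificate misses.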