    Create Internal CA for Windows LDAPs and Linux apps

    IT Discussion
    ldaps certificate authority linux
      pmoncho

      Trying to figure out the best plan of action to comply with Microsoft's LDAPS requirement in the near future.

      I have a .local domain with multiple RDS servers, an MS file server, a Sonicwall SSL-VPN appliance, a few internal Linux apps and, in the near future, Nextcloud and Bookstack servers. Other than the SSL-VPN, all servers will be accessed internally. Clients access the RDS servers through the SSL-VPN.

      Choices to make based on the current setup and a ton of reading:

      A. Setup an internal CA
      From all the reading I have done, "best practices" state to have an offline root CA (non-domain joined, powered off) and use subordinate CAs to create certs for end devices. If both are on Windows Server, I have to blow two Windows licenses (ugh, don't really want to do that).

      B. Create a self-signed cert on a DC, import the self-signed cert into Linux machines and the SSL-VPN. Not the best solution. Tested the SS cert for the SSL-VPN in my lab and it worked fine. This has pitfalls as I have to import multiple certs all over the place. Sucks but doable.

      C. Create an ad.domain.com UPN, then get a wildcard cert from public CA and adjust DNS (I believe I need to create a new zone). I don't know the ramifications of using a UPN.

      D. Other options???

        JaredBusch

        Self-signed long-term cert on your DC. Just do it. Once you import the cert everywhere, you won't need to do it again and everything will trust it.

          pmoncho @JaredBusch

          @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

          Self-signed long-term cert on your DC. Just do it. Once you import the cert everywhere, you won't need to do it again and everything will trust it.

          That is what I keep thinking. In this situation, I believe it makes the most sense.

          I will set up and keep the root CA / subordinate CA stuff in my lab.

            Dashrender @JaredBusch

            @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

            Self-signed long-term cert on your DC. Just do it. Once you import the cert everywhere, you won't need to do it again and everything will trust it.

            You have to install that self-signed cert on all endpoints, right? I know you can use GP to do this for Windows.

              pmoncho @Dashrender

              @Dashrender said in Create Internal CA for Windows LDAPs and Linux apps:

              @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

              Self-signed long-term cert on your DC. Just do it. Once you import the cert everywhere, you won't need to do it again and everything will trust it.

              You have to install that self-signed cert on all endpoints, right? I know you can use GP to do this for Windows.

              I believe I only need to manually install it on endpoints that will use LDAP/LDAPS. Unless I am missing something, it will be the SSL-VPN and Linux servers, as they will use LDAPS. I believe all Windows servers/desktops in the domain will use Kerberos, correct?

                Dashrender @pmoncho

                @pmoncho said in Create Internal CA for Windows LDAPs and Linux apps:

                @Dashrender said in Create Internal CA for Windows LDAPs and Linux apps:

                @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

                Self-signed long-term cert on your DC. Just do it. Once you import the cert everywhere, you won't need to do it again and everything will trust it.

                You have to install that self-signed cert on all endpoints, right? I know you can use GP to do this for Windows.

                I believe I only need to manually install it on endpoints that will use LDAP/LDAPS. Unless I am missing something, it will be the SSL-VPN and Linux servers, as they will use LDAPS. I believe all Windows servers/desktops in the domain will use Kerberos, correct?

                Awww... yes, I get it.

                  pmoncho

                  Created another self-signed cert for my lab using the following (added the 2nd DC to the same cert):

                  New-SelfSignedCertificate -DnsName dc01.domain.local, dc02.domain.local -HashAlgorithm SHA256 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty ALL -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -NotAfter (Get-Date).AddYears(10)

                  Copied the key into the trusted root store and exported the public key. Imported .DER key into Sonicwall and all seems well to dc01.

                  I figure I have to get the key into dc02's trusted root store also. When I export the key, do I want to export the private key as well?

                    JaredBusch @pmoncho

                    @pmoncho said in Create Internal CA for Windows LDAPs and Linux apps:

                    When I export the key, do I want to export the private key as well?

                    That depends. If you are only ever going to have devices using the key to auth against the DC that you created it on, then no.

                    But if you need to install the cert on a device and then have another device auth to that first device, then that first device needs the private key.

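As an added example (not code from the thread or from any poster), here is one PowerShell sequence that covers the steps discussed above: creating the cert with both DC names in the SAN, exporting the public certificate as DER for the clients that only need to trust it (the Sonicwall and the Linux servers), exporting the PFX with the private key only for dc02, which must present the cert on port 636 itself (JaredBusch's point), and then checking what each DC actually serves. The domain names, the C:\certs path, the KeyUsage choice and the Test-LdapsCertificate function are assumptions of this example.

```powershell
# Added example, not from the thread. Assumes it is run in an elevated PowerShell on dc01,
# that dc01/dc02.domain.local are the DC names and that C:\certs already exists.
$dnsNames = @('dc01.domain.local', 'dc02.domain.local')
$outDir   = 'C:\certs'

# 1. Create the certificate in the machine's Personal store (Cert:\LocalMachine\My).
#    The Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what LDAPS clients require.
#    DigitalSignature is included (instead of DataEncipherment) so ECDHE cipher suites work.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -HashAlgorithm SHA256 `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(10)

# 2. Public certificate only (DER .cer): this is all a client (Sonicwall, Linux box) needs.
$publicDer = Join-Path $outDir 'dc-ldaps.cer'
Export-Certificate -Cert $cert -FilePath $publicDer -Type CERT | Out-Null

# 3. Certificate plus private key (PFX): only for dc02, which must answer on 636 with this
#    cert. Clients never get the PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxPath = Join-Path $outDir 'dc-ldaps.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Trust the self-signed cert as a root on this DC so local chain validation succeeds.
Import-Certificate -FilePath $publicDer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# On dc02 (after copying both files there):
#   Import-PfxCertificate -FilePath .\dc-ldaps.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
#   Import-Certificate    -FilePath .\dc-ldaps.cer -CertStoreLocation Cert:\LocalMachine\Root

# 5. Check what each DC presents on 636: AuthenticateAsClient throws if the chain is
#    untrusted on this machine or the name does not match the SAN.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
        }
    } finally {
        $client.Close()
    }
}

$dnsNames | ForEach-Object { Test-LdapsCertificate -Server $_ }
```

Comparing the Thumbprint returned for each DC against `$cert.Thumbprint` confirms both servers picked up the new cert rather than an older one in their store. On the Linux side the same dc-ldaps.cer is converted to PEM (openssl x509 -inform DER) and dropped into the distribution's CA trust directory before ldapsearch -H ldaps://dc01.domain.local is expected to connect cleanly.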
                      pmoncho @JaredBusch

                      @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

                      @pmoncho said in Create Internal CA for Windows LDAPs and Linux apps:

                      When I export the key, do I want to export the private key as well?

                      That depends. If you are only ever going to have devices using the key to auth against the DC that you created it on, then no.

                      But if you need to install the cert on a device and then have another device auth to that first device, then that first device needs the private key.

                      Thank you for the explanation.
