Renew SSL Certificate for Domain Controller LDAPS
If you created the SSL certificate for LDAP over SSL on a Domain Controller through an internal Microsoft stand-alone CA, as shown in the LDAP over SSL for Domain Controller article, you may run into a problem when renewing that certificate from the MMC/GUI.
When you choose Renew Certificate with Same Key in the Certificates MMC, the request fails with the following error:
The request contains no certificate template information.
The MMC renewal wizard builds a template-based request, and a stand-alone CA does not use certificate templates, so the request is rejected. The workaround is to build the renewal request with certreq, referencing the existing certificate by its thumbprint.
1. On the Domain Controller whose certificate you need to renew, find the certificate thumbprint. The steps to find the thumbprint are:
a.) Open the Microsoft Management Console (MMC) snap-in for certificates.
b.) In the Console Root window's left pane, click Certificates (Local Computer).
c.) Expand the Personal folder
d.) Expand the Certificates folder
e.) Double-click on your target certificate.
f.) In the Certificate dialog box, click the Details tab.
g.) Scroll through the list of fields until you find Thumbprint.
h.) Copy the hexadecimal string from the box, for example "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c".
2. Create cert-renew.inf as shown below and paste the thumbprint you gathered in the previous step as the value of RenewalCert. Keep the opening and closing quotes, because the thumbprint as copied from the MMC contains spaces.
;----------------- cert-renew.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domain.local"   ; replace with the FQDN of the DC
RenewalCert = "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c"   ; thumbprint from step 1, quoted because of the spaces
UseExistingKeySet = TRUE   ; renew with the same key pair, as the MMC option would
MachineKeySet = TRUE       ; the DC certificate and key live in the Local Computer store
;--------------------------------------------------
3. From an elevated command prompt on the Domain Controller, create the certificate request:
certreq -new cert-renew.inf cert-renew.req
4. Submit the request to the internal stand-alone CA:
certreq -submit cert-renew.req
If the request is submitted successfully, certreq prints the RequestID the CA assigned to it; note it down, you need it in steps 5 and 6. If more than one CA is reachable, certreq prompts you to pick one; adding -config CAHost\CAName to the command skips the prompt.
5. On the CA, issue the pending request: in the Certification Authority console open Pending Requests, right-click the request and choose All Tasks > Issue, or run certutil -resubmit RequestID from a command prompt on the CA.
6. Back on the Domain Controller that made the request, retrieve the issued certificate using the RequestID from step 4:
certreq -retrieve RequestID cert-renew.cer
7. Install the certificate on the Domain Controller. certreq -accept matches the issued certificate to the pending request and its existing private key and places it in the Local Computer Personal store:
certreq -accept cert-renew.cer
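The seven steps above as one PowerShell script, run elevated on the Domain Controller. This is an added example and not code from the original article. It assumes the CA config string CA-SERVER\Internal-CA and the working directory C:\Temp\ldaps-renew (both hypothetical; adjust them), that the current LDAPS certificate sits in Cert:\LocalMachine\My with a subject of CN=<DC FQDN> and a Server Authentication EKU, and that the CA accepts a CMC-typed renewal request (an assumption noted in the script). It goes beyond the article in two checks at the end: it confirms the renewed certificate carries the same public key as the old one, and it performs an LDAPS bind on port 636 and records which certificate the DC actually served.

```powershell
# Added example, not from the original article. Run elevated on the DC.
param(
    [string]$CaConfig = 'CA-SERVER\Internal-CA',    # hypothetical; find yours with: certutil -dump
    [string]$WorkDir  = 'C:\Temp\ldaps-renew'       # hypothetical scratch directory
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for LDAPS

# Step 1: locate the certificate to renew (subject = DC FQDN, Server Auth EKU,
# private key present); take the longest-lived one if several match.
$old = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $serverAuthOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $old) { throw "No LDAPS certificate for CN=$fqdn found in LocalMachine\My" }
"Renewing $($old.Thumbprint), expires $($old.NotAfter)"

# Step 2: write the INF. RenewalCert carries the thumbprint; UseExistingKeySet
# reuses the key pair. RequestType = CMC is an assumption: a renewal is signed
# with the old certificate, which needs a CMC/PKCS7 envelope; drop it if your
# CA rejects the request. The EKU section is explicit because a stand-alone CA
# has no template to add it.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
RenewalCert = "$($old.Thumbprint)"
UseExistingKeySet = TRUE
MachineKeySet = TRUE
RequestType = CMC

[EnhancedKeyUsageOIDs]
OID = $serverAuthOid
"@
$infPath = Join-Path $WorkDir 'cert-renew.inf'
$reqPath = Join-Path $WorkDir 'cert-renew.req'
$cerPath = Join-Path $WorkDir 'cert-renew.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Step 3: build the request against the existing key.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Step 4: submit. certreq prints 'RequestId: <n>'; capture the number.
$submitOutput = & certreq.exe -submit -config $CaConfig $reqPath $cerPath
$match = [regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*(\d+)')
if (-not $match.Success) { throw "Could not find a RequestId in certreq output:`n$submitOutput" }
$requestId = $match.Groups[1].Value

# Step 5 happens on the CA: issue the pending request from the Certification
# Authority console, or run:  certutil -config <CaConfig> -resubmit <RequestId>
Read-Host "Issue request $requestId on the CA ($CaConfig), then press Enter"

# Step 6: retrieve the issued certificate by RequestId.
& certreq.exe -retrieve -config $CaConfig $requestId $cerPath
if ($LASTEXITCODE) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }

# Step 7: install it; -accept binds it to the pending request's private key.
& certreq.exe -accept $cerPath
if ($LASTEXITCODE) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Check 1: the new certificate must carry the same public key as the old one.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.Thumbprint -ne $old.Thumbprint } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sameKey = [Convert]::ToBase64String($new.GetPublicKey()) -eq
           [Convert]::ToBase64String($old.GetPublicKey())
"New certificate $($new.Thumbprint) expires $($new.NotAfter); same key as old: $sameKey"

# Check 2: LDAPS bind on 636, recording which certificate the DC presented.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$script:servedThumbprint = $null
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${fqdn}:636")
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $cert)
    $script:servedThumbprint = $cert.GetCertHashString()   # SHA-1 hash, same form as Thumbprint
    $true
}
$conn.Bind()   # throws if the TLS handshake or the bind fails
"LDAPS bind succeeded; DC served $servedThumbprint (new cert: $($servedThumbprint -eq $new.Thumbprint))"
```

The served-thumbprint check matters because a successful bind alone only proves that some certificate in the store is acceptable; the DC may still be presenting the old one until it expires or is removed. Once the new certificate is confirmed in use, the old certificate can be deleted from the Personal store so it cannot be selected again.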