how to get ssl certificate for ldap for MS Active directory

am new to LDAP / Active Directory environment.

am trying to connect with LDAP / Active Directory using SSL support.

to connect LDAP/Active Directory, SSL certificate is required to establish the connection.

I have been googling, and most of the result is to "create a certificate using Microsoft CA (certificate authority)". Is this is the only way to generate a certificate for LDAP/Active Directory?

How can i get SSL Certificate for LDAP / Active Directory? Is there any other way to get the SSL Certificate for LDAP/Active Directory?

You can get a certificate from any CA. You can even create a certificate yourself, although you must only use such a certificate for development purposes, not for a live domain controller.

For a production environment, what CA to use kinda depends on who will be accessing the domain controller. For instance, if you only want to use LDAPS within a company intranet, you can setup a CA for your own company, and add its root certificate to the trusted certificates of all systems within your company intranet. Then you request a certificate from your own CA as outlined here. Install the certificate in the domain controller's personal certificate store. Active Directory will now use this certificate to identify itself when accessing it through LDAPS. Systems in your intranet will authenticate the domain controller's identity by verifying that its certificate was issued by your company's CA, which they trust.

If you need more help, you need to give us details like what kind of applications will be using LDAP, whether the domain controller will only be accessible in the intranet, and if so, why you want to secure it.

Stephan van Hulst wrote:You can get a certificate from any CA. You can even create a certificate yourself, although you must only use such a certificate for development purposes, not for a live domain controller.

For a production environment, what CA to use kinda depends on who will be accessing the domain controller. For instance, if you only want to use LDAPS within a company intranet, you can setup a CA for your own company, and add its root certificate to the trusted certificates of all systems within your company intranet. Then you request a certificate from your own CA as outlined here. Install the certificate in the domain controller's personal certificate store. Active Directory will now use this certificate to identify itself when accessing it through LDAPS. Systems in your intranet will authenticate the domain controller's identity by verifying that its certificate was issued by your company's CA, which they trust.

If you need more help, you need to give us details like what kind of applications will be using LDAP, whether the domain controller will only be accessible in the intranet, and if so, why you want to secure it.

Thanks, Stephan.

I want your help in generating the certificate in a test environment.
I am aware that we can generate it using OpenSSL command...But I don't have knowledge like how can I create using OpenSSL I mean what is the procedure...
Do we require any tool or App to be installed in our system to generate the SSL certificate?

Thanks for your help...

Yes. On Windows you can use PowerShell. I think you could use the following command, but I haven't tried it out myself:
New-SelfSignedCertificate -Provider "Microsoft RSA SChannel Cryptographic Provider" -DnsName "my.domain.example.com" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -CertStoreLocation "cert:\LocalMachine\My"
Obviously, you need to replace the value of the -DnsName parameter.
Also take a look at these links:

How to enable LDAP over SSL with a third-party certification authority

New-SelfSignedCertificate

Generating self-signed certificates on Windows

Stephan van Hulst wrote:Yes. On Windows you can use PowerShell. I think you could use the following command, but I haven't tried it out myself:
New-SelfSignedCertificate -Provider "Microsoft RSA SChannel Cryptographic Provider" -DnsName "my.domain.example.com" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -CertStoreLocation "cert:\LocalMachine\My"
Obviously, you need to replace the value of the -DnsName parameter.
Also take a look at these links:

How to enable LDAP over SSL with a third-party certification authority

New-SelfSignedCertificate

Generating self-signed certificates on Windows

Thank you so much, Stephan.I will go through all the links you have provided and if any doubts I will post it.