How to install a certificate on Active Directory for Secure LDAP over TCP port 636

Aruba BLOG ClearPass

What is LDAPS (Lightweight Directory Access Protocol Over Secure Socket Links):

LDAPS is a distributed IP directory protocol like LDAP, but which incorporates SSL for greater security. The default port for an LDAPS service provider URL is 636. Among the two ports used for LDAP, TCP/UDP 389 and TCP 636, the latter is always recommended as it offers enhanced security and encryption.


Configuring LDAPS on your Domain Controller:

For your domain controller to support LDAPS, we will need to install a certificate that can be used for the SSL handshake. Therefore, before we proceed with the steps below, we assume that the Active Directory Certificate Services role has been installed already.

  1. Create a certificate template for LDAPS. Start by clicking on Start –> Certificate Authority:


AD Certification Authority


2. Expand the CA and select Certificate Templates. Right click and choose Manage:



3. Right click on the Kerberos Authentication template and select “Duplicate Template”:



4.  Since my Windows server version is Windows Server 2008 R2 Standard, I am choosing Windows Server 2008 Enterprise in the dialog box below. Note that Windows Server 2003 could be chosen and will still work fine:



5. Configure the General tab per the snapshot below and hit OK.



6. Now Right click on the Certificate Templates folder again and navigate to New –> Certificate Template to Issue:



7. Select the new template that we just created – LDAPS from this list and hit OK:



8. Now open the Run prompt and type mmc to open the Microsoft Management Console:



9. Select File –> Add/Remove Snap-in:



10. Select Certificate from the list of Available snap-ins and hit the Add button:



11. Choose Computer account and hit Next:



12. Leave the selection to Local Computer, hit Finish and then OK:



13. Now the Certificates tab would be available. Navigate to the Personal –> Certificate folder. Right click, select All Tasks –> Request New Certificate…



14. Hit Next on the “Before You Begin” screen and choose “Active Directory Enrollment Policy” on the next page:



15. Check the box against LDAPS and hit the Enroll button:



16. Now in the Certificates folder, you would see the new certificate generated:



17. Extended Key Usage for the new certificate:



18. Sanity check from a RADIUS server (Clearpass in this case) using TCP port 636 after importing our AD Root CA to the Trust list of the server:



For any questions or suggestions, please drop an email to the author – Thiyagarajan Palanisamy at [email protected]

Scroll to Top