// LAB 002 — HANDS_ON_LABS

LDAPS & PKI Certificate Lab

Deployed an Enterprise Root CA using AD Certificate Services, issued server certificates, and enabled LDAP over SSL on port 636 — hardening the AD environment against cleartext directory queries.

AD CS · PKI · LDAPS · Port 636 · ldp.exe · TLS · certutil

PREREQUISITE: LAB 001 Domain
CA TYPE: Enterprise Root CA
PROTOCOL: LDAPS / TLS 1.2+
VERIFIED WITH: ldp.exe + certutil

WHY LDAPS MATTERS

Standard LDAP transmits directory queries in cleartext on port 389, including the credentials sent in simple bind operations. In any compliance-regulated environment (HIPAA, NIST, DoD), LDAPS on port 636 is a baseline requirement. This lab walks through deploying PKI from scratch and enforcing encrypted directory communication.

STEP-BY-STEP EXECUTION
STEP 01
INSTALL ACTIVE DIRECTORY CERTIFICATE SERVICES

Installed the AD CS role on DC01. Chose Enterprise Root CA (not Standalone) so certificates are automatically trusted by all domain members via Group Policy.

powershell — DC01
PS C:\> Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

PS C:\> Install-AdcsCertificationAuthority `
-CAType EnterpriseRootCa `
-CaCommonName "CORP-ROOT-CA" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-ValidityPeriod Years `
-ValidityPeriodUnits 5 `
-Force

CertificationAuthority installation succeeded.
STEP 02
ISSUE A DOMAIN CONTROLLER CERTIFICATE

Requested a certificate for the DC using the built-in "Domain Controller" template. This is the certificate Schannel presents for LDAPS; without it, the DC won't serve LDAP over SSL even if the CA is installed.

cmd — DC01 (certlm.msc)
# Via MMC: certlm.msc → Personal → Certificates → Request New Certificate
# Selected template: Domain Controller
# Subject: CN=DC01.corp.local
# SAN: DNS=DC01.corp.local, DNS=corp.local

# Verify certificate issued
C:\> certutil -store My
================ Certificate 0 ================
Subject: CN=DC01.corp.local
Issuer: CN=CORP-ROOT-CA, DC=corp, DC=local
NotAfter: [1 year from issue date]
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
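The MMC request above does not tell you which certificate the DC will actually pick for port 636 once more than one lives in the machine store. The following is an added example, not part of the lab write-up, that enumerates Cert:\LocalMachine\My and reports, per certificate, the properties LDAPS depends on: a private key, the Server Authentication EKU, a SAN that carries the DC's FQDN, an unexpired validity period, and a chain that builds under the SSL policy via Test-Certificate from the PKI module. The FQDN DC01.corp.local is assumed from the lab; everything else is standard Windows.

```powershell
# Added example (not from the lab): which certificate in Cert:\LocalMachine\My qualifies for LDAPS?
# Assumption: the DC FQDN clients connect to is DC01.corp.local (as in the lab).
function Get-LdapsCandidateCertificate {
    [CmdletBinding()]
    param(
        # FQDN that LDAPS clients use; it must appear in the SAN (assumed: DC01.corp.local)
        [string]$DcFqdn = 'DC01.corp.local'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # EKU must include Server Authentication (the Domain Controller template adds it)
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($ekuExt -and
            ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

        # SAN must carry the FQDN; Format($false) renders it as "DNS Name=DC01.corp.local, DNS Name=corp.local"
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $sanOk   = $sanText -match [regex]::Escape($DcFqdn)

        # Test-Certificate (PKI module) builds the chain against this machine's Root store under the
        # SSL policy, so an untrusted issuer, a wrong EKU or a name mismatch all come back as $false.
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $DcFqdn -EKU $serverAuthOid `
                       -WarningAction SilentlyContinue -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuthEku  = $hasServerAuth
            SanMatchesFqdn = [bool]$sanOk
            ChainValid     = [bool]$chainOk
            Expired        = ($cert.NotAfter -lt $now)
        }
    }
}

$report = Get-LdapsCandidateCertificate -DcFqdn 'DC01.corp.local'
$report | Format-Table Thumbprint, Subject, HasPrivateKey, ServerAuthEku, SanMatchesFqdn, ChainValid, Expired -AutoSize

# Exactly one certificate should satisfy every column; zero means no LDAPS, more than one means
# Schannel picks the first valid certificate it finds, which may not be the one you intended.
$usable = @($report | Where-Object {
    $_.HasPrivateKey -and $_.ServerAuthEku -and $_.SanMatchesFqdn -and $_.ChainValid -and -not $_.Expired })
switch ($usable.Count) {
    0       { Write-Warning 'No certificate in Cert:\LocalMachine\My qualifies; port 636 will not come up.' }
    1       { "LDAPS candidate: $($usable[0].Thumbprint) ($($usable[0].Subject))" }
    default { Write-Warning "$($usable.Count) certificates qualify; the selection is not under your control." }
}
```

If the report shows more than one usable certificate (a web server certificate on the same host is the usual cause), the deterministic fix is to import the intended one into the AD DS service's own personal store (Certificates snap-in, service account "Active Directory Domain Services"), which the DC prefers over the Local Machine store.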
STEP 03
VERIFY LDAPS IS ACTIVE ON PORT 636

After the DC certificate is issued and the LDAP service restarts, port 636 should be open. Verified using both netstat and ldp.exe with SSL enabled.

cmd — DC01
# Restart LDAP service to pick up new certificate
C:\> net stop "Active Directory Domain Services" && net start "Active Directory Domain Services"

# Confirm port 636 is listening
C:\> netstat -an | findstr :636
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
TCP [::]:636 [::]:0 LISTENING

# Test with ldp.exe: Connection → Connect → DC01, Port 636, SSL checked
res = ldap_sslinit("DC01", 636, 1);
Established connection to DC01.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
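ldp.exe proves the bind interactively, but it does not record which TLS version was negotiated or which certificate the DC actually served, and it is easy to run only on the DC itself. The script below is an added example, not part of the lab, meant to be run from a domain member: it performs a TLS 1.2-only handshake against port 636 with normal .NET certificate validation, reports the negotiated protocol, cipher and served certificate, then does what ldp.exe does after "Established connection": an SSL LDAP bind with the current Kerberos identity and a rootDSE read. Assumptions: DC01.corp.local listens on 636, the caller is a domain member that trusts CORP-ROOT-CA, and the expected thumbprint is a placeholder to be replaced with the value certutil -store My printed on the DC.

```powershell
# Added example (not from the lab): scripted LDAPS check from a domain member.
# Assumptions: DC01.corp.local on 636; 'A1B2C3D4E5F6...' is a placeholder thumbprint.
function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        [string]$Server = 'DC01.corp.local',
        [int]$Port = 636,
        # Thumbprint of the DC certificate from Step 02 (placeholder; paste the real value)
        [string]$ExpectedThumbprint = 'A1B2C3D4E5F6...'
    )

    # 1. Raw TLS handshake: what does port 636 actually present?
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # No custom validation callback, so .NET applies its normal chain and hostname validation;
    # an untrusted issuer or a name mismatch surfaces as an AuthenticationException below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # TLS 1.2 only: an endpoint that cannot negotiate it fails here instead of silently downgrading
        $ssl.AuthenticateAsClient($Server, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $tls = [pscustomobject]@{
            Protocol          = $ssl.SslProtocol
            Cipher            = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject           = $served.Subject
            Issuer            = $served.Issuer
            Thumbprint        = $served.Thumbprint
            ThumbprintMatches = ($served.Thumbprint -eq $ExpectedThumbprint)   # -eq is case-insensitive
        }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        throw "TLS handshake with ${Server}:$Port failed certificate validation: $($_.Exception.Message)"
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # 2. LDAP over the TLS session: bind as the current user and read rootDSE, as ldp.exe does.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, not StartTLS
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base',
                    @('defaultNamingContext', 'dnsHostName'))
        $resp  = $conn.SendRequest($req)
        $entry = $resp.Entries[0]
        $ldap = [pscustomobject]@{
            BindSucceeded        = $true
            DefaultNamingContext = [string]$entry.Attributes['defaultNamingContext'][0]
            DnsHostName          = [string]$entry.Attributes['dnsHostName'][0]
        }
    }
    finally { $conn.Dispose() }

    [pscustomobject]@{ Tls = $tls; Ldap = $ldap }
}

$result = Test-LdapsEndpoint -Server 'DC01.corp.local' -ExpectedThumbprint 'A1B2C3D4E5F6...'
$result.Tls  | Format-List
$result.Ldap | Format-List
```

A handshake that succeeds on DC01 but fails on a member almost always means the root certificate has not reached that member's Root store yet, not that LDAPS is broken. Two notes on the restart step above: the DC reloads its LDAPS certificate without a stop/start of AD DS if you modify the rootDSE attribute renewServerCertificate (an LDIF with "add: renewServerCertificate" and value 1, imported with ldifde -i), which on a single-DC lab avoids taking DNS and the KDC down with NTDS; and port 389 itself is not necessarily cleartext, since Kerberos-signed and sealed LDAP runs there and domain members keep depending on it, so the usual hardening pairs LDAPS with required LDAP signing and channel binding rather than a blanket block of 389.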
STEP 04
VERIFY TLS ENCRYPTION ON LDAP QUERIES

Used certutil -verify -urlfetch on the exported DC certificate to confirm that the certificate chain resolves correctly to the Enterprise Root CA, that the AIA and CRL distribution point URLs are reachable, and that the leaf passes revocation checking; together with the ldp.exe SSL bind in Step 03, this confirms that queries over port 636 are served under a validated TLS certificate.

cmd — DC01
C:\> certutil -verify -urlfetch C:\cert.cer
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

# Confirm CA cert distributed to domain clients via GPO autoenrollment
PS C:\> Get-ChildItem Cert:\LocalMachine\Root | Where {$_.Subject -like "*CORP-ROOT-CA*"}
Thumbprint Subject
---------- -------
A1B2C3D4E5F6... CN=CORP-ROOT-CA, DC=corp, DC=local
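The certutil output above is a pass/fail summary, and the Get-ChildItem check only covers the machine it runs on. As an added example (not from the lab), the script below repeats the -urlfetch style verification in .NET so that every chain element and its revocation status is visible, and then asks a list of domain members over WinRM whether CORP-ROOT-CA has reached their Root store, which is the part of "distributed via GPO autoenrollment" that is easy to assume and rarely checked. Assumptions: the exported DC certificate is at C:\cert.cer as in the lab, WS01.corp.local and WS02.corp.local are placeholder member names, the thumbprint is the page's placeholder to be replaced with the real one, and Invoke-Command can reach the members.

```powershell
# Added example (not from the lab): element-by-element chain check plus a domain-wide Root store audit.
# Assumptions: C:\cert.cer from the lab; member names and the thumbprint are placeholders.
function Get-CertificateChainReport {
    param([string]$CertPath = 'C:\cert.cer')

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation for the entire chain, which exercises the same CDP/AIA URLs as certutil -urlfetch
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the Server Authentication application policy, as an LDAPS client would
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid('1.3.6.1.5.5.7.3.1'))) | Out-Null

    $built = $chain.Build($leaf)
    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Issuer  = $el.Certificate.Issuer
            Status  = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
                      else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
        }
    }
    [pscustomobject]@{
        ChainBuilds = $built
        # Last element is the trust anchor; for this lab it should be CN=CORP-ROOT-CA, DC=corp, DC=local
        Root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Elements    = $elements
    }
}

function Test-RootCaDistribution {
    param(
        [string[]]$ComputerName,
        # Thumbprint of CORP-ROOT-CA as listed in Cert:\LocalMachine\Root on DC01 (placeholder)
        [string]$RootThumbprint = 'A1B2C3D4E5F6...'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RootThumbprint -ScriptBlock {
        param($tp)
        $root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            RootPresent = [bool]$root
            # A missing root on a member usually means autoenrollment has not run yet;
            # "certutil -pulse" or "gpupdate /force" on that member triggers it.
            Subject     = if ($root) { $root.Subject } else { '(not present)' }
        }
    } | Select-Object Computer, RootPresent, Subject
}

$chainReport = Get-CertificateChainReport -CertPath 'C:\cert.cer'
$chainReport | Format-List ChainBuilds, Root, ChainStatus
$chainReport.Elements | Format-Table -AutoSize
Test-RootCaDistribution -ComputerName 'WS01.corp.local', 'WS02.corp.local' -RootThumbprint 'A1B2C3D4E5F6...'
```

ChainBuilds being $true with an empty ChainStatus is the .NET equivalent of "CertUtil: -verify command completed successfully"; a RevocationStatusUnknown or OfflineRevocation entry means the CRL at the CDP could not be fetched, which will also break LDAPS clients that check revocation even though the certificate itself is fine.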
RESULTS
  • Enterprise Root CA deployed on DC01 — CORP-ROOT-CA with 5-year validity, SHA-256, 2048-bit key
  • Domain Controller certificate issued via "Domain Controller" template, covering DC01.corp.local SAN
  • LDAPS active and verified on port 636 — confirmed via netstat and ldp.exe SSL bind
  • TLS encryption on all LDAP queries verified — cleartext port 389 queries can now be blocked
  • Root CA certificate automatically distributed to all domain members via GPO autoenrollment
  • Certificate chain validated end-to-end using certutil -verify