Manage Active Directory certificates

This documentation [1] shows how to create and update certificates in Active Directory.


A certificate is mandatory to use LDAPS with Active Directory.

Create a certificate

  1. Using the Active Directory Control Panel – Add/Remove Programs administration tool:

    • Select Add/Remove Windows Components to start the Windows Components Wizard.
    • Place check marks next to Certificate Services and Internet Information Services (IIS).
    • Click Next>.
  2. Select Enterprise root CA as the Certificate Authority Type and click Next>.

  3. Enter a CA name (server name) and click Next>. On Windows Server 2003, this is the Common name for this CA.

  4. Leave the Data Storage Locations as default and click Next>.

  5. The software installation process is complete. Click Finish.

Update a certificate

When the AD certificate is about to expire, you probably want to update it with the same key.

To do this:

  1. Click Start → Run → mmc
  2. In MMC click Console → Add snap-in → Add → Certificates → Add → Computer Account → Next → Finish
  3. Expand Certificates (Local Computer)
  4. Go into the Personal branch
  5. Select the current certificate
  6. Right click on it → All tasks → Generate with the same key


You must restart the Active Directory server for the LDAP service to use the new certificate (yes, it’s a shame).
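To check which certificate a domain controller actually presents on LDAPS, and how long it remains valid, the following PowerShell script can be run from any Windows host; it is an added example and not part of the original documentation. The server name dc01.example.local is a placeholder, and the script accepts whatever certificate the server offers because its purpose is inspection, not trust validation.

```powershell
# Added example (not from the original documentation): connect to a domain
# controller on the LDAPS port, read the certificate it presents and report
# its expiry. Useful before and after the "Update a certificate" procedure.
# Assumption: 'dc01.example.local' is a placeholder for your DC's name.
param(
    [string]$Server   = 'dc01.example.local',
    [int]   $Port     = 636,
    [int]   $WarnDays = 30
)

# Accept any server certificate: we only want to inspect it here. Chain trust
# against the enterprise root CA is a separate check.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)
    # Copy the remote certificate so it stays usable after the socket is closed.
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $client.Close()
}

$daysLeft = [int]($remote.NotAfter - (Get-Date)).TotalDays
$status = if ($daysLeft -le 0) { 'EXPIRED' }
          elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
          else { 'OK' }

[pscustomobject]@{
    Server     = $Server
    Subject    = $remote.Subject
    Issuer     = $remote.Issuer
    Thumbprint = $remote.Thumbprint
    NotAfter   = $remote.NotAfter
    DaysLeft   = $daysLeft
    Status     = $status
}

# When run on the DC itself, confirm that the LDAP service picked up the
# certificate renewed in the Personal store (a restart is needed for that).
$local = Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $remote.Thumbprint }
if ($local) { "Presented certificate matches Personal store entry $($local.Thumbprint)" }
else        { "Presented certificate is not in this host's Personal store (remote host, or restart still pending)" }
```

Run it again after the restart described above: the Thumbprint should change to the renewed certificate and the Personal store match should be reported when executed on the DC.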


[1] Documentation comes from