How to do LDAPS queries from Linux to Active Directory pt. 2

Sub-Title:  “An easier way to export a MS AD CA root cert…”

After the popularity of my first post on this subject, I’ve decided to write a couple follow-ups to add some more tips around this subject.  As a result, this is part 2 in a series of 5 posts on this subject.  For background, please also see part 1, part 3, part 4, and part 5.

In “Part 1“, I instruct you to generate and export the Root CA certificate locally from the console of the CA server itself, for use in your SSL-based LDAPS query.  But what if the CA root certificate had been generated some time ago, or you are not able to to conveniently access that server’s console for some reason?

Luckily for you…  Since this is a MS AD CA server, if you have the “World Wide Web Service” component of IIS, *and* the “Web Enrollment Support” component of the CA server service, then there is a built-in web-based utility to help you out.  So given all that, here is a good alternate way to export the Root CA certificate from a Windows Certificate Authority:

  • Go to http://<caServer>/certsrv with a browser.  Of course, replace “<caServer>” with your server name or address.
  • Authenticate if needed, and follow the instructions to download the CA certificate in Base 64, which can install/import it into the browser certificate store.
  • Use the native browser certificate management tools to export it to file.

Caveat:  Remember, your MS server needs the “World Wide Web Service” component of IIS for this to work.  Without it, you will either get no response or a broken service response…

And that’s it!  That sure beats the 8 steps in the other post.  Now you can use the exported CA cert file to continue your LDAPSy fun….


Leave a Comment

Your email address will not be published. Required fields are marked *