They are asking me to install a TLS certificate in our Active Directory to make our Meraki routers work with AD. We currently have some services that use AD users, including a database. Will there be a problem if I install this certificate, like an authentication error or the current connections that use AD users being disabled?
"Install a TLS Certificate in our Active Directory" doesn't really mean anything. Where and how will you install this certificate? What will it be used for? – Massimo Feb 01 '21 at 22:07
@Massimo We are going to install this certificate on one of our Active Directory servers. I am planning on doing so with the Active Directory Certificate Services role. We are going to generate one ourselves; I know this is not recommended, but we are going to test it that way. After doing that, we are going to configure our Meraki routers to point to that server to access our AD with the certificate installed. I am really new at this, so I am sorry if I am missing something else that I need to mention. – Tirux Feb 02 '21 at 19:16
This makes *even less* sense. ADCS is a Certification Authority; it's used to *create* certificates (and you should really avoid installing the role on a Domain Controller). Also, you still didn't explain what you mean by "access our AD with the certificate installed". I understand you are new to this, but you really should provide more details to at least allow us to understand what you are talking about and what you are trying to achieve. – Massimo Feb 02 '21 at 19:42
@Massimo This is the guide that I need to follow for the Meraki AD integration: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Active_Directory_Issue_Resolution_Guide#Failure_to_Connect_to_the_AD_Server And this is the guide to the certificate requirements: https://documentation.meraki.com/General_Administration/Other_Topics/Certificate_Requirements_for_TLS Why should I avoid installing the ADCS role on a Domain Controller, btw? – Tirux Feb 02 '21 at 21:07
Ok, now it's definitely more clear. You need certificates on Domain Controllers to use LDAPS (LDAP over SSL). See my answer. – Massimo Feb 02 '21 at 21:43
2 Answers
I don't see how this would cause any problems.
You can deploy the certificate using Group Policy.
From the links you provided, it looks like you need to enable LDAPS (LDAP over SSL) on your Domain Controllers. This requires a valid certificate on each DC which can be matched to the server's FQDN. The certificate must be issued by a trusted Certification Authority.
A common way to achieve this in an Active Directory environment is to create an internal Certification Authority using Active Directory Certificate Services (AD CS); if you create an AD-integrated CA (also known as "Enterprise"), Domain Controllers will automatically request and enroll appropriate certificates and enable LDAPS using them; this should cause no authentication issues to whoever is using plain LDAP, because plain LDAP access will remain available (unless you explicitly disable it via GPO).
Since this will be a private Certification Authority, nobody outside your AD domain will automatically trust its certificates; thus you will need to import the CA's root certificate in your network devices.
Please don't install a Certification Authority on a Domain Controller; this will become a heavy problem when you need to demote, rename or replace that DC.
You can also use a certificate issued by a public Certification Authority, which will be automatically trusted by all systems; but you will have to buy it and install it manually on the DC(s), and renew it periodically; also, this can only be done if your AD domain name is a public DNS domain you own; nobody will sell you a certificate for "server.domain.local".
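As an added example (not part of either answer, and not Meraki's or Microsoft's code), a small Python check of what the second answer requires of each DC's certificate: it must chain to the CA root you import into the network devices and it must name the DC's FQDN, which is exactly what the Meraki appliance verifies before trusting the directory. The hostname dc01.corp.example, the file ca-root.pem and the sample certificate dictionary are assumed placeholders, not values from this thread.

```python
import socket
import ssl
import time

def name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 rules)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == pattern[2:]
    return False

def cert_names(cert: dict) -> list:
    """DNS names from the SAN extension; the subject CN only if there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def evaluate_cert(cert: dict, fqdn: str, now: float = None) -> dict:
    """Offline checks on a getpeercert()-style dict: FQDN match and validity period."""
    now = time.time() if now is None else now
    return {
        "names": cert_names(cert),
        "name_ok": any(name_matches(n, fqdn) for n in cert_names(cert)),
        "current": ssl.cert_time_to_seconds(cert["notBefore"]) <= now
                   <= ssl.cert_time_to_seconds(cert["notAfter"]),
        "issuer": {k: v for rdn in cert.get("issuer", ()) for k, v in rdn},
    }

def fetch_dc_cert(fqdn: str, ca_file: str, port: int = 636) -> dict:
    """TLS handshake with the DC on 636. create_default_context() enforces chain
    validation against ca_file (the internal CA root) and hostname matching, so a
    certificate the appliance would reject raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((fqdn, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

SAMPLE_CERT = {  # constructed sample in getpeercert() layout, not from a real DC
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
    "issuer": ((("commonName", "Corp Enterprise CA"),),),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
}
```

Against a live DC, run `evaluate_cert(fetch_dc_cert("dc01.corp.example", "ca-root.pem"), "dc01.corp.example")`; a verification error from the handshake is the same failure the Meraki appliance will report.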