fortega
Staff
February 4, 2026

Technical Tip: How to create a certificate for the Domain Controller to use on an LDAPS service

Description This article describes how to create a certificate on FortiAuthenticator, signed by its local CA, for a Domain Controller to present on its LDAPS service (LDAP over TLS, TCP/636), and how to make FortiAuthenticator trust that certificate when it queries Active Directory over LDAPS.
Scope FortiAuthenticator.
Solution
  • Confirm the FQDN of the Domain Controller. The name placed in the certificate must be exactly the name FortiAuthenticator (and any other LDAPS client) will use to reach the DC, otherwise hostname validation fails.
  • In FortiAuthenticator, go to Certificate Management -> End Entities -> Users -> + Create New.

Fill in the following mandatory fields and save the settings.

 

  • Certificate ID: Descriptive name.
  • Subject (CN): FQDN of the DC.
  • Subject Alternative Name: FQDN of the DC, as a DNS name. Modern TLS clients match the SAN, not the CN, so this field is not optional.

Go to Advanced Options -> Extended Key Usages and add Server Authentication. Without this EKU, Schannel on the DC will not select the certificate for LDAPS.

 


 


 

  • On FortiAuthenticator, export the new certificate together with its private key from Certificate Management -> End Entities -> Users: select the certificate and choose 'Export Key and Cert'. The exported file contains the DC's private key, so protect it and its passphrase in transit and delete the copy once it has been imported on the DC.

 


 

  • On FortiAuthenticator, download the CA certificate used to sign this certificate under Certificate Management -> Certificate Authorities -> Local CAs.

 

  • On the Domain Controller, import the files downloaded from FortiAuthenticator. They must go into the 'Local Computer' (Computer Account) certificate store, not the current user's store, because the LDAP service runs as the machine.

The certificate and key belong in the 'Personal' store and the FortiAuthenticator CA certificate in 'Trusted Root Certification Authorities'. AD DS picks a certificate from the Personal store that has the Server Authentication EKU and a matching name; if several such certificates exist, the selection is not guaranteed, so remove stale ones. The new certificate is loaded on the next AD DS start, or immediately by issuing the renewServerCertificate rootDSE modify operation.

 

  • Finally, enable LDAPS on the FortiAuthenticator side. Go to Authentication -> Remote Auth. Servers -> LDAP, edit the AD server entry, set the server to the DC FQDN (not its IP address) on port 636, enable the secure connection with LDAPS, and select the local CA that signed the DC certificate as the CA certificate so FortiAuthenticator validates what the DC presents.

 


 

The LDAPS connection should now be established successfully. If it is not, check that the DC's FQDN as configured on FortiAuthenticator resolves and matches the certificate SAN, that the certificate in the DC's Personal store has its private key and the Server Authentication EKU, and that the FortiAuthenticator CA is in the DC's Trusted Root store.
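The Domain Controller side of the procedure above, as an added PowerShell example that is not part of the original article. It imports the exported key-and-certificate bundle and the FortiAuthenticator CA into the computer store, checks that the imported certificate has what Schannel needs (private key, Server Authentication EKU, DNS SAN matching the FQDN), asks AD DS to reload its certificate, and then opens a TLS connection to port 636 to confirm which certificate the DC presents. File names, the DC FQDN and the use of a passphrase-protected PKCS#12 file are assumptions; run it in an elevated prompt on the DC.

```powershell
# Added example, not from the original article. Assumptions (not in the original):
# file locations, the DC FQDN and that the FortiAuthenticator export is a PKCS#12 file.
$DcFqdn    = 'dc01.example.local'          # hypothetical; use the DC's real FQDN
$Pfx       = 'C:\certs\dc01.p12'           # 'Export Key and Cert' output from FortiAuthenticator
$CaCert    = 'C:\certs\FAC-LocalCA.crt'    # Local CA certificate downloaded from FortiAuthenticator
$PfxSecret = Read-Host -AsSecureString 'PKCS#12 passphrase'

# Import into the *computer* store: Personal (My) for the server cert + key, Root for the issuing CA.
$dcCert = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\LocalMachine\My -Password $PfxSecret
Import-Certificate -FilePath $CaCert -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Schannel only selects a certificate that has a private key, the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1) and a name matching the host, so verify all three before going further.
$eku = $dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
$san = $dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if (-not $dcCert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if (-not ($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))) { throw 'Missing Server Authentication EKU' }
if (-not ($san -and ($san.Format($false) -match [regex]::Escape($DcFqdn)))) { throw "SAN does not contain $DcFqdn" }

# Tell AD DS to pick up the new certificate without restarting (rootDSE renewServerCertificate).
@"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@ | Set-Content -Path "$env:TEMP\renew.ldf" -Encoding ASCII
ldifde -i -f "$env:TEMP\renew.ldf"
Remove-Item "$env:TEMP\renew.ldf"

# Confirm the DC answers on 636 and presents the imported certificate. AuthenticateAsClient
# validates the chain against the machine Root store and the hostname against the SAN,
# and throws if either check fails.
$tcp = New-Object Net.Sockets.TcpClient($DcFqdn, 636)
$tls = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
$tls.AuthenticateAsClient($DcFqdn)
$presented = New-Object Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
if ($presented.Thumbprint -ne $dcCert.Thumbprint) {
    Write-Warning "DC presented $($presented.Thumbprint), expected $($dcCert.Thumbprint); another Server Authentication certificate is being selected."
} else {
    "LDAPS OK: {0} presents {1} (thumbprint {2})" -f $DcFqdn, $presented.Subject, $presented.Thumbprint
}
$tls.Dispose(); $tcp.Dispose()
```

The thumbprint comparison at the end is the check that matters in practice: a DC that already has another Server Authentication certificate (for example from an enterprise CA) may keep presenting that one, and the FortiAuthenticator-side LDAPS test will then fail with a trust error even though the import itself succeeded.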

 
