Generating the LDAPS TLS certificates
You can use Entrust PKIaaS to generate LDAPS TLS certificates for each domain. Follow the steps in Issuing a certificate in a PKCS #12 and select the following values.
| Setting | Value |
|---|---|
| Certificate Authority | Select a certificate authority like the one described in Configuring an issuing CA for WSTEP. |
| Certificate Profile | Select the multiuse-p12-key-encipherment-client-server certificate profile of the multiuse group. |
| Subject DN | Enter a Common Name (CN) matching the FQDN of the Domain Controller, for example dc.example.com. |
| Certificate Expiry | Enter a period not exceeding 397 days. |
| Subject Alternate Names | The Subject Alternative Names must include a DNS name matching the FQDN of the Domain Controller. |
⚠ If you generate the LDAPS TLS certificates with a non-Entrust PKIaaS authority, ensure they are signed with a SHA-2 algorithm; SHA-1 certificates are not allowed because of the known weaknesses of SHA-1.
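To confirm that an issued certificate actually satisfies the settings in the table before it is used for LDAPS, the following PowerShell check inspects a certificate from the Domain Controller's machine store. It is added here as an example and is not part of Entrust's documentation or tooling; the function name Test-LdapsCertificate, its parameters, and the assumption that the PKCS #12 has already been imported into Cert:\LocalMachine\My are this example's own.

```powershell
# Added example, not Entrust documentation or code: checks an LDAPS certificate
# against the requirements in the table above once the PKCS #12 has been
# imported into the Domain Controller's machine store.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$DcFqdn,
        [int]$MaxLifetimeDays = 397
    )
    $findings = @()

    # Subject DN: the CN must be the Domain Controller's FQDN
    $cn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if ($cn -ne $DcFqdn) {
        $findings += "Subject CN '$cn' does not match the DC FQDN '$DcFqdn'"
    }

    # Subject Alternative Name (OID 2.5.29.17): a DNS entry must match the DC FQDN
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $findings += 'No Subject Alternative Name extension present'
    } else {
        # Format($false) renders the SAN as "DNS Name=dc.example.com, DNS Name=..."
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
        if ($dnsNames -notcontains $DcFqdn) {
            $findings += "SAN DNS names ($($dnsNames -join ', ')) do not include '$DcFqdn'"
        }
    }

    # Certificate Expiry: the validity period must not exceed 397 days
    $lifetime = ($Certificate.NotAfter - $Certificate.NotBefore).TotalDays
    if ($lifetime -gt $MaxLifetimeDays) {
        $findings += "Validity period of $([math]::Round($lifetime)) days exceeds $MaxLifetimeDays days"
    }
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $findings += "Certificate expired on $($Certificate.NotAfter)"
    }

    # Signature algorithm: SHA-2 only; sha1RSA, md5RSA and similar are rejected
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA
    if ($sigAlg -notmatch '^sha(256|384|512)') {
        $findings += "Signature algorithm '$sigAlg' is not a SHA-2 algorithm"
    }

    # Profile multiuse-p12-key-encipherment-client-server: Key Usage must include
    # KeyEncipherment, EKU must include serverAuth and clientAuth, and the
    # PKCS #12 import must have brought a private key for the LDAPS listener
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or -not ($ku.KeyUsages -band $keyEnc)) {
        $findings += 'Key Usage extension missing or lacks KeyEncipherment'
    }
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    foreach ($required in @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {  # serverAuth, clientAuth
        if ($ekus -notcontains $required) { $findings += "Enhanced Key Usage lacks $required" }
    }
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key associated with the certificate (check the PKCS #12 import)'
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage on the Domain Controller after importing the PKCS #12 into LocalMachine\My:
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Certificate $_ -DcFqdn $dcFqdn } |
    Format-List
```

The check reads the extensions directly rather than the Cert: provider's convenience properties, so it works both on certificates enumerated from the store and on an X509Certificate2 loaded from a file. A certificate that reports Passed = $false for any finding should be reissued with the corrected setting rather than bound to LDAPS.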