Category: LINUX
2011-11-15 16:07:07
Note: OpenSSL >1.0.0a will be included in future Linux distros (such as Ubuntu Oneiric). If you already have a recent enough OpenSSL, this section can be skipped.
If you are on 0.9.8a, 0.9.8e or 0.9.8g, download the patch.
Without the patch, the openssl pkcs12 command lacks the -CSP and -LMK options, and the final step that creates the cert.p12 private key bundle fails with an error.
There is a patch on the site mentioned above that enables OpenSSL to create certificates so that they are accepted by Windows for the LDAPS service. However, recent versions of OpenSSL now support this natively.
Compiling OpenSSL on Linux is straightforward:
Make sure you have a functioning build environment for this (on Debian-based systems you could do an apt-get install build-essential first).
This will install the latest OpenSSL in /usr/local/ssl which is good since you probably do not want to mess with your existing OpenSSL installation.
Creating the certificate
I recommend using the script from the extremely helpful site I mentioned above. Just make sure it uses your new OpenSSL config and binary:
Open the script in an editor to check if you want to change some of the parameters (such as certificate validity period). Then add this section to /usr/local/ssl/openssl.cnf:
This mainly adds the extended key usage required by Windows. (Credit, again, goes to Stephen Pillinger’s site linked above.)
Finally, OpenSSL needs a CA to sign your new certificates. Quickly create one like this:
What you enter here is mostly arbitrary. I used the FQDN of the windows server as the CN.
You’re now ready to run the script:
Be careful to enter the fully qualified domain name (hostname plus domain) of your Windows server as the Common Name (CN). Confirm signing and storing the certificate.
Also, export the CA certificate for importing it into Windows:
Have the cert.p12 and ca.crt files available somewhere where your Windows server can access them.
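As an added example that is not the blog's script or the site's code: a small shell script that carries out the steps above with a modern OpenSSL, creating the CA, a server certificate carrying the serverAuth extended key usage Windows requires, and the cert.p12 bundle with the -CSP and -LMK options mentioned earlier. The FQDN, output directory, passphrase and CSP name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the blog's script): build a CA, issue a server cert with the
# serverAuth extended key usage Windows requires for LDAPS, and export it as
# cert.p12 with the -CSP/-LMK attributes the post mentions. Assumes the openssl
# binary on PATH is >= 1.0.0a; the CN, directory and passphrase are placeholders.
set -e

# make_ldaps_cert <fqdn> <outdir> <p12-password>
make_ldaps_cert() {
  fqdn="$1"; out="$2"; pw="$3"
  mkdir -p "$out"
  # Minimal config: the v3_ldaps section mirrors what the post tells you to add
  # to openssl.cnf (serverAuth EKU); a SAN is added because newer clients match
  # the server name against the SAN rather than the CN.
  cat > "$out/ldaps.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $fqdn
[ v3_ldaps ]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$fqdn
EOF
  # 1. CA key and self-signed CA certificate (the "quickly create one" step)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LDAPS CA" -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  # 2. Server key and CSR for the Windows server's FQDN
  openssl req -new -newkey rsa:2048 -nodes -config "$out/ldaps.cnf" \
    -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  # 3. Sign with the CA, attaching the Windows-required extensions
  openssl x509 -req -days 825 -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -extfile "$out/ldaps.cnf" -extensions v3_ldaps -out "$out/server.crt" 2>/dev/null
  # 4. Bundle into cert.p12; -CSP and -LMK are the pkcs12 options old 0.9.8 builds lack
  openssl pkcs12 -export -in "$out/server.crt" -inkey "$out/server.key" -certfile "$out/ca.crt" \
    -CSP "Microsoft RSA SChannel Cryptographic Provider" -LMK \
    -passout "pass:$pw" -out "$out/cert.p12"
}

# check_server_auth <cert>: succeed only if the cert carries the serverAuth EKU
check_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
```

Run it as make_ldaps_cert ldap.example.local ./out changeit and then copy out/cert.p12 and out/ca.crt to the Windows server.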
Install the certificate for LDAPS authentication:
Install the CA certificate:
You should now restart the Active Directory Domain Services. (Not sure this step is really necessary.)
Testing
You can test locally using the ldp.exe tool. Choose Connect, set the FQDN of your LDAPS server, 636 as the port and activate the With SSL checkbox. You should see output similar to this:
…followed by some information about the LDAP service.
It should now be possible for external apps to authenticate users by querying this LDAP server using SSL.
Reference links: