How to import a certificate into the AD DS personal store in Server Core


All replies

  • Hello,

    Did you try the mentioned way with a Windows 7 machine, using the Server Core machine instead of the local computer?

    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Tuesday, December 7, 2010 7:10 AM
  • Mark,

    I am pretty sure it would work as long as you use the MMC Certificates snap-in. My dilemma is that all our AD servers are in Server Core. I tried following the TechNet guide "Domain Controller Certificate Installation", but it also installed the cert in the DC personal store and not in the NTDS\Personal store.

    BTW, I can use the Certificates MMC to remotely connect to my DC, but it would not allow me to import a PFX file.

    Tuesday, December 7, 2010 10:51 AM
    • Marked as answer by Bruce-Liu Wednesday, December 15, 2010 6:56 AM
    Tuesday, December 7, 2010 1:00 PM
  • Can anyone confirm that Marcin's solution would work on a Windows Server 2008 R2 SP1 Core domain controller? I found a link in a KB that would imply otherwise.

    My account is not verified. Source: Bing, "How to enable LDAP over SSL with a third-party certification authority"

    Active Directory Domain Services Certificate Storage

    When a certificate is selected from the local machine store (as in CertEnumCertificatesInStore), the first valid certificate that can be used for Server Authentication (OID: ) is returned for use. In cases where customers have multiple certificates valid for Server Authentication in the LDAP server's (e.g. AD DS domain controller, AD LDS, or ADAM server) local computer certificate store, they may see that a different certificate than the one they want is used for LDAPS communications. The best resolution to such an issue is to remove all unnecessary certificates from the local computer certificate store and have only one certificate that is valid for server authentication.

    However, if there is a legitimate reason for two or more certificates, and the customer is using at least Windows Server 2008 LDAP servers, the Active Directory Domain Services (NTDS\Personal) certificate store can be used for LDAPS communications.

    Important: There are several significant details to know before you implement the use of the Active Directory Domain Services certificate store.
    1. Automatic certificate enrollment (auto-enrollment) cannot be utilized with certificates in the NTDS\Personal certificate store.
    2. Current command line tools do not allow certificate management of the NTDS\Personal certificate store.
    3. Certificates should be imported into the store, and not moved (using drag and drop) via Certificates console (MMC)
    4. Each LDAP server will require its own certificate in order to use this option, but it is only necessary to use this option on a server that has multiple certificates with the purpose of Server Authentication in the local certificates store. The best solution is to have only one certificate in the computer's personal certificate

    Monday, June 17, 2013 6:58 PM
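    The quoted KB says that no command-line tool manages the NTDS\Personal store and that certificates must be imported, not moved. The script below is an added example written for this page; it is not code from the thread, from the KB, or from the linked workaround article. It does the import on the Server Core DC itself by opening the service store ("NTDS\My", which the MMC shows as Active Directory Domain Services\Personal) through the Win32 CertOpenStore API with the CERT_SYSTEM_STORE_SERVICES location, something the Cert: drive and Import-PfxCertificate cannot reach. It assumes an elevated PowerShell session on the DC; $PfxPath, $PfxPassword and the Win32.Crypt32 wrapper name are placeholders chosen here.

```powershell
# Added example (not from the thread or the linked article): import a PFX into the
# NTDS service's personal store on a Server Core DC without the Certificates MMC.
# Assumptions: run elevated on the DC itself; $PfxPath and $PfxPassword are supplied
# by the caller; the Win32.Crypt32 wrapper type is our own name.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [Parameter(Mandatory = $true)] [Security.SecureString] $PfxPassword
)

$ErrorActionPreference = 'Stop'

# The Cert: drive only exposes the CurrentUser and LocalMachine locations. Per-service
# stores live in a separate location (CERT_SYSTEM_STORE_SERVICES), so open it via crypt32.
Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider,
    uint dwMsgAndCertEncodingType, IntPtr hCryptProv, uint dwFlags, string pvPara);

[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
'@

$CERT_STORE_PROV_SYSTEM_W   = [IntPtr] 10   # "system store" provider, wide-char store name
$CERT_SYSTEM_STORE_SERVICES = 0x00050000    # location id 5 << 16 (CERT_SYSTEM_STORE_LOCATION_SHIFT)
$ServiceStoreName           = 'NTDS\My'     # "<service name>\<store name>"

# 1. Pre-check: how many Server Authentication certs already sit in LocalMachine\My.
#    The KB's selection problem only arises when there is more than one. A cert with
#    no EKU extension at all is usable for any purpose, so it is counted as well.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$competing = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}
Write-Host ("LocalMachine\My holds {0} certificate(s) usable for Server Authentication." -f @($competing).Count)

# 2. Load the PFX. MachineKeySet puts the private key in the machine key store (readable
#    by NTDS, which runs as LocalSystem); PersistKeySet keeps it on disk after we exit.
#    Importing, rather than dragging a cert between stores, keeps the key association.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $PfxPath, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw "The PFX did not carry a private key; LDAPS needs one." }

# 3. Open NTDS\My in the services location and add the certificate.
$hStore = [Win32.Crypt32]::CertOpenStore($CERT_STORE_PROV_SYSTEM_W, 0, [IntPtr]::Zero,
                                         $CERT_SYSTEM_STORE_SERVICES, $ServiceStoreName)
if ($hStore -eq [IntPtr]::Zero) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw ("CertOpenStore('{0}') failed with Win32 error 0x{1:X8}" -f $ServiceStoreName, $err)
}
try {
    # X509Store(IntPtr) wraps an already-open handle, so no Open() call is needed.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($hStore)
    $store.Add($cert)
    $store.Close()
} finally {
    [void][Win32.Crypt32]::CertCloseStore($hStore, 0)
}

# 4. Verify: service stores are persisted under HKLM, one subkey per thumbprint.
$regKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\' +
          $cert.Thumbprint
if (Test-Path $regKey) {
    Write-Host ("Imported '{0}' (thumbprint {1}) into {2}." -f $cert.Subject, $cert.Thumbprint, $ServiceStoreName)
} else {
    throw "Certificate not found in the NTDS service store after import."
}
```

    Run it as `.\Import-NtdsCert.ps1 -PfxPath C:\dc.pfx -PfxPassword (Read-Host -AsSecureString)`, then confirm by opening an LDAPS session to port 636 from a client and checking which certificate it receives. Once NTDS\My holds a certificate, AD DS uses it in preference to whatever is in LocalMachine\My, which is the behaviour the quoted KB describes; the pre-check in step 1 only tells you whether you needed this route at all.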
  • Import PFX / P12 File to the NTDS Service Personal Certificate Store [Server Core Workaround] link:
    • Edited by HiroWat Wednesday, April 6, 2016 9:50 PM
    Wednesday, April 6, 2016 9:49 PM