Issue domain controller certificates

To enable smart card login and other active directory services, each domain controller must have a certificate. If you do not already have domain controller certificates, Nexus will issue such certificates for you.

This article describes how you can send certificate requests for all your domain controllers to Nexus and import the issued certificates in the truststores of each domain controller. This process is secure since the key never leaves the domain controller.

Prerequisites

If you do not have an existing certificate authority (CA), such as ADCS, you need to install the Microsoft Active Directory Certificate Services Tools (ADCS Tools) to perform this operation.

Step-by-step instruction

Request domain controller certificates

To request domain controller certificates from Nexus:

For each domain controller:
1. Log in to the domain controller.
2. Start the Microsoft Management Console (MMC).
3. Add the Certificates Snap-IN, select Computer Account.
4. Right-click on the folder Personal – Certificates and select -> Create Custom Request. Click Next.
5. Select the template “Kerberos Authentication” and PKCS#10 as format. Click Next.
6. Save the file, name the file with the domain controllers full FQDN, example dc1.example.com
Create a zip file including all the request files and send it to your Nexus contact.

When Nexus receives these request files, we will manually issue the certificates and send them back.

Import certificates

When Nexus receives these request files, we will manually issue the certificates and send them back.

To import the received certificates in the truststore.

After you received them you must import them into each domain controller’s personal truststore.
To import them, start MMC console and load Certificates -> Computer Account snap-pin and right click and select import.