Using a 3rd party CA (Entrust), I have successfully requested and installed Domain Controller certificates via the Certificates MMC snap-in.
I did this from one Domain Controller, and then just used the (right click) "Connect to another computer" option to do the rest. Everything looks absolutely fine, the certificates look ok.... certificate chain is complete, and valid (all CA certs are installed) and the certificates say "You have the private key that corresponds to this certificate".
If I do a LDAPS bind using LDP.exe, it works fine on the first DC.
Do this on the next and I get the error:
Cannot open connection
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DCHostname.
After some checking I looked in the folder C:\ProgramData\Microsoft\Crypto\Keys
This contains a lot of files on the DC I was logged onto when installing the certs, and no files on any of the other DCs. I am guessing this is the private key file and it has stored all of them on the local machine I was running MMC from rather than on the machines I connected to from MMC.
Is there any way to get these keys onto the correct DCs now - or will I have to re-request all of the others. The private key was not exportable.
I figured copying and pasting them was probably not going to work with a private key, but I tried it anyway just to be sure!
It is pretty annoying as no clue was given during the process of requesting and installing the certificates, and there is no error when you look at the certificate - they all think they have the private key associated to them, even though it rather looks like they don't!
It's a bit painful requesting certificates here, so any help in avoiding this would be appreciated! Thank you