For Active Directory domain controllers, the "Kerberos Authentication" certificate template (and newer) includes a couple of SAN entry options, like DNS name. This template can be used for auto-enrollment of domain controllers with an AD-integrated PKI, which is very nice and really convenient, and it reduces issues with the hands-free nature of this setup.
The problem comes when you are trying to put domain controllers behind a load-balancer, where LDAP over SSL requires the server certificate to have the "common" name present. The typical load-balancer setup would be something like having a VIP and a "common name", like "ldap.mycorp.org".
Well, you cannot make a secure connection (aka, LDAP over SSL) to "ldap.mycorp.org" unless that name is added to the SAN list.
Yes, I know I can create a manual request and supply the SAN entries in the request, but that's now going to require regular attention, making sure certificates don't expire, making sure you run the script or manual request process on any new domain controllers that will be behind a load-balancer... Too many opportunities for failure!!!
I'm sure I know the answer, but in case there are any super-geek PKI guys here who might have some suggestions beyond the typical "make a manual request and read this link" response. I have ALL the links I need for that. I wrote a script that does ALL of the steps ON the domain controller. The problem is, there is no way to do auto-enrollment, so the missing piece is monitoring for pending certificate expiration, plus then someone has to do a change request and run the manual process.
Ideally, I'd love to know if it's possible to modify the certificate template. I mean, obviously, they have the ability to have a SAN. My whole organization just needs one additional SAN on all DCs, the equivalent of "mycorp.org", except using the name "ldap.mycorp.org". This should already BE an option!!!!!!
As an alternative, I have a scripted process that works great, but it needs to be run at some point, and NEW DCs need this script run, which is usually the step that gets missed, which causes load-balancer issues/failures. I'm not sure what the best way is to get this script to run only when it's really needed (at a new DC deployment or a pending certificate expiration).
I know there are some genius PKI guys in this forum, so I'm looking forward to some interesting discussion!!
Thank you for your support!!
-- Rob "I" --
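The two trigger conditions the post names (a new DC that never got the manual request, and a certificate approaching expiry) can both be detected from the outside by inspecting what each DC actually presents on port 636. The script below is an added example, not the poster's script or anything from the thread: it enumerates the domain's DCs, pulls the LDAPS server certificate, and reports which ones lack the load-balancer name in the SAN or expire inside a warning window. The VIP name `ldap.mycorp.org`, the 30-day window, and the presence of the RSAT ActiveDirectory module are assumptions to adjust.

```powershell
# Added example (not from the original post): list DCs whose LDAPS (636)
# certificate lacks the load-balancer SAN or is close to expiry, so the
# manual enrollment process is run only where it is actually needed.
# Assumes the ActiveDirectory module; VIP name and window are placeholders.
param(
    [string]$RequiredSan = 'ldap.mycorp.org',
    [int]$WarnDays = 30
)
Import-Module ActiveDirectory

function Get-LdapsCertificate {
    param([string]$ComputerName)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, 636)
    # Accept any chain: we only inspect the presented certificate, we do not
    # rely on this connection for trust.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension; Format() yields
    # one "DNS Name=host" entry per line.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    ($ext.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

$deadline = (Get-Date).AddDays($WarnDays)
foreach ($dc in Get-ADDomainController -Filter *) {
    try { $cert = Get-LdapsCertificate -ComputerName $dc.HostName }
    catch {
        [pscustomobject]@{ DC = $dc.HostName; Status = 'NO LDAPS (run script)'; Expires = $null }
        continue
    }
    $sans   = @(Get-SanDnsNames -Cert $cert)
    $status = if ($sans -notcontains $RequiredSan) { 'MISSING SAN (run script)' }
              elseif ($cert.NotAfter -lt $deadline)  { 'EXPIRING (run script)' }
              else                                    { 'OK' }
    [pscustomobject]@{ DC = $dc.HostName; Status = $status; Expires = $cert.NotAfter }
}
```

Run it from a scheduled task and act only on rows whose Status is not OK; a freshly promoted DC shows up as MISSING SAN on the first run after it starts answering on 636.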