Install NTDS Service Certificate for LDAPS on Windows Server Core

Import the PFX File

 1$pword = Read-Host -AsSecureString
 2# enter the password to extract the PFX file
 3
 4$splat = @{
 5  Password = $pword
 6  CertStoreLocation = 'Cert:\LocalMachine\My\'
 7  FilePath = '.\your-pfx-file-name.pfx'
 8}
 9
10Import-PfxCertificate -Exportable @splat
11# on success, it outputs the certificate thumbnail

Export the Registry Key

1reg export HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\your-certificate-thumbprint cert_export.reg

Replace your-certificate-thumbprint with your actual certificate thumbprint.

Edit the Registry File

1notepad cert_export.reg

Replace the top level registry key information as follows:

Original: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\your cert thumbprint goes here]

Replacement: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\your cert thumbprint goes here]

Replace the original registry header with the replacement. Don't forget to replace the your cert thumbprint goes here with your actual certificate thumbprint--otherwise, the certificate will not work.

Save the file (Ctrl-S) and continue on to the import.

Import the Registry Key

1reg import cert_export.reg

Confirm it Installed

Even on Windows Server Core, you can use the regedit.exe graphical registry editor. To check the import, execute regedit.exe.

You should see a blob value containing the binary data for the certificate and the keys. If you don't, confirm the data (especially the piece you replaced) in the registry export file.

Delete the LocalMachine Certificate

1certutil -delstore My your-certificate-thumbprint-goes-here

Again, replace the your-certificate-thumbprint-goes-here with the above certificate thumbprint. Then, reboot.

1shutdown /r /t 0