Install NTDS Service Certificate for LDAPS on Windows Server Core

Several of these steps require an administrative (elevated) command prompt, so open one before you begin.

Import the PFX File

    $pword = Read-Host -AsSecureString
    # enter the PFX file's password at the prompt

    $splat = @{
      Password          = $pword
      CertStoreLocation = 'Cert:\LocalMachine\My\'
      FilePath          = '.\your-pfx-file-name.pfx'
    }

    Import-PfxCertificate -Exportable @splat
    # on success, it prints the imported certificate (thumbprint and subject)

Make note of the certificate thumbprint. You'll need it for several of the following steps.

Export the Registry Key

    reg export HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\your-certificate-thumbprint cert_export.reg

Replace your-certificate-thumbprint with your actual certificate thumbprint.

Edit the Registry File

    notepad cert_export.reg

Replace the top-level registry key path as follows:

Original: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\your cert thumbprint goes here]

Replacement: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\your cert thumbprint goes here]

Replace the original registry header with the replacement. Don't forget to replace your cert thumbprint goes here with your actual certificate thumbprint; otherwise, the certificate will not work.

Save the file (Ctrl-S) and continue on to the import.

Import the Registry Key

    reg import cert_export.reg

Confirm it Installed

Even on Windows Server Core, you can use the regedit.exe graphical registry editor. To check the import, run regedit.exe and navigate as follows:

  • Open the HKEY_LOCAL_MACHINE registry key
  • Expand the following subkeys
      • Microsoft
        • Cryptography
          • Services
            • NTDS
              • SystemCertificates
                • My
                  • Certificates
                    • The Certificate Thumbprint

Use the certificate thumbprint from the previously executed Import-PfxCertificate command.

You should see a Blob value containing the binary data for the certificate and the keys. If you don't, re-check the registry export file, especially the key path you replaced.

Delete the LocalMachine Certificate

    certutil -delstore My your-certificate-thumbprint-goes-here

Again, replace your-certificate-thumbprint-goes-here with the thumbprint from the import. Then reboot.

    shutdown /r /t 0

The cert_export.reg file contains encrypted data that will not work on other computers. If you need to install the same certificate on multiple servers, you must execute this process on each one of them.
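After the reboot, this added PowerShell check (not part of the original post) confirms both that the thumbprint is present under the NTDS service store key and that the directory service is actually presenting that certificate on port 636. It assumes the expected thumbprint and the server name are passed in as parameters.

```powershell
# Added verification script; not from the original post. Assumes the expected
# thumbprint and the DC name are supplied as parameters.
param(
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,
    [string] $Server = $env:COMPUTERNAME,
    [int]    $Port   = 636
)

# Normalise the thumbprint (strip spaces/colons, upper-case) before comparing.
$thumb = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Confirm the certificate landed in the NTDS service store that the .reg import targets.
$ntdsStore = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
$inStore   = Test-Path -Path (Join-Path $ntdsStore $thumb)
"NTDS store contains $thumb : $inStore"

# 2. Open a TLS session to the LDAPS port and capture the certificate the DC presents.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Server, $Port)
    # The callback accepts any chain on purpose: we only want to see which
    # certificate is served, not validate trust here.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Server)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

"Served subject   : $($served.Subject)"
"Served thumbprint: $($served.Thumbprint)"
"Served expires   : $($served.NotAfter)"

if ($served.Thumbprint -eq $thumb) {
    'LDAPS is presenting the expected certificate.'
} else {
    Write-Warning 'LDAPS is presenting a different certificate; re-check the .reg key path and reboot again.'
}
```

If the connection is refused outright, the DC has no usable certificate in the NTDS store, so revisit the registry import rather than the TLS check.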