Active Directory LDAPS Somehow Holding on to the Expired Certificate
Windows Server 2008 Non-R2, 64bit. It's an AD domain controller. It uses a third party certificate (not AD CS and autoenrollment) in its Computer\Personal store to enable LDAP over SSL.
I obtained a new certificate to replace the expiring certificate. I imported it into the Computer\Personal store.
I deleted the old certificate entirely, I did not archive it. Now the new certificate is the only one left in the store.
I rebooted the domain controller just for good measure.
I have verified via Network Monitor packet capture from another machine, that the domain controller is still somehow handing out the old certificate to clients when they attempt to connect to the LDAP-S service using for example ldp.exe and connecting to port 636 with SSL.
How in the world is the domain controller still passing out the expired certificate? I've completely deleted it from the Computer\Personal store! This makes me a sad panda.
Edit: HKLM\SOFTWARE\Mirosoft\SystemCertificates\MY\Certificates
contains only one subkey, which matches the thumbprint of the new, good certificate.
There is only one certificate store that can take precedense over LocalMachine\Personal
, when AD DS tries to load a valid certificate for LDAP over SSL - that store is NTDS\Personal
!
Now, where can you find this store? Easy:
- Win+R -> "mmc"
- Add/remove snap-ins
- Select the "Certificates" snap-in
- In the dialog, select option 2 - "Service account"
- Select the local machine (next)
- Highlight "Active Directory Domain Services" and add the snap-in
The first store is called "NTDS\Personal" and it probably contains your certificate ghost :-)