Note: The GPO setting isn't applied until the registry value HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, DWORD 'LDAPServerIntegrity', has changed from the default 1 (signing not required) to the new setting of 2 (signing required). If you change it manually in the registry without updating the Default Domain Controllers GPO, it will go back to 1 after every gpupdate.) to obtain the self-signed root CA certificate, and copy all the output between and including the BEGIN CERTIFICATE and END CERTIFICATE lines into a plain text document. This file will need to be provided to the clients wanting to establish LDAP over SSL connections, so they can install the root CA certificate first.

This article helps you set up your own tiny CA using the OpenSSL software. Common web browsers already "ship" with a number of CAs.
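The copy-out step described above, as an added example that is not part of the original page: a small POSIX shell helper that selects one PEM certificate block (the BEGIN CERTIFICATE to END CERTIFICATE lines, inclusive) from text in the shape of `openssl s_client -showcerts` output. The host name dc01.example.test, the "Example Root CA" names and the sample output are placeholders constructed for this demo; the certificate bodies are not real base64 data.

```shell
#!/bin/sh
# Added example (not from the original page): pull one PEM certificate block
# out of text such as the output of
#   openssl s_client -connect dc01.example.test:636 -showcerts </dev/null
# (host name is a placeholder). Only the text between and including the
# BEGIN/END CERTIFICATE lines is kept, which is what a client needs to import.

# count_certs: number of certificate blocks on stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# extract_cert N: print the N-th block (1-based) from stdin, including the
# BEGIN and END lines. N=0 selects the last block, which in -showcerts output
# is the highest certificate in the chain the server sent (often, but not
# necessarily, the self-signed root). Exit status 1 if there is no such block.
extract_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock                       { blocks[n] = blocks[n] $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0 }
        END {
            if (want == 0) want = n
            if (n == 0 || want < 1 || want > n) exit 1
            printf "%s", blocks[want]
        }
    '
}

# save_last_cert FILE: write the last block from stdin to FILE, the plain
# text document that gets handed to the LDAPS clients.
save_last_cert() {
    extract_cert 0 > "$1"
}

# Constructed sample in the shape of s_client output; the certificate bodies
# are placeholder text, not real DER/base64 data.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = dc01.example.test
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERLEAFCERT0000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERROOTCERT0000000000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.example.test
issuer=CN = Example Root CA
EOF
)

# Stand-alone run: show the block that would be handed to the clients.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_cert 0
```

Before distributing the saved file, check what you actually captured with `openssl x509 -in FILE -noout -subject -issuer -fingerprint -sha256`: the subject and issuer should be identical for a self-signed root, and the fingerprint should match the one obtained from the domain controller's administrator by some route other than the LDAPS connection itself. A server that does not send its root in the chain leaves you with an intermediate as the last block, which is not what clients should install as a trust anchor.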
Otherwise, having a valid certificate for your server often just means that you spend money on big companies called . Running your own CA is fine if you only need certificates for your own use (e.g. for your private web server running HTTPS at home) and do not really care whether the CA is contained in other people's browsers. The only difference is that your clients will get a warning, when contacting your server, that the CA is not (yet) trusted. That warning can be clicked through once the certificate's fingerprint has been checked out of band, but the better option is to have them install your CA's certificate, so the warning disappears and nobody is trained to ignore it.
Microsoft only seems to trust CAs if they pay an unrealistic amount of money – who's surprised? It is worth spreading the word since this CA is about trust instead of money.