LDAPS with Microsoft AD CS: Should applications trust Root CA or Intermediate CA?


Max Coder

Dec 11, 2025, 3:06:52 PM
to ntsysadmin

Hi,

Let’s assume I need to configure LDAPS for an application, and a certificate is required for this purpose.
We are using a Microsoft two-tier Certificate Authority infrastructure.
On the Domain Controllers, the Kerberos Authentication certificate template is used for LDAPS.

My question is: Which certificate should be used on the application side in this scenario?

Additionally, for applications or appliances, should the Root CA certificate or the Intermediate CA certificate be used?

Michael B. Smith

Dec 11, 2025, 3:11:57 PM
to ntsys...@googlegroups.com

>> Additionally, for applications or appliances, should the Root CA certificate or the Intermediate CA certificate be used?

In general, the root CA only issues certs for the intermediate CA. Nothing else. (Not strictly true – but it shouldn’t be issuing application level or end-user visible certs.)

To answer the question in the subject line, the answer is “both”.

>> My question is: Which certificate should be used on the application side in this scenario?

I’m not sure I understand this question. The application will connect to the DC and validate that certificate. It doesn’t need its own certificate.


James Iversen

Dec 11, 2025, 4:59:32 PM
to ntsys...@googlegroups.com, ntsys...@googlegroups.com
If your app uses a userid \ pwd combination to establish the connection, a user cert .pfx could do the trick, containing the leaf\issuing\root to prove to AD. Strong mapping is the key. Log in to a Windows device, create a profile, edit a template to allow enrollment for the account, enroll, export with the key secured by a pwd, ship it off to the app server and import it. PKI is fun 🤩
Sent from my iPhone

Michael B. Smith

Dec 11, 2025, 5:05:48 PM
to ntsys...@googlegroups.com

Excellent point! Mutual authentication.
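As an added worked example (not from this thread, and not Microsoft's or anyone's product code), the script below mints a throwaway two-tier PKI shaped like the one in the question (an offline root that only signs an issuing CA, which in turn signs the DC's LDAPS certificate and an application certificate) and then runs real TLS handshakes in memory with the standard library's ssl module. That makes it possible to check, without a domain, each trust-store layout behind the "both" answer above and the mutual-authentication case from James's reply. All names (Example Root CA, Example Issuing CA, dc01.corp.example, app01.corp.example) are constructed, the in-memory handshake stands in for a connection to port 636, and the cryptography package is assumed to be installed.

```python
import datetime, os, ssl, tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DC_HOSTNAME = "dc01.corp.example"  # constructed for the demo
HAS_PARTIAL_CHAIN = hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN")  # flag exists on Python 3.10+

def make_cert(cn, issuer=None, is_ca=False, eku=ExtendedKeyUsageOID.SERVER_AUTH):
    """Return (cert, key); issuer is the signer's (cert, key), None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer = issuer[1] if issuer else key
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer[0].subject if issuer else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer.public_key()),
                        critical=False))
    if is_ca:  # a CA needs keyCertSign; strict verifiers reject a CA with no key usage at all
        b = b.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
            key_encipherment=False, data_encipherment=False, key_agreement=False,
            key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
    else:      # end entity: SAN must match the name the peer checks; EKU says what it is for
        b = (b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
              .add_extension(x509.ExtendedKeyUsage([eku]), critical=False))
    return b.sign(signer, hashes.SHA256()), key

def pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM).decode()

def _load_chain(ctx, chain_pem, key):
    """load_cert_chain() wants a file: own leaf first, then intermediates to send, then the key."""
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption()).decode()
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(chain_pem + key_pem)
    try:
        ctx.load_cert_chain(f.name)
    finally:
        os.unlink(f.name)

def ldaps_handshake(app_trust_pem, dc_chain_pem, dc_key, app_chain_pem=None, app_key=None,
                    dc_trust_pem=None, partial_chain=False):
    """App (client) trusts app_trust_pem, DC (server) presents dc_chain_pem; dc_trust_pem makes
    the DC demand a client cert chaining to it (mutual auth). Returns (ok, detail)."""
    app_ctx = ssl.create_default_context(cadata=app_trust_pem)  # CERT_REQUIRED + hostname check
    pc = int(getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0))     # Python 3.13 sets it by default
    app_ctx.verify_flags = (int(app_ctx.verify_flags) | pc) if partial_chain else (int(app_ctx.verify_flags) & ~pc)
    if app_chain_pem:
        _load_chain(app_ctx, app_chain_pem, app_key)
    dc_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    _load_chain(dc_ctx, dc_chain_pem, dc_key)
    if dc_trust_pem:
        dc_ctx.verify_mode = ssl.CERT_REQUIRED
        dc_ctx.load_verify_locations(cadata=dc_trust_pem)
    a_in, a_out, d_in, d_out = (ssl.MemoryBIO() for _ in range(4))
    app = app_ctx.wrap_bio(a_in, a_out, server_hostname=DC_HOSTNAME)
    dc = dc_ctx.wrap_bio(d_in, d_out, server_side=True)
    peers = [[app, a_out, d_in, False], [dc, d_out, a_in, False]]  # side, its out, peer's in, done
    for _ in range(20):
        for peer in peers:
            if not peer[3]:
                try:
                    peer[0].do_handshake()
                    peer[3] = True
                except ssl.SSLWantReadError:
                    pass  # waiting for the other side's next flight
                except ssl.SSLCertVerificationError as e:
                    return False, e.verify_message  # same text openssl/ldapsearch would report
                except ssl.SSLError as e:
                    return False, e.reason or str(e)
            data = peer[1].read()
            if data:
                peer[2].write(data)  # deliver this side's flight to the peer
        if peers[0][3] and peers[1][3]:
            return True, "ok"
    return False, "handshake did not complete"

def run_scenarios():
    """Each entry: (ok, detail) for one trust-store layout or auth mode."""
    root = make_cert("Example Root CA", is_ca=True)
    issuing = make_cert("Example Issuing CA", issuer=root, is_ca=True)
    dc = make_cert(DC_HOSTNAME, issuer=issuing)
    app = make_cert("app01.corp.example", issuer=issuing, eku=ExtendedKeyUsageOID.CLIENT_AUTH)
    root_pem, iss_pem, dc_pem, app_pem = pem(root[0]), pem(issuing[0]), pem(dc[0]), pem(app[0])
    dc_chain = dc_pem + iss_pem  # what a well-configured DC sends: leaf plus issuing CA
    return {
        "root_only, dc_sends_chain": ldaps_handshake(root_pem, dc_chain, dc[1]),
        "root_only, dc_sends_leaf": ldaps_handshake(root_pem, dc_pem, dc[1]),
        "root_and_issuing, dc_sends_leaf": ldaps_handshake(root_pem + iss_pem, dc_pem, dc[1]),
        "issuing_only, dc_sends_chain": ldaps_handshake(iss_pem, dc_chain, dc[1]),
        "issuing_only, partial_chain": ldaps_handshake(iss_pem, dc_chain, dc[1], partial_chain=True),
        "mutual, app_sends_chain": ldaps_handshake(root_pem, dc_chain, dc[1], app_pem + iss_pem, app[1], root_pem),
        "mutual, app_sends_nothing": ldaps_handshake(root_pem, dc_chain, dc[1], dc_trust_pem=root_pem),
    }
```

Calling run_scenarios() and printing the dictionary shows the pattern behind "both": trusting only the root works as long as the DC sends its issuing-CA certificate along with its own, and trusting root plus issuing CA works even when the DC sends only its leaf, which is the case that matters for an appliance that cannot fetch the intermediate on its own. Trusting only the issuing CA is refused unless the client explicitly accepts partial chains (Python 3.13's default context does, older versions do not), so it is not a configuration to rely on across products. The mutual case is James's scenario: the app presents its own leaf plus issuing CA and the DC validates it against the root, and the handshake fails when the DC demands a client certificate the app does not have. To see what a real DC presents, `openssl s_client -connect dc01.corp.example:636 -showcerts` lists the chain it sends (the hostname is the constructed one from this example).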
