Configure client authentication for Active Directory

• Log in to the Active Directory with the user "keyhub" (see Prepare AD).

• Open Microsoft Management Console (mmc.exe).

• Open File → Add /Remove Snap-in

• Select Certificates.

• Click Add.

• Click OK.

• Select My user account.

• Click Finish.

• Click OK.

• Right click Personal (from Console root → Certificates - Current User).

• Select All tasks → Request New Certificate.

• Click Next.

• Select User.

• Expand details.

• Click Properties.

• Select Subject tab.

• Fill in cn=keyhub in the Full DN Value box.

• Click Add.

• Click OK.

• Click Enroll.

• Done. Your client certificate is created.

• Right click the certificate you want to export.

• Select All tasks.

• Select Export.

• Click Next.

• Select Yes…​

• Click Next.

• Select Personal Information Exchange.

• Click Next.

• Select Password.

• Fill in your password.

• Click Next.

• Specify the name and location for your exported certificate.

• Click Next.

• Click Finish.

• Click OK

• Done. Your certificate and key are packed in a .pfx file.

• Install chocolaty following the instructions on their website.

• Change into the OpenSSL bin directory.

cd C:\Program Files\OpenSSL\bin

• Open Active Directory Users and Computers.

• Find the user keyhub.

• Right click and select Name Mappings.

• Select Add.

• Browse to the and open the .pem certificate file.

• Click OK.

• Click OK.

• Done. The user keyhub can now use a client certificate to bind.

• From the menu select MANAGE ACCESS.

• Find and click the Active Directory you want to configure.

• From the TLS dropdown menu select Client authentication.

• Upload your public certificate, private key and fill in your private key password.

• Click TEST.

• Click SAVE.

• Done. You are now using client authentication instead of a bind with username and password.