Assuming Active Directory is already set up. See instructions for that here.
Enable Active Directory Certificate Services
- Open Server Manager
- Add Role
- Choose Active Directory Certificate Services.
- Open MMC
- File > Add/Remove Snap-In
- Choose 'Certificates' > 'Local Computer'
- Once added, right-click on Certificates > All Tasks > Request New Certificate > Active Directory Enrollment Policy > select the Domain Controller and Domain Controller Authentication checkboxes > Enroll
Note that, in the same MMC, the following Snap-Ins were also added; not sure whether they are needed, though:
- Certification Authority (Local)
- Certification Service (Active Directory Domain Services)
- Certification Service (Active Directory Certificate Services)
- Start > Run > ldp.exe
- Connect to the domain controller with the SSL option checked and port 636; a successful connection confirms the DC is serving LDAPS with the newly enrolled certificate
Export Certificate (for use with Client)
- On a Domain Controller, log in as an administrator and open Internet Explorer. Go to Tools > Internet Options > Content and click on Certificates
- Switch to the Trusted Root Certification Authorities tab and select the certificate issued by your Active Directory integrated Certificate Server. Click on Export
- Choose Base-64 encoded X.509 (.CER)
- Specify file name for the exported certificate
- Finish the export and copy the exported .cer file
Using the exported certificate with a Java client application:
- Copy the .cer file exported above to the Java client machine
- At the client machine execute the following command (replace "Alias" with a name of your choosing):
keytool -importcert -file cert.cer -keystore keystore.jks -alias "Alias"
Give a password when prompted, and answer yes when asked whether to trust the certificate.
This will create a .jks file that you can use as the truststore for your Java client program for SSL communication with Active Directory.
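As an added example (not code from the original page), a minimal Java client that uses the keystore.jks produced by the keytool step as its truststore, then performs an LDAPS simple bind and a search. The host name, DNs and environment variable names are assumptions; the DC host must match the name in the server certificate.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapsClient {
    // Assumed placeholders: replace with your DC's FQDN (it must match the
    // certificate's subject/SAN), your base DN and a bind account.
    static final String LDAPS_URL = "ldaps://dc01.example.local:636";
    static final String BASE_DN   = "DC=example,DC=local";
    static final String BIND_DN   = "CN=svc-ldap,CN=Users,DC=example,DC=local";

    public static void main(String[] args) throws Exception {
        // Secrets come from the environment (assumed variable names), not source.
        String trustPw = System.getenv("TRUSTSTORE_PASSWORD");
        String bindPw  = System.getenv("LDAP_BIND_PASSWORD");
        if (trustPw == null || bindPw == null) {
            throw new IllegalStateException("set TRUSTSTORE_PASSWORD and LDAP_BIND_PASSWORD");
        }
        // Point the JVM at the truststore created with keytool, so only the
        // AD CS root exported from the DC is trusted (not the JRE's cacerts).
        // Hostname (endpoint) identification for LDAPS is on by default; do not
        // disable it, or a valid certificate for another host would be accepted.
        System.setProperty("javax.net.ssl.trustStore", "keystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", trustPw);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");        // TLS from connect (LDAPS), not StartTLS
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);

        // TLS handshake (chain validated against keystore.jks) and bind happen here.
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(&(objectClass=user)(sAMAccountName=svc-ldap))", sc);
            while (results.hasMore()) {
                System.out.println("Found: " + results.next().getNameInNamespace());
            }
        } finally {
            ctx.close();
        }
    }
}
```

If the handshake fails with a PKIX path error, the truststore does not contain the CA that issued the DC's certificate; if it fails on hostname, the URL does not use the FQDN present in the certificate.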