It is possible to generate a signed certificate for Windows Internet Authentication Service (IAS) and LDAPS access to an Active Directory using OpenSSL.
You need to generate a private/public key pair, sign it with your chosen CA, convert it to PKCS12 format and then import it into your Windows certificate store.
Sounds simple - it is until you find that Windows requires the PKCS12 file to contain a couple of Microsoft specific Bag Attributes. Namely the Cryptographic Service Provider name (oid=1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string.
OpenSSL currently doesn't support LocalKeySet so it's necessary to patch it yourself.
I have patches for various versions of OpenSSL. The concept for these patches was derived from a patch originally written by Daniel Carroll for version 0.9.7d.
Once you've got your new patched version of OpenSSL you need to generate a CSR in the usual way and get it signed by a CA. There are a few requirements that the certificate must comply with in order to work:
To add the extra bag attributes use the following command:
openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 \
    -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK
Import the PKCS12 file into your machine's personal certificate store and it should now work with PEAP or LDAP.
This is an example shell script I use to generate the certificates. In order to ensure that the certificate contains the correct extendedKeyUsage attributes you will need to add the following to your openssl.conf file:
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
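The whole procedure end to end (CSR, signing with the extension section above, PKCS12 export with the two Microsoft bag attributes, and a check that they really landed in the file), as an added example script that is not the author's own; it assumes an OpenSSL whose pkcs12 command already understands -CSP and -LMK, uses a throwaway CA, and the file names, subjects and password are constructed for the demo:

```shell
#!/bin/sh
# Constructed example: PEAP/LDAPS certificate pipeline with OpenSSL.
# Assumes "openssl pkcs12" accepts -CSP and -LMK (the patch described on
# the page adds exactly this to older releases). All names are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension section from the page, written to its own file for -extfile.
write_ext_file() {
    cat > "$WORK/ias_ext.cnf" <<'EOF'
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
    echo "$WORK/ias_ext.cnf"
}

# Throwaway self-signed CA (demo only; sign with your real CA in practice).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server key + CSR, signed with the sign_ias_csr section (EKU + KU set).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ias.example.test" \
        -keyout "$WORK/peap.key" -out "$WORK/peap.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/peap.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ias_ext.cnf" -extensions sign_ias_csr \
        -out "$WORK/peap.crt" >/dev/null 2>&1
    cat "$WORK/peap.key" "$WORK/peap.crt" > "$WORK/peap.pem"
}

# Export with the CSP name and LocalKeySet attributes Windows looks for.
export_p12() {
    openssl pkcs12 -name "PEAP Certificate" -export \
        -in "$WORK/peap.pem" -out "$WORK/peap.p12" -passout pass:changeit \
        -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK
}

# Verification: dump bag attributes and count the two Microsoft ones
# (OpenSSL prints them as "Microsoft CSP Name" and "Microsoft Local Key set").
count_ms_attrs() {
    openssl pkcs12 -in "$WORK/peap.p12" -nodes -passin pass:changeit 2>/dev/null \
        | grep -c -E 'Microsoft CSP Name|Microsoft Local Key set'
}
```

OpenSSL 3 defaults to PBES2/AES encryption for the PKCS12 file; if an older Windows release refuses the import, re-run the export with its -legacy option.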