How to create autorenewing Cert in NTDS store (Windows)

My domain is: ad.ocmboces.org

My web server is (include version): NA

The operating system my web server runs on is (include version): Windows Server 2022 Std

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): WACS 2.2.9.1701

So I am trying to use LetsEncrypt to manage a certificate used for LDAPS. Our use case needs the certificate to be in the Active Directory Domain Services service store. I'm using WinAcme for now but I'm not sure if there's a better way as I have so far been unable to figure out a way to place that certificate in the NTDS store. Can anyone guide me?

Relevant output (I think):

How would you like to store the certificate?:

1: [WebHosting] - Dedicated store for IIS
2: [My] - General computer store (for Exchange/RDS)
3: [Default] - Use global default, currently WebHosting

Choose store to use, or type the name of another unlisted store: NTDS\SystemCertificates\MY\Certificates\

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

Would you like to store it in another way too?:

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Which installation step should run first?: 3

Existing renewal: [Manual] ad.ocmboces.org - 3 renewals, due 2026/7/21

Overwrite settings? (y*/n) -

Overwriting previously created renewal

Plugin Manual generated source ad.ocmboces.org with 1 identifiers
Plugin Single created 1 order
Renewing [Manual] ad.ocmboces.org
Using cache for [Manual] ad.ocmboces.org. To get a new certificate within 1 days, run with --nocache.
Store with CertificateStore...
Installing certificate in the certificate store
Unable to save using CryptoAPI, retrying with CNG...
Error saving main certificate
(CryptographicException) Unable to store certificate: The parameter is incorrect.

Create certificate failed, retry? (y/n*)

The NTDS store is not an "official" store in .Net land, so it's not addressable in PowerShell etc. However, stores are actually a combination of registry entries and keys (keys are stored in the filesystem).

Googling suggests that the workaround is to import the cert to any normal store, then copy the same thumbprint to the NTDS registry key:

HKLM\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\<thumbprint>

Then remove the entry for the original cert import (so it's not in two stores at the same time).

Based on:

https://gist.github.com/mcc85s/ed0844542f2aae23562b85d2ad74cc70

https://www.reddit.com/r/sysadmin/comments/7hygzp/server_core_import_cert_to_ntds_store/

However, the cleaner-looking suggestion I found was to use certutil to import directly to the target store:

For that, I would suggest not storing the original cert in the computer certificate store (My/Personal etc.) so you can skip the step of cleaning it up from the original store.

I don't know how you arrange that scripting with win-acme, but in Certify The Web (which I develop) it would be a Deployment Task (Run a PowerShell script etc). You can also use Posh-ACME etc.

Here's also a similar PowerShell-based suggestion to the above import/move/delete dance: Configure secure LDAP (LDAPS) in Active Directory with Let's Encrypt | Devolutions
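The import/copy-registry-key/delete sequence described in the answer above, written out as a PowerShell script. This is an added example, not code from the original post, from win-acme or from Certify The Web; it is the kind of script you would hook in as a post-renewal step. The PFX path and password are placeholders, the DC name is derived from the local host, and the final reload step uses the rootDSE renewServerCertificate operation so the DC picks up the new certificate without a reboot. Run it elevated on the domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example: place a renewed PFX into the AD DS (NTDS) service certificate store.
# Assumptions (not from the original thread): the PFX path and password below, and that
# the DC's own FQDN is what LDAPS clients connect to.
param(
    [string]$PfxPath     = 'C:\ProgramData\win-acme\ad.ocmboces.org.pfx',   # assumed path
    [string]$PfxPassword = 'changeme',                                        # assumed password
    [string]$ServerName  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ErrorActionPreference = 'Stop'
$machineMy = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates'
$ntdsMy    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

# 1. Import into a normal store first: X509Store (and therefore the Cert: drive and
#    win-acme's CertificateStore plugin) cannot address a service store like NTDS.
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$cert   = Import-PfxCertificate -FilePath $PfxPath -Password $secure -CertStoreLocation Cert:\LocalMachine\My
$thumb  = $cert.Thumbprint

# 2. A store entry is just a registry key named by the thumbprint whose 'Blob' value holds
#    the encoded certificate and its properties, including the pointer to the private key
#    container. Copying that key is what "moving the cert into the NTDS store" means.
$blob = (Get-ItemProperty -Path "$machineMy\$thumb" -Name Blob).Blob
$dest = New-Item -Path "$ntdsMy\$thumb" -Force
Set-ItemProperty -Path $dest.PSPath -Name Blob -Value $blob -Type Binary

# 3. Remove the copy from LocalMachine\My so the cert is not in two stores at once.
#    No -DeleteKey: the private key file stays, and the NTDS entry still references it.
Remove-Item -Path "Cert:\LocalMachine\My\$thumb"

# 4. Ask the DC to reload its server certificate (rootDSE renewServerCertificate).
$rootDse = [ADSI]'LDAP://localhost/RootDSE'
$rootDse.Put('renewServerCertificate', 1)
$rootDse.SetInfo()

# 5. Verify that LDAPS now presents the certificate we just placed.
function Get-LdapsThumbprint {
    param([string]$TargetHost, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # The validation callback returns $true on purpose: we only want to read the leaf
        # certificate here, not trust it. Do not reuse this callback for real connections.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $leaf.Thumbprint
    } finally {
        $tcp.Close()
    }
}

$served = Get-LdapsThumbprint -TargetHost $ServerName
if ($served -ne $thumb) {
    throw "LDAPS on $ServerName is serving $served, expected $thumb"
}
"LDAPS on $ServerName now serves $thumb"
```

Two things to watch when wiring this into a renewal: the script must run as an administrator on the DC itself (the registry key and the machine key container are local), and if the DC has more than one usable certificate in the NTDS store, Schannel chooses among them, so removing the expired entry from the NTDS key after each renewal keeps the selection predictable.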

This is very much out of the area I'm familiar with, but simple-acme (a fork of win-acme maintained by the original developer) has sample scripts that can be run to handle installation, one of which is called ImportNTDS.

Thanks a bunch everyone!

Good catch!