Get Windows AD DC with SHA1 signed cert to accept LDAP (StartTLS) connections from OpenSSL 3 clients

Trying to get Windows Active Directory DC (with SHA1 signed certificate) to accept LDAP(StartTLS) connections from WordPress Server using Next Active Directory Integration plugin. WordPress is running on PHP 8.2.4 and OpenSSL 3.0.8 which by default no longer allows use of certificates signed using SHA1. Want to know if Windows AD LDAP can be configured with multiple/fallback certificates to make this work without changing LDAP client configuration.

While I don't believe you can force Windows to fallback to a lower standard certificate - that sounds like the seed of yet another vulnerability - you could instead have multiple DCs with different certs on each to allow for your scenario.

Presumably, you're using a SHA1 certificate because you have some legacy application which can't work with modern hash algorithms?

Assuming that the application which only accepts SHA1 hash algorithms is a minority:

1. create a SHA1 self-signed certificate for use between this old application and one or two DCs; then
2. upgrade your PKI to SHA256 which can be used to for the rest of your estate, including your WordPress site.

Alternatively, if the SHA1 only applications are a majority:

1. create a SHA256 self-signed certificate for a new DC (or two) which is accessed by the WordPress server; then
2. Find a mirror and have a stern word with yourself about the risks of using SHA1 ;-)

Active Directory cannot be configured to use multiple certificates. You need to replace the SHA1-signed certificate with a SHA256-signed certificate. Or configure WordPress/OpenSSL 3.0.1 or higher components to work with SHA1-signed certificates.

SHA1 was deprecated over 10 years ago. It's easier to be proactive about these things than to be compelled from one upgrade to another.