Solved

LDAP SSL - Bind 3rd Party certificate

Posted on 2014-01-08
11
1,277 Views
Last Modified: 2014-01-09
Hi guys,

Whats the processs to bind a 3rd party certificate purchased from godady with the LDAPS on a active directory

We have a Enterprise CA installed on the DC - i know its not ideal

LDAP SSL is working fine but with a self signed certificate from the CA,

We have a application which connects via LDAP SSL and its dropping the connection since it cannot verify the certificate issuer

We do not have access to the server running the application to install the server Cert as a trusted root

only option i saw was to install a 3rd party cert we got for the exchange server and bind it to the LDAPS

let me know how to proceed, thanks a lot  in advance
0
Comment
Question by:Inbay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
11 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39764841
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764895
Cheapest option? if this is the only thing relying on that certificate, issue your own CA (using the MS CA or XCA), generate a signed certificate from that, and give the CA certificate to the host that needs to verify ownership. That way, you can generate a 10 year certificate for free, instead of having to pay for a new certificate every year.
0
 

Author Comment

by:Inbay
ID: 39764904
@DaveHowe

ahh well that's what we are doing right now. but the problem is we do not have access to the Cent OS server running the application to install the CA certificate.

We already have a wild card cert for our domain (for exchange) purchnaced from Go daddy

I want to use that with the LDAPS

Any ideas

@Mahesh

We have already done that the LDAP SSL is working - like i said in the OP, i need to bind the 3rd party cert with the LDAPS
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764949
should be able to do that then - on 2008, you should by preference use the service's personal cert store (you can import it into there using the mmc snapin from the pfx file the wildcard is stored in)

TechNet link
0
 

Author Comment

by:Inbay
ID: 39765031
I did that. I exported the cert from exchange with the privet key to a PFX and imported it to the personal store in

Certificates- (Active directory domain services)-Local computer


but when we initiate the LDAP SSL connection from the application

the LDAPS serves the self signed cert that we generated from the CA, not the wild card

And the connection is dropped due to "certificate statutes - The issuer of this certificate could not be found."

I used this article as reference when setting up LDAP SSL

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39765034
did you remove the old cert from the store, and restart the service? (obvious question, I know, but it needs to be asked) :)
0
 

Author Comment

by:Inbay
ID: 39765054
By service you mean the Certification Authority service right??

I deleted the self signed cert from the personal store and imported the wild card

Restarted the Certification Authority service

Still LDAPS serves the self signed cert that we generated from the CA, not the wild card

We are not allowed to reboot the server during the weekdays. so didn't try that

The wild card cert can be used for - Server Authentication (1.3.6.1.5.5.7.3.1)
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39765204
Is certificate authority also installed on DC ?

Is your Exchange certificate wild card domain name is same as AD domain name (Split DNS) ?

LDAPS certificate requires that DC FQDN must be included in some where (either CN or SAN entry), otherwise it will give you error most of.

Mahesh
0
 

Author Comment

by:Inbay
ID: 39765248
Yes the CA is installed on the AD as i mentioned in the OP. i know its not recommended  


unfortunately No

Ad domain name - company.local

Wild card - *.company.co.uk

how can i include the DC FQDN on the wild card certificate?


according to this article

http://community.spiceworks.com/topic/282614-secure-ldap-domain-controller-fqdn

Godaddy does not allow you to add non fully qualified domain names to be used as cert names

is there a work around??
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39765286
ah. ok. The ldap server will be looking for a wildcard that includes its name - and most CAs will not issue certs with dot-local domains, only ones you legally own :(
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39766011
You cannot add new hostname to existing Wildcard certificate and DC cannot work without its FQDN in certificate

You can check some other certificate vendors if they are allowed to provide internal hostnames in their public certificate

If none of them are allowing that, then the only workaround is you could export Root CA cert of internal CA and install it on application server and all its clients so that they can trust it

Mahesh
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question