Solved

LDAP SSL - Bind 3rd Party certificate

Posted on 2014-01-08
1,179 Views
Last Modified: 2014-01-09
Hi guys,

What's the process to bind a 3rd party certificate purchased from GoDaddy with LDAPS on an Active Directory?

We have an Enterprise CA installed on the DC - I know it's not ideal.

LDAP SSL is working fine, but with a self-signed certificate from the CA.

We have an application which connects via LDAP SSL and it's dropping the connection since it cannot verify the certificate issuer.

We do not have access to the server running the application to install the server cert as a trusted root.

The only option I saw was to install a 3rd party cert we got for the Exchange server and bind it to LDAPS.

Let me know how to proceed, thanks a lot in advance.
Question by:Inbay
11 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39764841
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764895
Cheapest option? If this is the only thing relying on that certificate, issue your own CA (using the MS CA or XCA), generate a signed certificate from that, and give the CA certificate to the host that needs to verify ownership. That way, you can generate a 10-year certificate for free, instead of having to pay for a new certificate every year.
 

Author Comment

by:Inbay
ID: 39764904
@DaveHowe

Ahh, well that's what we are doing right now. But the problem is we do not have access to the CentOS server running the application to install the CA certificate.

We already have a wildcard cert for our domain (for Exchange) purchased from GoDaddy.

I want to use that with LDAPS.

Any ideas?

@Mahesh

We have already done that; LDAP SSL is working. Like I said in the OP, I need to bind the 3rd party cert with LDAPS.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764949
Should be able to do that then. On 2008, you should by preference use the service's personal cert store (you can import it into there using the MMC snap-in from the PFX file the wildcard is stored in).

TechNet link
 

Author Comment

by:Inbay
ID: 39765031
I did that. I exported the cert from Exchange with the private key to a PFX and imported it to the personal store in

Certificates (Active Directory Domain Services) - Local Computer

But when we initiate the LDAP SSL connection from the application, LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

And the connection is dropped due to "certificate status - The issuer of this certificate could not be found."

I used this article as reference when setting up LDAP SSL:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
LVL 33

Expert Comment

by:Dave Howe
ID: 39765034
Did you remove the old cert from the store and restart the service? (Obvious question, I know, but it needs to be asked.) :)
 

Author Comment

by:Inbay
ID: 39765054
By service, you mean the Certification Authority service, right?

I deleted the self-signed cert from the personal store and imported the wildcard.

Restarted the Certification Authority service.

Still LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

We are not allowed to reboot the server during the weekdays, so I didn't try that.

The wildcard cert can be used for: Server Authentication (1.3.6.1.5.5.7.3.1).
 
LVL 35

Expert Comment

by:Mahesh
ID: 39765204
Is the certificate authority also installed on the DC?

Is your Exchange certificate wildcard domain name the same as the AD domain name (split DNS)?

The LDAPS certificate requires that the DC FQDN be included somewhere (either the CN or a SAN entry), otherwise it will most likely give you an error.

Mahesh
 

Author Comment

by:Inbay
ID: 39765248
Yes, the CA is installed on the AD as I mentioned in the OP. I know it's not recommended.

Unfortunately no.

AD domain name - company.local

Wildcard - *.company.co.uk

How can I include the DC FQDN on the wildcard certificate?

According to this article

http://community.spiceworks.com/topic/282614-secure-ldap-domain-controller-fqdn

GoDaddy does not allow you to add non-fully-qualified domain names to be used as cert names.

Is there a workaround?
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39765286
Ah, OK. The LDAP server will be looking for a wildcard that includes its name - and most CAs will not issue certs with dot-local domains, only ones you legally own :(
 
LVL 35

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39766011
You cannot add a new hostname to an existing wildcard certificate, and the DC cannot work without its FQDN in the certificate.

You can check with some other certificate vendors whether they are allowed to provide internal hostnames in their public certificates.

If none of them allow that, then the only workaround is to export the Root CA cert of the internal CA and install it on the application server and all its clients so that they can trust it.

Mahesh
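Both Dave's suggestion (run your own CA, hand its certificate to the host that must verify the DC) and Mahesh's accepted answer (the DC's FQDN has to be in the CN or SAN, and the application server must trust the issuing CA) can be reproduced offline with openssl. The script below is an added example and not code from the thread or from either expert. It builds a throwaway internal CA, issues a DC certificate with the DC FQDN in its subjectAltName, builds a stand-in for the GoDaddy wildcard with the thread's names, and then runs the same chain and hostname check an LDAPS client performs. The DC name dc01.company.local is an assumption (the thread only gives company.local and *.company.co.uk); openssl 1.1.1 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the thread's two failure
# modes offline so you can see which certificate an LDAPS client will accept:
#   - the issuer is not trusted by the client (the CentOS application's error)
#   - the wildcard name (*.company.co.uk) does not cover the DC (dc01.company.local)
# Assumptions: dc01.company.local is an invented DC name; openssl >= 1.1.1.
set -e

DC_FQDN="${DC_FQDN:-dc01.company.local}"   # assumed; replace with the real DC name
WORK="${WORK:-$(mktemp -d)}"

# 1. Internal root CA (the role the thread's Enterprise CA plays). 10-year validity
#    as suggested in the thread; openssl req -x509 adds basicConstraints CA:TRUE itself.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Company Internal Root CA" 2>/dev/null
}

# 2. DC certificate: private key stays with the DC, Server Authentication EKU,
#    and the DC FQDN as subjectAltName (the property the accepted answer turns on).
issue_dc_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/dc.key" \
        -out "$WORK/dc.csr" -subj "/CN=$DC_FQDN" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$DC_FQDN" > "$WORK/dc.ext"
    openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3650 -extfile "$WORK/dc.ext" -out "$WORK/dc.pem" 2>/dev/null
}

# 3. Stand-in for the purchased wildcard. Self-signed here, since GoDaddy's chain is
#    irrelevant to the point; only the names the certificate carries matter.
make_wildcard() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/wild.key" -out "$WORK/wild.pem" \
        -subj "/CN=*.company.co.uk" \
        -addext "subjectAltName=DNS:*.company.co.uk,DNS:company.co.uk" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# DNS names a certificate offers, one per line (what a client matches the
# hostname it connected to against).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Returns 0 if the certificate carries the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), which the DC requires before it will use a cert for LDAPS.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Chain and hostname check as an LDAPS client performs it.
# $1 = server certificate, $2 = CA file the client trusts, $3 = hostname connected to.
# Returns 0 when the client would accept the certificate, 1 otherwise.
check_cert_for_host() {
    if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
        echo "ok:   $(basename "$1") accepted for $3 (trusting $(basename "$2"))"
        return 0
    fi
    echo "fail: $(basename "$1") rejected for $3 (trusting $(basename "$2"))"
    return 1
}

make_ca; issue_dc_cert; make_wildcard
check_cert_for_host "$WORK/dc.pem"   "$WORK/ca.pem"   "$DC_FQDN"           || true  # ok
check_cert_for_host "$WORK/dc.pem"   "$WORK/wild.pem" "$DC_FQDN"           || true  # fail: issuer not trusted
check_cert_for_host "$WORK/wild.pem" "$WORK/wild.pem" "$DC_FQDN"           || true  # fail: name not covered
check_cert_for_host "$WORK/wild.pem" "$WORK/wild.pem" "mail.company.co.uk" || true  # ok: what the wildcard covers

# Against a real DC, the same check over the wire (not run here):
#   openssl s_client -connect "$DC_FQDN:636" -servername "$DC_FQDN" -CAfile "$WORK/ca.pem" </dev/null
# On the CentOS application server, trusting the internal CA is what turns the
# second check into the first (needs root there):
#   cp "$WORK/ca.pem" /etc/pki/ca-trust/source/anchors/company-root-ca.pem && update-ca-trust
```

The second and third checks are the two things the thread runs into: the CA-issued DC certificate fails only because the client does not trust the issuer, and the wildcard fails regardless of trust because no name on it matches the DC. On the DC side, the certificate the DC picks must sit in the AD DS service's personal store (NTDS\Personal) or the local machine personal store together with its private key, carry the Server Authentication EKU, and name the DC; it is read when the DC starts, and on Windows Server 2008 and later can be reloaded without a reboot through the rootDSE operational attribute renewServerCertificate (an ldifde modify against the empty DN), so restarting the Certification Authority service has no effect on which certificate LDAPS serves.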
