Solved

LDAP SSL - Bind 3rd Party certificate

Posted on 2014-01-08
1,395 Views
Last Modified: 2014-01-09
Hi guys,

What's the process to bind a 3rd party certificate purchased from GoDaddy to LDAPS on an Active Directory?

We have an Enterprise CA installed on the DC - I know it's not ideal.

LDAP SSL is working fine, but with a self-signed certificate from the CA.

We have an application which connects via LDAP SSL, and it's dropping the connection since it cannot verify the certificate issuer.

We do not have access to the server running the application to install the server cert as a trusted root.

The only option I saw was to install a 3rd party cert we got for the Exchange server and bind it to LDAPS.

Let me know how to proceed, thanks a lot in advance.
Question by:Inbay
11 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39764841
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764895
Cheapest option? If this is the only thing relying on that certificate, issue your own CA (using the MS CA or XCA), generate a signed certificate from that, and give the CA certificate to the host that needs to verify ownership. That way, you can generate a 10-year certificate for free, instead of having to pay for a new certificate every year.
 

Author Comment

by:Inbay
ID: 39764904
@DaveHowe

Ahh well, that's what we are doing right now. But the problem is we do not have access to the CentOS server running the application to install the CA certificate.

We already have a wildcard cert for our domain (for Exchange) purchased from GoDaddy.

I want to use that with LDAPS.

Any ideas?

@Mahesh

We have already done that; LDAP SSL is working - like I said in the OP, I need to bind the 3rd party cert with LDAPS.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764949
Should be able to do that then - on 2008, you should by preference use the service's personal cert store (you can import it into there using the MMC snap-in from the PFX file the wildcard is stored in).

TechNet link
 

Author Comment

by:Inbay
ID: 39765031
I did that. I exported the cert from Exchange with the private key to a PFX and imported it to the personal store in

Certificates - (Active Directory Domain Services) - Local Computer

But when we initiate the LDAP SSL connection from the application,

LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

And the connection is dropped due to "certificate status - The issuer of this certificate could not be found."

I used this article as a reference when setting up LDAP SSL:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39765034
Did you remove the old cert from the store and restart the service? (Obvious question, I know, but it needs to be asked.) :)
 

Author Comment

by:Inbay
ID: 39765054
By service you mean the Certification Authority service, right?

I deleted the self-signed cert from the personal store and imported the wildcard.

Restarted the Certification Authority service.

Still LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

We are not allowed to reboot the server during the weekdays, so I didn't try that.

The wildcard cert can be used for - Server Authentication (1.3.6.1.5.5.7.3.1)
 
LVL 38

Expert Comment

by:Mahesh
ID: 39765204
Is the certificate authority also installed on the DC?

Is your Exchange wildcard certificate's domain name the same as the AD domain name (split DNS)?

An LDAPS certificate requires that the DC FQDN be included somewhere (either the CN or a SAN entry); otherwise it will give you an error most of the time.

Mahesh
 

Author Comment

by:Inbay
ID: 39765248
Yes, the CA is installed on the AD as I mentioned in the OP. I know it's not recommended.

Unfortunately, no.

AD domain name - company.local

Wildcard - *.company.co.uk

How can I include the DC FQDN on the wildcard certificate?

According to this article

http://community.spiceworks.com/topic/282614-secure-ldap-domain-controller-fqdn

GoDaddy does not allow you to add non-fully-qualified domain names to be used as cert names.

Is there a workaround?
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 39765286
Ah. OK. The LDAP server will be looking for a wildcard that includes its name - and most CAs will not issue certs with dot-local domains, only ones you legally own :(
 
LVL 38

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 39766011
You cannot add a new hostname to an existing wildcard certificate, and a DC cannot work without its FQDN in the certificate.

You can check some other certificate vendors to see if they are allowed to provide internal hostnames in their public certificates.

If none of them allow that, then the only workaround is to export the Root CA cert of the internal CA and install it on the application server and all its clients so that they can trust it.

Mahesh
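The two rejection reasons that surface in this thread, the untrusted issuer (the error the application reports) and the DC FQDN missing from the wildcard certificate's CN/SAN (Mahesh's point, and the reason the GoDaddy cert cannot be used as-is), are the checks any TLS client applies before accepting an LDAPS server certificate. The Python below is an added example, not code from the thread or from any of its participants; the DC name dc01.company.local, the issuer names and the CentOS application's trust set are constructed to mirror the post. It implements the DNS name-matching rule (a wildcard covers exactly one left-most label, and SAN entries, when present, supersede the CN), which is why *.company.co.uk can never cover a host under company.local, and it goes slightly beyond the thread by also checking the Server Authentication EKU the OP quotes.

```python
"""Checks an LDAPS client applies to the certificate a domain controller presents.

Constructed example: the names mirror the thread (AD forest 'company.local',
a GoDaddy wildcard for '*.company.co.uk'); none of them are real hosts or CAs.
"""
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    """The fields of a server certificate that matter to an LDAPS client."""
    subject_cn: str
    issuer: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    eku: list = field(default_factory=list)       # extended key usage OIDs


SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the OID quoted in the thread


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: a leading '*' covers one left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.company.co.uk' matches 'mail.company.co.uk' but neither
    # 'a.b.company.co.uk' (two labels) nor anything under 'company.local'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: CertInfo, host: str) -> bool:
    """If the cert carries any SAN dNSName, clients consult only the SAN; CN is the fallback."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(name_matches(n, host) for n in names)


def diagnose(cert: CertInfo, dc_fqdn: str, trusted_issuers: set) -> list:
    """Return the reasons a client would reject this certificate (empty list = accepted).

    Real clients also check validity dates, chain building and revocation;
    those are outside this example.
    """
    problems = []
    if cert.issuer not in trusted_issuers:
        # The thread's error: "The issuer of this certificate could not be found."
        problems.append("issuer not trusted: " + cert.issuer)
    if not cert_covers_host(cert, dc_fqdn):
        # Mahesh's point: the DC FQDN must appear in the CN or a SAN entry.
        problems.append("DC FQDN not in CN/SAN: " + dc_fqdn)
    if SERVER_AUTH_EKU not in cert.eku:
        problems.append("no Server Authentication EKU")
    return problems


# --- constructed scenario mirroring the thread --------------------------------
DC_FQDN = "dc01.company.local"                      # hypothetical DC name
GODADDY_ISSUER = "CN=Go Daddy Secure CA (constructed)"
APP_TRUST = {GODADDY_ISSUER}                        # what the CentOS app trusts; it lacks the internal CA

# Cert issued by the internal Enterprise CA: right name, but the app does not trust the issuer.
internal_cert = CertInfo("dc01.company.local", "CN=company-DC01-CA",
                         san_dns=["dc01.company.local"], eku=[SERVER_AUTH_EKU])
# The Exchange wildcard: trusted issuer, but no name under company.local.
wildcard_cert = CertInfo("*.company.co.uk", GODADDY_ISSUER,
                         san_dns=["*.company.co.uk", "company.co.uk"], eku=[SERVER_AUTH_EKU])

if __name__ == "__main__":
    for label, cert in (("internal CA cert", internal_cert), ("GoDaddy wildcard", wildcard_cert)):
        print(label, "->", diagnose(cert, DC_FQDN, APP_TRUST) or ["accepted"])
```

Run stand-alone it reports the two outcomes the thread describes: the internal CA cert fails only on issuer trust, the wildcard fails only on the name check. Adding the internal root to the application's trust set (Mahesh's workaround) empties the first list; nothing short of a certificate naming dc01.company.local empties the second.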
Question has a verified solution.