Solved

LDAP SSL - Bind 3rd Party certificate

Posted on 2014-01-08
11
1,241 Views
Last Modified: 2014-01-09
Hi guys,

Whats the processs to bind a 3rd party certificate purchased from godady with the LDAPS on a active directory

We have a Enterprise CA installed on the DC - i know its not ideal

LDAP SSL is working fine but with a self signed certificate from the CA,

We have a application which connects via LDAP SSL and its dropping the connection since it cannot verify the certificate issuer

We do not have access to the server running the application to install the server Cert as a trusted root

only option i saw was to install a 3rd party cert we got for the exchange server and bind it to the LDAPS

let me know how to proceed, thanks a lot  in advance
0
Comment
Question by:Inbay
  • 4
  • 4
  • 3
11 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39764841
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764895
Cheapest option? if this is the only thing relying on that certificate, issue your own CA (using the MS CA or XCA), generate a signed certificate from that, and give the CA certificate to the host that needs to verify ownership. That way, you can generate a 10 year certificate for free, instead of having to pay for a new certificate every year.
0
 

Author Comment

by:Inbay
ID: 39764904
@DaveHowe

ahh well that's what we are doing right now. but the problem is we do not have access to the Cent OS server running the application to install the CA certificate.

We already have a wild card cert for our domain (for exchange) purchnaced from Go daddy

I want to use that with the LDAPS

Any ideas

@Mahesh

We have already done that the LDAP SSL is working - like i said in the OP, i need to bind the 3rd party cert with the LDAPS
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39764949
should be able to do that then - on 2008, you should by preference use the service's personal cert store (you can import it into there using the mmc snapin from the pfx file the wildcard is stored in)

TechNet link
0
 

Author Comment

by:Inbay
ID: 39765031
I did that. I exported the cert from exchange with the privet key to a PFX and imported it to the personal store in

Certificates- (Active directory domain services)-Local computer


but when we initiate the LDAP SSL connection from the application

the LDAPS serves the self signed cert that we generated from the CA, not the wild card

And the connection is dropped due to "certificate statutes - The issuer of this certificate could not be found."

I used this article as reference when setting up LDAP SSL

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39765034
did you remove the old cert from the store, and restart the service? (obvious question, I know, but it needs to be asked) :)
0
 

Author Comment

by:Inbay
ID: 39765054
By service you mean the Certification Authority service right??

I deleted the self signed cert from the personal store and imported the wild card

Restarted the Certification Authority service

Still LDAPS serves the self signed cert that we generated from the CA, not the wild card

We are not allowed to reboot the server during the weekdays. so didn't try that

The wild card cert can be used for - Server Authentication (1.3.6.1.5.5.7.3.1)
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39765204
Is certificate authority also installed on DC ?

Is your Exchange certificate wild card domain name is same as AD domain name (Split DNS) ?

LDAPS certificate requires that DC FQDN must be included in some where (either CN or SAN entry), otherwise it will give you error most of.

Mahesh
0
 

Author Comment

by:Inbay
ID: 39765248
Yes the CA is installed on the AD as i mentioned in the OP. i know its not recommended  


unfortunately No

Ad domain name - company.local

Wild card - *.company.co.uk

how can i include the DC FQDN on the wild card certificate?


according to this article

http://community.spiceworks.com/topic/282614-secure-ldap-domain-controller-fqdn

Godaddy does not allow you to add non fully qualified domain names to be used as cert names

is there a work around??
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39765286
ah. ok. The ldap server will be looking for a wildcard that includes its name - and most CAs will not issue certs with dot-local domains, only ones you legally own :(
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39766011
You cannot add new hostname to existing Wildcard certificate and DC cannot work without its FQDN in certificate

You can check some other certificate vendors if they are allowed to provide internal hostnames in their public certificate

If none of them are allowing that, then the only workaround is you could export Root CA cert of internal CA and install it on application server and all its clients so that they can trust it

Mahesh
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question