Solved

LDAP SSL - Bind 3rd Party certificate

Posted on 2014-01-08
Last Modified: 2014-01-09
Hi guys,

What's the process to bind a 3rd party certificate purchased from GoDaddy to LDAPS on an Active Directory?

We have an Enterprise CA installed on the DC - I know it's not ideal

LDAP SSL is working fine, but with a self-signed certificate from the CA.

We have an application which connects via LDAP SSL, and it's dropping the connection since it cannot verify the certificate issuer.

We do not have access to the server running the application to install the server cert as a trusted root.

The only option I saw was to install a 3rd party cert we got for the Exchange server and bind it to LDAPS.

Let me know how to proceed, thanks a lot in advance
Question by:Inbay
11 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39764841
LVL 33

Expert Comment

by:Dave Howe
ID: 39764895
Cheapest option? If this is the only thing relying on that certificate, issue your own CA (using the MS CA or XCA), generate a signed certificate from that, and give the CA certificate to the host that needs to verify ownership. That way, you can generate a 10 year certificate for free, instead of having to pay for a new certificate every year.

Author Comment

by:Inbay
ID: 39764904
@DaveHowe

Ahh well, that's what we are doing right now. But the problem is we do not have access to the CentOS server running the application to install the CA certificate.

We already have a wildcard cert for our domain (for Exchange) purchased from GoDaddy.

I want to use that with LDAPS.

Any ideas?

@Mahesh

We have already done that; LDAP SSL is working. Like I said in the OP, I need to bind the 3rd party cert to LDAPS.
LVL 33

Expert Comment

by:Dave Howe
ID: 39764949
Should be able to do that then - on 2008, you should by preference use the service's personal cert store (you can import it into there using the MMC snap-in from the PFX file the wildcard is stored in).

TechNet link

Author Comment

by:Inbay
ID: 39765031
I did that. I exported the cert from Exchange with the private key to a PFX and imported it to the personal store in

Certificates (Active Directory Domain Services) - Local Computer


But when we initiate the LDAP SSL connection from the application,

LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

And the connection is dropped due to "certificate status - The issuer of this certificate could not be found."

I used this article as reference when setting up LDAP SSL

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
LVL 33

Expert Comment

by:Dave Howe
ID: 39765034
Did you remove the old cert from the store, and restart the service? (Obvious question, I know, but it needs to be asked.) :)

Author Comment

by:Inbay
ID: 39765054
By service you mean the Certification Authority service, right?

I deleted the self-signed cert from the personal store and imported the wildcard.

Restarted the Certification Authority service.

Still LDAPS serves the self-signed cert that we generated from the CA, not the wildcard.

We are not allowed to reboot the server during the weekdays, so didn't try that.

The wildcard cert can be used for - Server Authentication (1.3.6.1.5.5.7.3.1)
 
LVL 37

Expert Comment

by:Mahesh
ID: 39765204
Is the certificate authority also installed on the DC?

Is your Exchange certificate's wildcard domain name the same as the AD domain name (split DNS)?

An LDAPS certificate requires that the DC FQDN be included somewhere (either the CN or a SAN entry), otherwise it will give you an error most of the time.

Mahesh

Author Comment

by:Inbay
ID: 39765248
Yes, the CA is installed on the AD as I mentioned in the OP. I know it's not recommended.

Unfortunately no.

AD domain name - company.local

Wildcard - *.company.co.uk

How can I include the DC FQDN on the wildcard certificate?


According to this article

http://community.spiceworks.com/topic/282614-secure-ldap-domain-controller-fqdn

GoDaddy does not allow you to add non fully qualified domain names to be used as cert names.

Is there a workaround?
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39765286
Ah, ok. The LDAP server will be looking for a wildcard that includes its name - and most CAs will not issue certs with dot-local domains, only ones you legally own :(
LVL 37

Accepted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 39766011
You cannot add a new hostname to an existing wildcard certificate, and a DC cannot work without its FQDN in the certificate.

You can check with some other certificate vendors whether they are allowed to provide internal hostnames in their public certificates.

If none of them are allowing that, then the only workaround is to export the root CA cert of the internal CA and install it on the application server and all its clients so that they can trust it.

Mahesh
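The accepted solution and Mahesh's earlier comment both rest on two independent checks a verifying LDAPS client performs: is the issuer trusted, and does the CN or a SAN entry cover the DC's FQDN? The following Python example (added here; it is not code from this thread or from any Microsoft tool) models both checks offline so you can see why the internal-CA cert fails on the first, why the public `*.company.co.uk` wildcard fails on the second, and why installing the internal root on the client is the combination that passes. The DC hostname `dc01.company.local` and the issuer names `INTERNAL-CA-EXAMPLE` and `PUBLIC-CA-EXAMPLE` are constructed assumptions; the thread only gives the domain names.

```python
"""Model of the two checks a verifying LDAPS client applies to a DC certificate.

Added example, not code from the thread. Names and issuers are constructed
sample values; in practice they come from the certificate the DC serves.
"""


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or DNS SAN entry) covers host.

    Usual client rule: '*' is accepted only as the entire leftmost label, it
    covers exactly one label, and every other label must match exactly
    (case-insensitively). So *.company.co.uk never covers anything under
    company.local, and never covers company.co.uk itself either.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    pattern_labels = cert_name.split(".")
    host_labels = host.split(".")
    # Require at least two fixed labels right of the '*', and equal label counts.
    if len(pattern_labels) < 3 or len(pattern_labels) != len(host_labels):
        return False
    return pattern_labels[1:] == host_labels[1:]


def cert_covers_host(cert_names, host: str) -> bool:
    """True if any CN or SAN entry in cert_names covers the DC's FQDN."""
    return any(name_matches(n, host) for n in cert_names)


def ldaps_rejection_reasons(cert_names, issuer: str, trusted_issuers, host: str):
    """Reasons a verifying client would reject this certificate for host.

    An empty list means the client accepts it. The two checks are independent:
    fixing only one of them still leaves the connection rejected.
    """
    reasons = []
    if issuer not in trusted_issuers:
        reasons.append(f"issuer not trusted by the client: {issuer}")
    if not cert_covers_host(cert_names, host):
        names = ", ".join(cert_names)
        reasons.append(f"no CN/SAN entry covers the DC FQDN {host} (cert has: {names})")
    return reasons


# Constructed scenario mirroring the thread: AD domain company.local, a public
# wildcard for *.company.co.uk, and a client that trusts only public roots.
DC_FQDN = "dc01.company.local"                 # assumed hostname; thread gives only the domain
INTERNAL_CA = "INTERNAL-CA-EXAMPLE"            # constructed issuer name for the DC's own CA
PUBLIC_CA = "PUBLIC-CA-EXAMPLE"                # constructed issuer name for the wildcard's CA
CLIENT_TRUSTED_ISSUERS = frozenset({PUBLIC_CA})


def thread_outcomes():
    """Evaluate the certificates the thread tried, and the fix it settled on."""
    internal_cert = ([DC_FQDN], INTERNAL_CA)          # issued by the Enterprise CA on the DC
    wildcard_cert = (["*.company.co.uk"], PUBLIC_CA)   # the Exchange wildcard
    after_root_install = CLIENT_TRUSTED_ISSUERS | {INTERNAL_CA}
    return {
        "internal_ca_cert": ldaps_rejection_reasons(*internal_cert, CLIENT_TRUSTED_ISSUERS, DC_FQDN),
        "public_wildcard": ldaps_rejection_reasons(*wildcard_cert, CLIENT_TRUSTED_ISSUERS, DC_FQDN),
        "internal_ca_after_root_installed": ldaps_rejection_reasons(*internal_cert, after_root_install, DC_FQDN),
    }


if __name__ == "__main__":
    for scenario, reasons in thread_outcomes().items():
        verdict = "ACCEPTED" if not reasons else "REJECTED: " + "; ".join(reasons)
        print(f"{scenario}: {verdict}")
```

Run it and the three scenarios print the thread's story in order: the internal-CA cert is rejected only for its issuer, the wildcard is rejected only for its name, and the internal-CA cert becomes acceptable once the client trusts that root. To feed it real names rather than the constructed ones, inspect the certificate the DC actually presents on port 636 from the application host (for example with `openssl s_client`), and pass its CN and DNS SAN entries as `cert_names`.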