Solved

How to enable LDAP over SSL with a third-party certification authority?

Posted on 2016-07-27
9
118 Views
Last Modified: 2016-10-07
I am following these guide to enable the LDAPs on one of my Windows Server 2012 R2:

https://support.microsoft.com/en-us/kb/321051
http://shabaztech.com/enabling-ldaps-certificate-3rd-party-ca/

I already get the third party certificate with the extension .cer. Whenever, I try to run the command called certreq -accpet certfile.cer, it throws the following error:

Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

I tried to change the filename extension to .p7b and crt but still it gives the same error.

Can anyone please help me in this regard?
0
Comment
Question by:TAMUQITS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
9 Comments
 
LVL 4

Expert Comment

by:Elizabeth Anderson
ID: 41730741
The error occurs because -
When generating a web certificate request from the TPAM appliance (see "Generate web certificate request" of TPAM_SysAdmin_Guide.pdf), the certificate generated by the Certificate Authority (.CER file) can only be imported back to the TPAM device where the .CSR file was generated.

What to do -
Re-issue the web certificate using the correct (or a new) certificate request generated from the appliance.

For more information - https://support.software.dell.com/kb/145596
0
 

Author Comment

by:TAMUQITS
ID: 41730776
Thanks Elizabeth,

It's not for the appliance but Windows Server 2012 R2 Domain Controller and I have generated the CSR on the same machine and saved the certificate in the same folder where request file exists.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41736377
Try do it from the certificate GUI.

Start > Run > certlm.msc > Right click Personal > All Tasks > Import > Find the cert you want (should be a .cer) > import the certificate.

Does anything different occur? Make sure you access the machine cert store.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:TAMUQITS
ID: 41736401
Hi Learnctx,

Yes, I am able to import that third party certificate from Certificate GUI while accessing the machine store.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41736458
OK, interesting you should be done then. AD should be serving up LDAPS on TCP 636.
0
 

Author Comment

by:TAMUQITS
ID: 41737083
Hi,

Is there any online tool to test my LDAPS from outside of my organization?
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41737385
From outside? Are you exposing your DC's to the Internet? :)

The best tool to test LDAP and LDAPS is ldp.exe. Open it, the connect to LDAP and set the port as 636 and enable SSL. If you can successfully bind then LDAPS is working. If you are testing from an external location then you will also need to ensure the external party has your certificate chain trusted.
0
 

Accepted Solution

by:
TAMUQITS earned 0 total points
ID: 41737393
So, folks, the issue has been resolved. In fact, there were a couple of things. 636 port was needed to be opened at our centralised firewall, I know, it should be the first thing I should have checked but sometimes you do stupid stuff. Second, I added/installed the certificates using certutil instead of certreq.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question