Mike Satterfield

asked on

External LDAP Certificate Issue

I have a DC with LDAPS (636) and an external NAT address through the firewall.

It has a self-signed certificate from our in-house certificate authority, and my hosted software is able to connect to it and allow my users to authenticate via LDAP just fine.

Except one.

The newest one is requiring that we have a 3rd-party certificate installed. So I purchased one and added it to the personal store in the Certificate Management area for the service account. However, I didn't buy the extended validation option, so I think I have to buy another one.

If that is the case, I would like to do it a bit differently.

If my server is server.mydomain.org,
can I (after adding an external DNS alias for ldap.mydomain.org) purchase a cert for ldap.mydomain.org? If so, my reading leads me to believe that if I purchase the EV version of the cert and put it in the personal store for the service account, is that all I need to do to get LDAPS using it?

Thanks,
Mahesh

Extended validation is a term used by public CA authorities.

All you need is a "Domain Controller" certificate.

Also, if you change the certificate FQDN to something other than the domain controller's actual FQDN, it won't work; this is a prerequisite for LDAPS.

https://support.microsoft.com/en-us/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca

It is as good as a standard SSL certificate with Server Auth as an EKU.
"the newest is requiring that we have a 3rd party certificate installed."
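The requirements Mahesh points at (KB 291010) are checkable from the DC itself. The script below is an added example, not code from the thread or from Microsoft: run on the domain controller, it lists each certificate in the Local Computer Personal store (the store Schannel reads for LDAPS; a user's or service account's personal store is not consulted) and reports whether it has a private key, the Server Authentication EKU (1.3.6.1.5.5.7.3.1), the DC's own FQDN in the CN or in a SAN DNS entry, a chain that builds to a root the DC trusts, and a current validity period. The FQDN is taken from DNS at run time; the SAN parsing assumes an English-locale Windows, where `Format()` emits "DNS Name=" lines.

```powershell
# Added example (not from the original thread): audit Cert:\LocalMachine\My
# on a DC against the LDAPS certificate requirements in KB 291010.
$dcFqdn        = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName.ToLower()
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Names the certificate is valid for: the CN plus every DNS entry in the SAN
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn.ToLower() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" line per SAN entry (English locale assumed)
        $names += ($san.Format($true) -split "`r?`n") |
            Where-Object { $_ -match 'DNS Name=(.+)' } |
            ForEach-Object { $Matches[1].Trim().ToLower() }
    }

    # Server Authentication must be present in the EKU extension
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt -and
        (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid))

    # The chain must build to a root the DC itself trusts
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $nameOk  = $names -contains $dcFqdn
    $timeOk  = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuthEKU  = $hasServerAuth
        NameMatchesDC  = $nameOk
        ChainValid     = $chainOk
        InValidity     = $timeOk
        UsableForLDAPS = ($cert.HasPrivateKey -and $hasServerAuth -and $nameOk -and $chainOk -and $timeOk)
    }
} | Format-Table -AutoSize
```

A certificate issued to an alias such as ldap.mydomain.org can still satisfy the check, but only if the DC's real FQDN also appears as a SAN DNS entry; clients that connect using the alias additionally need the alias in the SAN for their own name matching. If several certificates pass, Schannel picks one on its own, so keeping exactly one usable certificate in the store avoids surprises.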

Why?

As long as the client can validate the certificate using a trusted intermediate or root CA it shouldn't matter where the cert comes from.
Mike Satterfield (ASKER)

"Why?

As long as the client can validate the certificate using a trusted intermediate or root CA it shouldn't matter where the cert comes from."

I have no idea. It's a web hosting company called finalsite.


So like I said, I did get a regular 2048-bit IIS cert from GoDaddy for servername.mydomain.com and installed it, then put it in the personal store of the service account. I seem to have completely broken SSL over LDAP on that box now.
Is your AD domain name published on the internet as well?

If your certificate FQDN is different from the DC's real FQDN, the scenario will not work.
Yes, it is the same: the same server name and domain both internal and external.
SOLUTION
David Favor
This is very frustrating.

I can connect with no problem if I turn off SSL.

I get the following error with SSL:

"An error has occurred while loading the RootDSE entry from myserver.mydomain.org:636. The default schema entry could not be loaded due to inability to access the RootDSE entry. Further processing will be aborted. Try changing your credentials or the server side access control list (ACL)."

I have called GoDaddy and they say the certificate I purchased should be fine for LDAPS.

The finalsite software only supports a handful of trusted CAs.
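The RootDSE error quoted above only says that the TLS session could not be established; it does not say whether the client rejected the name, the chain, or the validity period. The script below is an added diagnostic, not code from the thread or from any vendor: from a client machine it completes a TLS handshake to the LDAPS port, accepts the certificate unconditionally so the handshake finishes, and then reports the certificate the DC actually presented together with the SslPolicyErrors Windows raised for it and the client-side chain status. The server name is an assumption; pass your own.

```powershell
# Added example (not from the original thread): explain why a client rejects
# a DC's LDAPS certificate by completing the handshake and inspecting the result.
param(
    [string]$Server = 'myserver.mydomain.org',   # assumed DC FQDN
    [int]$Port = 636
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$policyErrors  = [System.Net.Security.SslPolicyErrors]::None

# Accept the certificate unconditionally so the handshake completes; the real
# verdict (name mismatch, chain errors, not available) is recorded in $policyErrors.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
} catch {
    Write-Host "TCP connect to ${Server}:${Port} failed: $($_.Exception.Message)"
    return
}

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # The target host passed here is the name the client matches against CN/SAN
    $ssl.AuthenticateAsClient($Server)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} catch {
    Write-Host "TLS handshake failed: $($_.Exception.Message)"
    return
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# DNS names from the SAN extension (English-locale "DNS Name=" formatting assumed)
$dnsNames = @()
$san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $dnsNames = ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match 'DNS Name=(.+)' } |
        ForEach-Object { $Matches[1].Trim() }
}

$ekuExt = $remote.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt -and
    (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid))

# Rebuild the chain locally so each failing link is named, not just "chain errors"
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($remote)

[pscustomobject]@{
    Server          = "${Server}:${Port}"
    Subject         = $remote.Subject
    Issuer          = $remote.Issuer
    SanDnsNames     = ($dnsNames -join ', ')
    NotBefore       = $remote.NotBefore
    NotAfter        = $remote.NotAfter
    ServerAuthEKU   = $hasServerAuth
    SslPolicyErrors = $policyErrors
    ChainBuilds     = $chainOk
    ChainStatus     = (($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
} | Format-List
```

Reading the output: RemoteCertificateNameMismatch means the name you connected with is not in the CN or SAN; RemoteCertificateChainErrors with a ChainStatus of UntrustedRoot or PartialChain means the client lacks the issuing CA or the DC is not sending its intermediate; an Issuer that is still your in-house CA means the DC never picked up the purchased certificate, which is what happens when it sits in a service account's store rather than the Local Computer store.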
ASKER CERTIFIED SOLUTION