We had a requirement to install 3rd party SSL certificate for LDAP. I followed MS KB at http://support.microsoft.com/kb/321051 and the certificate installed under personal folder and I am able to see it properly. I installed certificate in our PDC server which is windows 2008 R2 with SP1. We does not have any certificate server in our environment as well.
Now, the problem is that the LDAPS is not working which I checked via LDP.exe.
Is there anything that am I missing like binding ldap certificate?
Could you please advise me to test whether the certificate is installed properly and any troubleshooting method please.
LDAP SSL certificate installation issue
- 245 Views
- Last Post 20 March 2015
Does the cert’s subject name or first SAN entry match the FQDN of the DC? Does it have the Server Authentication EKU?
Both of those are required for AD to pick the cert and bind it.
Once, one of my collegue had the same issue while testing LDAPs with ldp.exe. He was doing his connection test to the IP address
of LDAP server. But if you are testing LDAPS, you have to test connection to the hostname written on certificate.
Despite what it says in the KB article, I have found it necessary to re-boot the server… Dave WadeG4UGM
I had rebooted the server as well but still failing on LDAPS request. I ran "certutil -viewstore My" command and found two issue.
#1. Under general tab of at the certificate properties, it is showing as Windows does not have enough information to verify this certificate as per below screenshot.
#2. under Certification path, It is only showing FQDN of the DC name but it must be shown as 3rd party root CA and then this DC fqdn underneath. moreover, at the bottom it is mentioned as The issuer of this certificate could not be found" message as per below screenshot.
I am able to see everything proper under Details tab as per my understanding.
I tested using FQDN of the server name and IP address from that DC itself. Anything am I missing here to test which you are referring please ?
Ensure that the appropriate vendor root and intermediate certificates exist in the trusted root and intermediate stores on the DC and all machines that need to
connect to it. When you ordered the cert they would have provided links to the correct root/intermediate certs.
Verify you are using the correct ones as many vendors are now issuing SHA2 based certs by default based on different root/inter certs. Certs from that vendor
will have ’just worked’ for years as you had the correct root/inter certs too, but new certs will now not work as they are based on the new root. last year I had an issue where Globalsign told me to use the wrong intermediate cert, one was SHA1 and one SHA256
but both had almost identical names.
Look at the certificate path, do you have all of the certificates in that path installed on your machine? Issuing CA? Intermediate CA? Root CA?
(assuming this is a windows box.. since you're using ldp)
open mmc, add certificates snap-in, select local computer.
Look at Trusted Root Certification Authorities, see the root CA of your SSL cert there? How about in Intermediate Certification Authorities?
Below I pulled the SSL certificate for mail.google.com while looking at this thread, to the right I have my Certificates snap-in and navigated to where the Equifax certificate is.. Do you have the same for your cert?
Hope this helps.
Hi Duy Le,
It is really more interesting to me question with screenshot provided by you!
I see that it is mentioning as per below screenshot (the shaded one is FQDN of our server name where the certificate is issued to:).Currently, I had installed under personal folder. I think, it must not be under this container and it look be under Intermediate Certification Authority container).
I will be trying this as part of change management process soon then keep you inform!
Thank you very much all !!!