LDAP SSL certificate installation issue

  • Last Post 20 March 2015
sampathmanova posted this 13 March 2015

Hi Experts,
We had a requirement to install a 3rd party SSL certificate for LDAP. I followed the MS KB at http://support.microsoft.com/kb/321051, and the certificate installed under the Personal folder and I am able to see it properly. I installed the certificate on our PDC server, which is Windows 2008 R2 with SP1. We do not have any certificate server in our environment either.
Now, the problem is that LDAPS is not working, which I checked via LDP.exe.
Is there anything I am missing, like binding the LDAP certificate?
Could you please advise me how to test whether the certificate is installed properly, and any troubleshooting method, please?
Thank you, Sampath

bdesmond posted this 13 March 2015

Does the cert’s subject name or first SAN entry match the FQDN of the DC? Does it have the Server Authentication EKU?

evrensev posted this 13 March 2015

Once, one of my colleagues had the same issue while testing LDAPS with ldp.exe. He was doing his connection test to the IP address of the LDAP server. But if you are testing LDAPS, you have to test the connection to the hostname written on the certificate.

Evren Sevilmiş

g4ugm posted this 13 March 2015

Despite what it says in the KB article, I have found it necessary to reboot the server… Dave Wade G4UGM

sampathmanova posted this 13 March 2015

I had rebooted the server as well, but it is still failing on LDAPS requests. I ran the "certutil -viewstore My" command and found two issues.
#1. Under the General tab of the certificate properties, it shows "Windows does not have enough information to verify this certificate", as per the screenshot below.
[Screenshot 1: certificate General tab]
#2. Under Certification Path, it only shows the FQDN of the DC, but it should show the 3rd party root CA and then this DC FQDN underneath. Moreover, at the bottom it says "The issuer of this certificate could not be found", as per the screenshot below.
[Screenshot 2: certificate Certification Path tab]
I am able to see everything properly under the Details tab, as far as I understand.

sampathmanova posted this 13 March 2015

Hi,
I tested using the FQDN of the server name and the IP address from that DC itself. Is there anything I am missing here in the test you are referring to, please?
Best Regards, Sampath

danj posted this 13 March 2015

Ensure that the appropriate vendor root and intermediate certificates exist in the Trusted Root and Intermediate stores on the DC and on all machines that need to connect to it. When you ordered the cert, they would have provided links to the correct root/intermediate certs.

Verify you are using the correct ones, as many vendors are now issuing SHA2-based certs by default, based on different root/intermediate certs. Certs from that vendor will have "just worked" for years as you had the correct root/intermediate certs too, but new certs will now not work as they are based on the new root. Last year I had an issue where GlobalSign told me to use the wrong intermediate cert; one was SHA1 and one SHA256, but both had almost identical names.

Dan

duykato posted this 18 March 2015

Look at the certificate path. Do you have all of the certificates in that path installed on your machine? Issuing CA? Intermediate CA? Root CA?
(Assuming this is a Windows box, since you're using ldp.)
Open mmc, add the Certificates snap-in, and select Local Computer.
Look at Trusted Root Certification Authorities; do you see the root CA of your SSL cert there? How about in Intermediate Certification Authorities?
Below I pulled the SSL certificate for mail.google.com while looking at this thread; to the right I have my Certificates snap-in, navigated to where the Equifax certificate is. Do you have the same for your cert?

Hope this helps.

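The checks the replies above describe (the subject or first SAN entry must match the DC's FQDN, the cert needs the Server Authentication EKU, the vendor's root and intermediate certs must be in the machine's Trusted Root and Intermediate stores, and the LDAPS test must target the host name on the certificate rather than an IP address) can be run from one script on the DC. This is an added example, not code from the thread or from the Microsoft KB article; it assumes PowerShell 3.0 or later (for the `DnsNameList` and `EnhancedKeyUsageList` properties the Cert: provider adds), that the placeholder `dc01.example.com` is replaced with the real DC FQDN, and that port 636 is reachable from where it runs.

```powershell
# Added example: verify a 3rd-party LDAPS certificate on a domain controller.
# $DcFqdn is a placeholder (assumption); replace it with the DC's real FQDN.
$DcFqdn        = 'dc01.example.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

# 1. Candidates: certs in the computer's Personal store (LocalMachine\My) that
#    have a private key and carry the Server Authentication EKU.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
})
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with a private key and Server Authentication EKU in LocalMachine\My"
}

foreach ($cert in $candidates) {
    # DNS names from the SAN (or the CN when no SAN is present); one must equal the DC FQDN.
    $names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $names -contains $DcFqdn
    "Thumbprint: {0}`n  Subject:   {1}`n  DNS names: {2}`n  Matches DC FQDN: {3}" -f `
        $cert.Thumbprint, $cert.Subject, ($names -join ', '), $nameOk

    # 2. Chain build: does Windows find the issuer(s) in the Intermediate and
    #    Trusted Root stores? Revocation is skipped here so a missing CRL does
    #    not mask a missing issuer cert.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    "  Chain builds: {0}" -f $built
    foreach ($el in $chain.ChainElements) {
        "    -> {0}" -f $el.Certificate.Subject
        foreach ($st in $el.ChainElementStatus) {
            "       {0}: {1}" -f $st.Status, $st.StatusInformation.Trim()
        }
    }
    foreach ($st in $chain.ChainStatus) { "  Chain status: {0}" -f $st.Status }
}

# 3. TLS handshake to port 636 using the FQDN (not the IP) so the host name can
#    be validated against the certificate the DC actually presents. A failure
#    here with "no certificate bound" symptoms means Schannel never picked the
#    cert; a name-mismatch failure means the test target or the SAN is wrong.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    "LDAPS handshake OK ({0}); server presented: {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Subject
} catch {
    "LDAPS handshake failed: {0}" -f $_.Exception.GetBaseException().Message
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Step 3 is the same test ldp.exe performs on port 636 with SSL, but the error text from `AuthenticateAsClient` distinguishes "nothing is listening with TLS" from "the presented name does not match the target", which is the difference between the cert not being bound and the cert being bound but tested against the wrong name.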

sampathmanova posted this 20 March 2015

Hi Duy Le,
This is really interesting to me, with the screenshot you provided!
I see that it shows as per the screenshot below (the shaded one is the FQDN of our server name, which the certificate is issued to).
[Screenshot 1: certificate path]
Currently, I have installed it under the Personal folder. I think it must not be under this container, and it looks like it should be under the Intermediate Certification Authorities container.
I will try this as part of the change management process soon, then keep you informed!
Thank you very much all!!!
Cheers, Sampath

