LDAPS Self-Signed Certificate Trust Configuration


Introduction:

To connect to an LDAPS server using a self-signed certificate, you’ll need to add the certificate to the trusted authorities on your client system (Faveo Server). Follow these instructions based on your operating system.

1. Debian and Derivatives

Debian and Derivatives include:

a. Debian 11 (Bullseye)

b. Debian 12 (Bookworm)

c. Ubuntu 20.04 (Focal Fossa)

d. Ubuntu 22.04 (Jammy Jellyfish)

1. Install Required Packages

Open a terminal and execute the following commands to install necessary packages:

sudo apt update
sudo apt install ldap-utils openssl

2. Trust the Self-Signed Certificate

a. Get the Certificate:

Use the following command to retrieve the certificate details:

openssl s_client -connect ldap.demo.com:636 -showcerts

Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it to a file, e.g., ldap_cert.crt. The command waits for input after printing; press Ctrl+C once the certificate has appeared. If the output shows more than one certificate block, the server certificate was issued by a private CA, and it is that CA's certificate (the last block) that belongs in the trust store.

b. Add the Certificate to Trusted Authorities:

Create a file for the certificate and add it to the trusted certificate store:

sudo nano /usr/local/share/ca-certificates/ldap_cert.crt

Paste the copied certificate into this file.

c. Update CA Certificates:

sudo update-ca-certificates

d. Verify Connection:

Test the LDAP connection:

ldapsearch -x -H ldaps://ldap.demo.com:636 -D "cn=admin,dc=demo,dc=com" -W -b "dc=demo,dc=com"

2. Red Hat and Derivatives

Red Hat and Derivatives include:

a. Alma 8

b. Alma 9

c. Rocky 8

d. Rocky 9

e. RHEL 8

f. RHEL 9

1. Install Required Packages

Open a terminal and execute the following commands to install necessary packages:

sudo yum install openldap-clients openssl
# or
sudo dnf install openldap-clients openssl

2. Trust the Self-Signed Certificate

a. Get the Certificate:

Use the following command to retrieve the certificate details:

openssl s_client -connect ldap.demo.com:636 -showcerts

Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it to a file, e.g., ldap_cert.crt.

b. Add the Certificate to Trusted Authorities:

Create a file for the certificate and add it to the trusted certificate store:

sudo nano /etc/pki/ca-trust/source/anchors/ldap_cert.crt

Paste the copied certificate into this file.

c. Update CA Certificates:

sudo update-ca-trust

d. Verify Connection:

Test the LDAP connection:

ldapsearch -x -H ldaps://ldap.demo.com:636 -D "cn=admin,dc=demo,dc=com" -W -b "dc=demo,dc=com"
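The Linux procedure above (the Debian and Red Hat variants alike), as an added shell script that is not part of the original page: it fetches the certificate non-interactively, pins it to a SHA-256 fingerprint supplied out of band instead of trusting whatever the first connection returns, picks the trust store by distro, and re-checks the TLS handshake with openssl rather than ldapsearch. ldap.demo.com is the page's example host; the fingerprint value is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page. Fetches the LDAPS certificate
# chain non-interactively (s_client otherwise waits for input), keeps the last
# certificate presented (the self-signed cert, or the private CA that issued the
# server cert), pins it to a SHA-256 fingerprint obtained out of band from the
# LDAP administrator, and only then installs it and re-checks the handshake.
LDAP_HOST="${LDAP_HOST:-ldap.demo.com}"
LDAP_PORT="${LDAP_PORT:-636}"
EXPECTED_FP="${EXPECTED_FP:-REPLACE_WITH_SHA256_FINGERPRINT_FROM_LDAP_ADMIN}"  # colon-separated hex, as openssl prints it

# Print only the last PEM block on stdin (-showcerts lists the leaf first, issuers after it).
last_cert_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
         keep { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { keep = 0 }
         END { printf "%s", buf }'
}

# Print "<drop directory> <refresh command>" for this distro family, or fail.
trust_store() {
    if [ -d /usr/local/share/ca-certificates ]; then
        echo "/usr/local/share/ca-certificates update-ca-certificates"  # Debian, Ubuntu
    elif [ -d /etc/pki/ca-trust/source/anchors ]; then
        echo "/etc/pki/ca-trust/source/anchors update-ca-trust"         # RHEL, Alma, Rocky
    else
        return 1
    fi
}

# Whole flow; the copy and refresh steps need root.
install_ldap_cert() {
    host="$1"; port="$2"; expected="$3"
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null | last_cert_pem)
    [ -n "$pem" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
    actual=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch (got $actual, expected $expected): not trusting" >&2
        return 1
    fi
    store=$(trust_store) || { echo "unsupported trust-store layout" >&2; return 1; }
    printf '%s\n' "$pem" > "${store%% *}/ldap_cert.crt"   # trailing newline keeps the bundle parseable
    "${store##* }"
    # Re-check: with -verify_return_error the handshake fails unless the chain now validates.
    openssl s_client -connect "$host:$port" -servername "$host" -verify_return_error </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = "--install" ]; then
    install_ldap_cert "$LDAP_HOST" "$LDAP_PORT" "$EXPECTED_FP"
fi
```

Run it as `sudo EXPECTED_FP=<fingerprint from the LDAP admin> sh trust_ldaps.sh --install`; a mismatch leaves the trust store untouched.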

3. Windows Server

1. Install Required Tools

OpenSSL does not ship as a standalone .exe installer for Windows, so the easiest way to install it is through the third-party package manager Chocolatey.

Install Chocolatey, a package manager for Windows, with the command below.

Open PowerShell.exe with Administrator privileges, paste the command below and press Enter:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

If it asks for permission, answer yes to all prompts. When the installation has finished, continue with the next command.

Open the Command Prompt with Administrator privileges and run the command below to install OpenSSL:

choco install openssl

When prompted, answer yes and wait for the installation to finish.

2. Trust the Self-Signed Certificate

a. Get the Certificate:

Run the following command in a Command Prompt window with Administrator privileges to retrieve the certificate details:

openssl s_client -connect ldap.demo.com:636 -showcerts

Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it to a file, e.g., ldap_cert.crt.

b. Open Certificate Manager:

Press Win + R, type certmgr.msc, and press Enter.

c. Import the Certificate:

  • Navigate to Trusted Root Certification Authorities -> Certificates.
  • Right-click on Certificates, select All Tasks -> Import.
  • Follow the wizard to import your ldap_cert.crt.
