Disclaimer
Articles in the "Unsupported Community Documents" space are not supported by ITRS Group.

This how-to will help you use LDAP over SSL with Active Directory (AD) authentication.
Install Active Directory Certificate Services (AD CS)
To create a certificate, start by installing the Active Directory Certificate Services (AD CS) role, if it is not already installed, and creating a root certificate.
- Add a new server role
- Select "Active Directory Certificate Services" and click Next
- Click "Add features"
- Click Next without selecting any features
- Click Next
- Select "Certification Authority" and click Next
- Click Install
- When the installation is complete, you'll get a task to configure AD CS. Click the task to open the configuration wizard.
- Click Next to use your current credentials.
- Click Next
- Click Next
- Click Next
- Click Next
- Select SHA256 (or the appropriate settings for your company's security policy)
- Click Next
- Click Next
- Click Next
- Click Configure
Export certificate to OP5 Monitor
In order for the OP5 Monitor server to verify the LDAP server's certificate, the CA's public certificate has to be exported from the Windows server.
- Run the following from the command prompt; it writes the CA certificate to client.crt:
certutil -ca.cert client.crt
- Copy the exported file (client.crt) to the OP5 Monitor server.
Import certificate into OP5 Monitor
- Install the certificate on the OP5 Monitor server by running:
# certutil -A -d /etc/openldap/certs/ -n ref-win-01 -t C -i /root/client.crt
To verify that the certificate was installed, run:
# certutil -O -d /etc/openldap/certs/ -n ref-win-01
- Make the certificate database readable by apache by running:
# chgrp apache /etc/openldap/certs/* && chmod g+r /etc/openldap/certs/*
- (Optional) If you have a self-signed certificate and want to bypass validation, edit /etc/openldap/ldap.conf and add:
TLS_REQCERT allow
With this setting the LDAP server's certificate is no longer validated, so the connection is encrypted but the server's identity is not checked. If you have a valid certificate this is not needed; leave the default in place. See man ldap.conf for more information.
- Restart apache by running:
# service httpd restart # EL6
# systemctl restart httpd # EL7
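The shell script below is an added example for the OP5 Monitor side of the procedure; it is not from the article or from the OP5 product. It wraps the certutil import and verification, the chgrp/chmod step, and adds the check a practitioner would want afterwards: it reads ldap.conf and reports whether the effective TLS_REQCERT value still validates the server certificate (demand/hard, or the default when the directive is absent) or weakens it (never/allow/try). The function names are mine; the group name apache, the database path /etc/openldap/certs and the nickname are taken from the commands above as assumptions. The import function needs NSS certutil to be installed; the permission and ldap.conf checks run on plain files.

```shell
#!/bin/sh
# Added helper for the OP5 Monitor side of the LDAPS setup. Not part of the
# original article or of OP5 Monitor; function names are assumptions, and the
# default group "apache", database path and nickname follow the article.
set -u

# Import a CA certificate into the NSS database used by OpenLDAP and confirm
# that the nickname resolves (the article's two certutil commands).
# -t C marks the certificate as a trusted CA for SSL.
import_ldaps_ca() {
    nick="$1"
    certfile="$2"
    dbdir="${3:-/etc/openldap/certs}"
    certutil -A -d "$dbdir" -n "$nick" -t C -i "$certfile" || return 1
    certutil -O -d "$dbdir" -n "$nick"
}

# Make every file in the database directory readable by the web server group,
# as the article does with chgrp/chmod.
grant_db_read() {
    group="${1:-apache}"
    dbdir="${2:-/etc/openldap/certs}"
    chgrp "$group" "$dbdir"/* && chmod g+r "$dbdir"/*
}

# Return 0 when every file in the database directory has the group-read bit.
verify_db_readable() {
    dbdir="${1:-/etc/openldap/certs}"
    unreadable=$(find "$dbdir" -type f ! -perm -g+r)
    if [ -n "$unreadable" ]; then
        printf 'not group-readable:\n%s\n' "$unreadable" >&2
        return 1
    fi
    return 0
}

# Report the effective TLS_REQCERT setting of an ldap.conf. Returns 0 when the
# server certificate is validated (demand/hard, or the default when the
# directive is absent) and 1 for never/allow/try, which accept a missing or
# invalid certificate and so give up the server authentication LDAPS provides.
audit_ldap_conf() {
    conf="${1:-/etc/openldap/ldap.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Directive names are case-insensitive; the last occurrence wins.
    value=$(grep -i '^[[:space:]]*TLS_REQCERT[[:space:]]' "$conf" \
            | tail -n 1 | awk '{ print tolower($2) }')
    case "${value:-demand}" in
        demand|hard)
            echo "$conf: TLS_REQCERT=${value:-demand (default)}: server certificate is validated"
            return 0 ;;
        never)
            echo "$conf: TLS_REQCERT=never: no certificate is requested or checked"
            return 1 ;;
        allow)
            echo "$conf: TLS_REQCERT=allow: a missing or bad certificate is accepted"
            return 1 ;;
        try)
            echo "$conf: TLS_REQCERT=try: a missing certificate is accepted"
            return 1 ;;
        *)
            echo "$conf: TLS_REQCERT=$value: unrecognised value" >&2
            return 1 ;;
    esac
}

# Command-line entry point. With no arguments the file only defines functions.
#   ldaps-helper.sh import <nickname> <cert-file> [dbdir]
#   ldaps-helper.sh audit  [ldap.conf]
case "${1:-}" in
    import)
        import_ldaps_ca "$2" "$3" "${4:-}" \
            && grant_db_read apache "${4:-}" \
            && verify_db_readable "${4:-}" ;;
    audit)
        audit_ldap_conf "${2:-}" ;;
esac
```

Run `sh ldaps-helper.sh audit` after editing ldap.conf: a non-zero exit tells you the optional TLS_REQCERT allow step is still in effect and the certificate imported above is not actually being used to authenticate the domain controller.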
Related information: TLS error -8179: Peer's Certificate issuer is not recognized
The steps in this document can also resolve the "-8179: Peer's Certificate issuer is not recognized" error. Since your domain most likely already has a root certificate, you can start at the step titled "Export certificate to OP5 Monitor". Alternatively, you can export the root certificate for your domain with the Certificates MMC snap-in, saving it with a .cer extension, and then continue with the step "Import certificate into OP5 Monitor" above.