- LDAP over SSL (LDAPS) Certificate
- How to enable LDAP over SSL with a third-party certification authority
If your DualShield server is version 5.7 or earlier, then you must import the CA certificate of your AD server by following the instruction below. Otherwise, you can skip the step below
and proceed to Modifying the Identity Source on DualShield
Export CA Certificate from the AD Server
Once your AD server is configured to accept LDAPS connection, you need to export the CA certificate from your AD server.
The CA used to sign the LDAPS certificate is not necessary to be the one of your Certification Authority, so the safe way to locate the CA is to follow the steps below.
First, you need to find the SSL certificate of the AD server. There are 2 ways:
Once you have found the SSL certificate of the AD server, double click the certificate, go to the tab "Cetification Path"
In our example, the CA to sign the LDAPS certificate is the highlighted one "ca".
To export the CA certificate:
Import CA Certificate into DualShield
Next, you need to import the CA certificate into your DualShield's keystore. DualShield's keystore is a JAVA keystore and there is a tool included in the DualShield that can be used to import certificates. Follow the steps below:
you should now see the Portecle's user interface:
Please note that if you can double click the file portecle.jar to run this utility, then it is very likely that you have another JRE installed on this machine that is NOT the one used in DualShield. In that case, please choose the menu "Open Keystore File..." instead, then locate the file "cacerts" under DualShield installation folder.
Alternatively, you can import a root or intermediate CA certificate to an existing Java keystore with following command
C:\Program Files\Deepnet DualShield\jre\bin\keytool -import -trustcacerts -alias root -file yourca.crt -keystore C:\Program Files\Deepnet DualShield\jre\lib\security\cacerts
Once you have successfully import your AD's CA certificate into your DualShield's keystore, restart the DualShield server.
Modify the Identity Source on
Click on Identity>Identity Sources