Certificate Enrollment Gateway requires the CA certificate chain of Active Directory's server certificate. When connecting to Active Directory, Certificate Enrollment Gateway will use the CA certificate chain to validate Active Directory's server certificate.
The CA certificate chain must be stored in one of the following files:
| File | Description |
|---|---|
| LDAPS Truststore | This file must be a PKCS #12 (P12) file. It must contain at least one Trusted CA Certificate entry (TrustedCertEntry). You can re-use the CA Gateway Keystore if it contains the CA certificate chain. |
| LDAPS Trusted CA Certificates File | This file must be a PEM-formatted file containing at least one PEM-formatted CA certificate. Each CA certificate must include its BEGIN CERTIFICATE and END CERTIFICATE lines. |
To generate an LDAPS Truststore (P12 file) using the Java keytool utility
- Obtain the CA certificate chain for Active Directory's server certificates, from the issuing CA certificate to the root CA certificate.
- Log in to a computer that has Java installed.
- For each certificate, enter the following command to generate the LDAPS Truststore file and import the CA certificate into the trust store:

  ```
  keytool -import -alias <alias> -trustcacerts -file <cert-file> -keystore <truststore>
  ```
  Where:

  - <alias> is an alias for the CA certificate. Use a different alias for each CA certificate you will import.
  - <cert-file> is the path and file name of the CA certificate.
  - <truststore> is the path and file name of the LDAPS Truststore, for example ldapstruststore.p12. The utility will create the file if it does not exist.
  For example:

  ```
  keytool -import -alias cagw-root -trustcacerts -file /tmp/root.cer -keystore /home/user/ldapstruststore.p12
  ```
- When prompted, enter a password for the truststore.
To generate an LDAPS Trusted CA Certificates File (PEM file)
- Log in to the server hosting Entrust Deployment Manager as the user account that owns Entrust Deployment Manager.
- Obtain the certificate chain for Active Directory's server certificates, from the issuing CA certificate to the root CA certificate.
- Open a text editor.
- Create a new file.
- Paste the contents of each CA certificate file into the new file, from the issuing CA certificate to the root CA certificate. Each CA certificate must include its BEGIN CERTIFICATE and END CERTIFICATE lines (exactly five dashes on each side of the label). For example:

  ```
  -----BEGIN CERTIFICATE-----
  <Issuing CA certificate in Base64 encoding>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <Root CA certificate in Base64 encoding>
  -----END CERTIFICATE-----
  ```
  The text file should look similar to the following:

  ```
  -----BEGIN CERTIFICATE-----
  MIIDejCCAmKgAwIBAgIQQ8e7ock59Y21Mtcy7rGJUDANBgkqhkiG9w0BAQs...
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIQ0EgRW50cnkwHhcNMjMwMjA4MTUxNzEwWhcNMzMwMjA4MTU0NzEwWjAyM...
  -----END CERTIFICATE-----
  ```
- Save and close the file.
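As an added check (example code, not part of the Entrust documentation), the following Python function validates an LDAPS Trusted CA Certificates file before it is handed to Certificate Enrollment Gateway: it enforces the exact BEGIN CERTIFICATE and END CERTIFICATE delimiters (flagging the common wrong-dash-count variant, which most PEM parsers skip silently), confirms each body is Base64 that decodes to a DER certificate, and reports non-certificate objects such as private keys that do not belong in a trust store. The sample file contents are constructed placeholders, not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
NEAR_MISS = re.compile(r"-+(BEGIN|END) CERTIFICATE-+")  # delimiter with the wrong dash count

def validate_ca_pem_file(text):
    """Return (certs, problems) for an LDAPS Trusted CA Certificates file; accept it only if problems == []."""
    certs, problems, body = [], [], None  # body is None outside a certificate block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN without a preceding END")
            body = []
        elif line == END:
            if body is None:
                problems.append(f"line {lineno}: END without a preceding BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
                if der[:1] != b"\x30":  # a DER X.509 certificate starts with a SEQUENCE tag
                    raise ValueError("not a DER SEQUENCE, so not an X.509 certificate")
                certs.append(der)
            except ValueError as exc:  # binascii.Error is a ValueError subclass
                problems.append(f"line {lineno}: bad certificate body ({exc})")
            body = None
        elif NEAR_MISS.fullmatch(line):
            # e.g. '-----BEGIN CERTIFICATE----': parsers skip it and silently drop the certificate
            problems.append(f"line {lineno}: malformed delimiter {line!r} (five dashes each side)")
        elif line.startswith("-----BEGIN "):
            # A trust store holds CA certificates only; keys or other PEM objects do not belong here
            problems.append(f"line {lineno}: unexpected non-certificate block {line!r}")
        elif body is not None and line:
            body.append(line)
        # Other text outside a block (e.g. openssl's 'subject=' lines) is ignored
    if body is not None:
        problems.append("file ends inside a certificate block (missing END line)")
    if not certs:
        problems.append("no CA certificate found; the file must contain at least one")
    return certs, problems

# Constructed sample: each body is a placeholder DER SEQUENCE ("MAMCAQE=" decodes to
# 30 03 02 01 01), not a real certificate; BAD_CHAIN has a four-dash BEGIN line.
GOOD_CHAIN = f"{BEGIN}\nMAMCAQE=\n{END}\n{BEGIN}\nMAMCAQE=\n{END}\n"
BAD_CHAIN = GOOD_CHAIN.replace(BEGIN, "-----BEGIN CERTIFICATE----", 1)
```

Run it against the real file with `validate_ca_pem_file(open(path).read())` and fix every reported problem before pointing the gateway at the file.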