I'm working on setting up LDAPS for an application and need to use a certificate. We have a Microsoft two-tier Certificate Authority infrastructure, and I'm aware that the Kerberos Authentication certificate template is applied for LDAPS on the Domain Controllers. My main question is about which certificate should be used on the application side. Should the application trust the Root CA certificate or the Intermediate CA certificate?
4 Answers
To answer the question about which certificate to use on the application side: you should use the certificate that's deployed by the LDAPS server. You can check this through the computer certificates management console or by using a command like `openssl s_client -connect your.ldap.server.domain:636`.
It's important to understand that trusting the entire certificate chain is distinct from certificate authentication. In this case, the end device should trust the root CA, while the service providing the certificates needs to include all intermediaries in the chain. If your application only trusts the intermediate, it can lead to issues since the root CA is necessary for establishing a complete chain of trust.
Why would you not trust the root CA? It's crucial for establishing security. I’ve seen a lot of setups fail because admins did not upload the complete certificate chain. Trusting just the intermediate means you'd have to manually manage it on every client, which is less than ideal.
Honestly, for simplicity, I would recommend installing both the Root CA and Intermediate CA on the application. This way, you minimize potential issues, especially if the LDAP service doesn't serve the intermediate certificate properly.
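An added offline demonstration of the points made in the second and fourth answers (it is not from the original post): it builds a constructed, throw-away two-tier CA with OpenSSL, mirroring the Root CA, Issuing CA and Domain Controller layout, and shows which client trust-store configurations let the LDAPS certificate validate. All names (`Demo Root CA`, `Demo Issuing CA`, `dc1.example.test`) are made up.

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate (issuing) CA -> LDAPS server cert,
# then the same chain validation openssl s_client performs, run offline.
set -e
WORK=$(mktemp -d)
mk_csr() {  # $1 = file basename, $2 = subject CN (demo values, not real hosts)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc1.example.test\n' > "$WORK/srv.ext"
# 1. Self-signed root CA (the offline tier)
mk_csr root "Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# 2. Intermediate / issuing CA, signed by the root
mk_csr int "Demo Issuing CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# 3. LDAPS server certificate (what the DC presents on 636), signed by the issuing CA
mk_csr ldap "dc1.example.test"
openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -extfile "$WORK/srv.ext" -out "$WORK/ldap.pem" 2>/dev/null
# Trust store a client would hold if it installed both root and intermediate
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"
# verify_chain TRUSTED [SENT]: validate the server cert with TRUSTED as the
# client's trust store and SENT as the extra (untrusted) certs the server
# includes in the handshake. Returns 0 when a complete chain is built.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/ldap.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/ldap.pem" >/dev/null 2>&1
  fi
}
report() {  # human-readable form of the same check
  if verify_chain "$1" "${2:-}"; then echo "OK   : $3"; else echo "FAIL : $3"; fi
}
report "$WORK/root.pem"         "$WORK/int.pem" "trust root, server sends intermediate"
report "$WORK/root.pem"         ""              "trust root, server omits intermediate"
report "$WORK/int.pem"          ""              "trust only intermediate (no self-signed anchor)"
report "$WORK/root_and_int.pem" ""              "trust root + intermediate, server omits intermediate"
```

The first and last cases succeed; the middle two fail, which is why the server must send the intermediate when clients only hold the root, and why trusting only the intermediate does not work without a partial-chain option.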
