Re: Schema-free directory settings. Which certificate is meant to be imported

SOLVED
Cederberg
Honored Contributor

Schema-free directory settings. Which certificate is meant to be imported

Hi.
We are looking into using schema-free directory integration instead of the extended schema integration we have been using for years (Active Directory).
My question is regarding the certificate one can import. To me it's not very clear which certificate we are meant to paste. I'm not a certificate expert, and in my experience different software vendors mean different things when referring to a CA certificate.
Are we meant to import the exact certificate of the Active Directory server, or the root + intermediate certificate which was used to issue/sign the certificate used on the Active Directory server (chain)?
Best Regards
//Cederberg

GM_M
HPE Pro

Re: Schema-free directory settings. Which certificate is meant to be imported

Hi Cederberg,

I hope this guide helps you import a CA certificate: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=sd00001038en_us&page=GUID-03624D12-0B38-4C91-A64C-A76ADC362207.html

I hope this video might also be of some help:
https://support.hpe.com/hpesc/public/videoDisplay?videoId=vtc00000858en_us

You need to import a CA-signed certificate, which in your case is signed by the Active Directory.

Thanks and Regards,
Manoj.


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Cederberg
Honored Contributor

Re: Schema-free directory settings. Which certificate is meant to be imported

Hi GM_M,
I may be wrong here, but the first link is for adding a web certificate to the iLO itself. The certificate I'm asking about is the one that's meant to verify that the LDAPS servers are using valid certificates. It should be the chain, in our case the intermediate + root certificate. But in other implementations from other manufacturers it has been the exact certificate from the domain controller you need to point directly to.
In this link it only says to import a new CA certificate:
https://support.hpe.com/hpesc/public/docDisplay?docId=sd00002007en_us&page=GUID-D7147C7F-2016-0901-06D0-000000000D16.html
So I'm confused as to which certificate to use. I know I can skip importing a certificate and it will not verify the LDAPS certificate, but that will lower the security implemented, as it will accept any certificate then.

Regards
//Cederberg

Rama2
HPE Pro

Re: Schema-free directory settings. Which certificate is meant to be imported

Kindly try to import the root certificate of the AD (Active Directory) in order for it to work.

Cederberg
Honored Contributor

Re: Schema-free directory settings. Which certificate is meant to be imported

Hi.

I have got it to work by importing the intermediate + root certificate from our CA, which also signs the Active Directory servers' LDAPS certificates.
The test still flags a warning: Certificate subject mismatch, verify OK.
As the intermediate + root CA is only the chain for the Active Directory certificates, it makes sense.
I also tried setting the LDAP server setting to a specific domain controller instead of the DNS round-robin for the domain and importing the certificate for that server, but the test came up with the same warning. Looking at the certificate that I imported, it did not report a subject either. So I guess if I want it to work with no warning I need to get a new certificate with either a wildcard *.domainname, or point to a specific domain controller and get a certificate with that domain controller's name in the subject.

Best regards
Cederberg
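The two separate checks Cederberg's test reports ("verify OK" for the chain, then a subject mismatch for the name) are what any TLS client does when validating an LDAPS server: first build a path from the presented certificate to an imported trust anchor, then check that the certificate actually names the host that was dialled. The Go program below is an added illustration written for this thread, not code from the thread, from HPE, or from iLO's own verifier. It constructs a throwaway root CA, intermediate CA and domain-controller leaf in memory (all names such as `dc01.corp.example` and `corp.example` are made up), then runs the client-side checks for the situations discussed above: importing root + intermediate and dialling the DC by name, dialling the domain's round-robin name instead, importing only the root when the server does or does not send its intermediate, and a wildcard leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier hierarchy (root CA -> issuing CA -> LDAPS
// leaf) standing in for the enterprise CA that signs the domain controllers'
// certificates in the thread. Nothing here is a real certificate.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses
// the result so it can be placed in cert pools.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI issues a leaf whose Subject Alternative Names are leafDNSNames.
// The CN is set too, but Go (like other modern verifiers) matches host names
// only against SAN entries when any are present.
func BuildPKI(leafDNSNames []string) PKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Constructed Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(ca(2, "Constructed Issuing CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafDNSNames[0]},
		DNSNames:     leafDNSNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return PKI{root, inter, sign(leafTmpl, inter, &leafKey.PublicKey, interKey)}
}

// VerifyLDAPS models the client: trusted are the certificates the administrator
// imported, presented are the certificates the LDAP server sends in the TLS
// handshake (leaf first), serverName is the configured directory server name.
// It returns "verify OK", "verify OK, subject mismatch", or "chain error: ...".
func VerifyLDAPS(trusted, presented []*x509.Certificate, serverName string) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	leaf := presented[0]
	// Step 1: path building to an imported anchor, independent of the name.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return "chain error: " + err.Error()
	}
	// Step 2: does the certificate name the host we actually dialled?
	if err := leaf.VerifyHostname(serverName); err != nil {
		return "verify OK, subject mismatch"
	}
	return "verify OK"
}

func main() {
	dc := BuildPKI([]string{"dc01.corp.example"})
	chain := []*x509.Certificate{dc.Root, dc.Inter}
	leafOnly := []*x509.Certificate{dc.Leaf}
	fmt.Println("root+intermediate imported, dialled by DC name:    ", VerifyLDAPS(chain, leafOnly, "dc01.corp.example"))
	fmt.Println("root+intermediate imported, dialled by domain name:", VerifyLDAPS(chain, leafOnly, "corp.example"))
	fmt.Println("root only imported, DC sends leaf only:            ", VerifyLDAPS([]*x509.Certificate{dc.Root}, leafOnly, "dc01.corp.example"))
	fmt.Println("root only imported, DC sends leaf+intermediate:    ", VerifyLDAPS([]*x509.Certificate{dc.Root}, []*x509.Certificate{dc.Leaf, dc.Inter}, "dc01.corp.example"))
	wild := BuildPKI([]string{"*.corp.example"})
	fmt.Println("wildcard leaf, dialled as ldap.corp.example:       ", VerifyLDAPS([]*x509.Certificate{wild.Root, wild.Inter}, []*x509.Certificate{wild.Leaf}, "ldap.corp.example"))
	fmt.Println("wildcard leaf, dialled as bare corp.example:       ", VerifyLDAPS([]*x509.Certificate{wild.Root, wild.Inter}, []*x509.Certificate{wild.Leaf}, "corp.example"))
}
```

Two things the runs make visible that the posts only hint at. Importing the root alone is sufficient only when the domain controller sends its intermediate during the handshake; if it does not, the client needs the intermediate as well, which is why importing intermediate + root is the robust choice. And a wildcard covers exactly one DNS label, so `*.corp.example` satisfies `dc01.corp.example` or `ldap.corp.example` but not the bare domain name `corp.example` that DNS round-robin for an AD domain resolves; if the iLO is configured with the bare domain name, a wildcard certificate will not remove the mismatch warning, while a certificate whose SANs list the configured name will.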

Rama2
HPE Pro
Solution

Re: Schema-free directory settings. Which certificate is meant to be imported

Yes, obtaining a wildcard certificate for *.domainname, or obtaining a certificate specifically for the intended Domain Controller with the Domain Controller's name included in the subject field, might eliminate the warning and ensure seamless LDAPS functionality. If you still encounter any issues, kindly raise a ticket with HPE for further troubleshooting.