Certificate management for LDAP SSL (LDAPS) with Active Directory
Disclaimer
Articles in the “Unsupported Community Documents” space are not supported by ITRS Group.
This how-to will help you use LDAP SSL with AD authentication.
Install Active Directory Certificate Services (AD CS)
To create a certificate, start by installing the Active Directory Certificate Services (AD CS) role if it is not already installed, then create a root certificate.
- Add a new server role. Select “Active Directory Certificate Services” and click Next.
- Click “Add features”.
- Click Next without selecting any features.
- Click Next.
- Select “Certification Authority” and click Next.
- Click Install.
- When the installation is complete, you’ll get a task to configure AD CS. Click the task to open the configuration wizard.
- Click Next to use your current credentials.
- Click Next.
- Click Next.
- Click Next.
- Click Next.
- Select SHA256 (or the appropriate settings for your company’s security policy).
- Click Next.
- Click Next.
- Click Next.
- Click Configure.
Export certificate to OP5 Monitor
In order for the OP5 Monitor server to verify the domain controller’s LDAP certificate, the CA’s public certificate is exported from the Windows server.
- Run the following from the command prompt:
  certutil -ca.cert client.crt
- Copy the exported file (client.crt) to the OP5 Monitor server.
Import certificate into OP5 Monitor
- Install the certificate on the OP5 Monitor server by running:
  # certutil -A -d /etc/openldap/certs/ -n ref-win-01 -t C -i /root/client.crt
  To verify that the certificate was installed, run:
  # certutil -O -d /etc/openldap/certs/ -n ref-win-01
- Make the certificate database readable by apache by running:
  # chgrp apache /etc/openldap/certs/* && chmod g+r /etc/openldap/certs/*
- (Optional) If you have a self-signed certificate and want to bypass validation, edit /etc/openldap/ldap.conf and add:
  TLS_REQCERT allow
  Note that with TLS_REQCERT allow a bad or unknown server certificate is ignored, so the LDAPS session is no longer protected against a spoofed LDAP server. If you have a valid certificate this is not needed; you can leave it at the defaults. See man ldap.conf for more information.
- Restart Apache by running:
  # service httpd restart    # EL6
  # systemctl restart httpd  # EL7
Related information: TLS error -8179: Peer’s Certificate issuer is not recognized
The steps provided in this document can serve to resolve the “-8179: Peer’s Certificate issuer is not recognized” error. Because your domain most likely already has a root certificate, you can start at the step titled “Export certificate to OP5 Monitor”. Alternatively, using the Certificates MMC snap-in you can export the root certificate for your domain in the required format, saving it with a .cer extension. Afterwards, continue with the step “Import certificate into OP5 Monitor” mentioned above.
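The following pre-flight script is an added example (not ITRS/OP5 code) covering the import steps above and the -8179 error: it normalizes the exported CA file to DER (NSS certutil -A expects DER unless -a is given, while an MMC export may be Base-64), lists NSS database files apache cannot read, and performs the strict chain check that OpenLDAP does with the default TLS_REQCERT demand. The paths /root/client.crt and /etc/openldap/certs, the group name apache and the host name are taken from the page or assumed; the sample bytes in the test are constructed, not a real certificate.

```python
"""Pre-flight checks for importing the AD CA certificate for LDAPS."""
import grp
import os
import socket
import ssl
import stat

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalize_to_der(data: bytes) -> bytes:
    """Return DER bytes whatever form the Windows export came in.

    `certutil -ca.cert` normally writes binary DER; the MMC export may write
    Base-64 (PEM). A PEM file fed to `certutil -A` without -a is not a usable
    trust anchor, which later surfaces as error -8179."""
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: already DER
        return data
    raise ValueError("file is neither PEM nor DER X.509")


def nss_db_unreadable_by(db_dir: str, gid: int) -> list:
    """Names of files in the NSS database that the given group cannot read.

    Mirrors the `chgrp apache ... && chmod g+r` step: apache must read the
    cert/key database files to validate the LDAP server certificate."""
    bad = []
    for name in os.listdir(db_dir):
        st = os.stat(os.path.join(db_dir, name))
        if st.st_gid != gid or not st.st_mode & stat.S_IRGRP:
            bad.append(name)
    return sorted(bad)


def ldaps_chain_verifies(host: str, ca_pem_path: str, port: int = 636) -> bool:
    """Strict check, like TLS_REQCERT demand: the DC's chain must end at the
    exported CA and the host name must match. False is what -8179 means."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":  # assumed paths and group from the page
    with open("/root/client.crt", "rb") as fh:
        der = normalize_to_der(fh.read())
    print(len(der), "DER bytes; unreadable by apache:",
          nss_db_unreadable_by("/etc/openldap/certs", grp.getgrnam("apache").gr_gid))
```

To run the live check, write the DER file back out as PEM with ssl.DER_cert_to_PEM_cert and pass it to ldaps_chain_verifies together with the domain controller's DNS name.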