How to configure Endpoint Security Server to connect to Domain Controller (DC) via LDAPS
In some deployments it is necessary to configure the Endpoint Security Server to connect to a Domain Controller (DC) via LDAPS.
Proceed as follows:
(1) Find index of SSL certificate
On a DC that is configured to support LDAPS, export a list of imported certificates:
CertUtil -store -v MY
The output of this command is a list of certificates, each preceded by a separator header of the form "================ Certificate 0 ================", where 0 is the index of the certificate.
- You can redirect output of this command to a file (e.g., CertUtil -store -v MY > C:\certificates.txt).
- You can use Certificate Manager Tool to export the certificate(s).
In the exported list of certificates, find the certificate:
- whose Subject is the DC's FQDN (in the example below, "DC.mulberry.com")
- whose certificate extensions include the Enhanced Key Usage OID 1.3.6.1.5.5.7.3.1 (Server Authentication)
- whose Issuer is the CA's name (in the example below, "ext")
Get the certificate's index - this is the number in the separator header before each certificate (in the following fragment it is "================ Certificate 0 ================").
================ Certificate 0 ================
Serial Number: 1b9b02cb00000000000c
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters: 05 00
NotBefore: 19/07/2012 15:45
NotAfter: 19/07/2013 15:55
Certificate Extensions: 7
2.5.29.15: Flags = 1(Critical), Length = 4
Digital Signature, Key Encipherment (a0)
2.5.29.37: Flags = 0, Length = c
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
(2) Save certificate to a file
CertUtil -store MY <certificate_index> <path_to>\<file_name>
CertUtil -store MY 0 C:\ServerCert.cer
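The selection in step (1) can be automated by parsing the "CertUtil -store -v MY" output for the index that step (2) needs. The following is an added example, not part of the original article: it applies the three criteria (Subject, Issuer, Server Authentication EKU) and additionally skips certificates whose NotAfter date has passed, which the article does not cover. The embedded sample output is constructed and only approximates certutil's verbose layout; the line placement of Subject, Issuer and NotAfter is an assumption.

```python
# Added example (not from the article): select the certificate index from
# "CertUtil -store -v MY" output by the article's three criteria and skip
# expired ones. Sample is constructed to approximate certutil's verbose layout.
import re
from datetime import datetime

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: Server Authentication
HEADER_RE = re.compile(r"^=+ Certificate (\d+) =+$", re.MULTILINE)

# Constructed sample: 0 is client-auth only, 1 is the DC's LDAPS certificate.
SAMPLE = """\
================ Certificate 0 ================
Issuer:
    CN=ext
 NotAfter: 19/07/2013 15:55
Subject:
    CN=DC.mulberry.com
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
================ Certificate 1 ================
Issuer:
    CN=ext
 NotAfter: 19/07/2013 15:55
Subject:
    CN=DC.mulberry.com
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
"""

def _cn_after(block, label):
    # CN= value on the line following "Issuer:" or "Subject:" (assumed layout)
    m = re.search(rf"^{label}:\s*\n\s*CN=([^,\n]+)", block, re.MULTILINE)
    return m.group(1).strip() if m else None

def find_ldaps_cert_index(output, dc_fqdn, ca_name, now=None):
    """Index of the unexpired certificate with Subject=dc_fqdn, Issuer=ca_name
    and the Server Authentication EKU; None if nothing qualifies."""
    now = now or datetime.now()
    parts = HEADER_RE.split(output)  # ['', '0', block0, '1', block1, ...]
    for idx, block in zip(parts[1::2], parts[2::2]):
        if _cn_after(block, "Subject") != dc_fqdn or _cn_after(block, "Issuer") != ca_name:
            continue
        if SERVER_AUTH_OID not in block:
            continue
        m = re.search(r"NotAfter:\s*(\S+ \S+)", block)
        if m and datetime.strptime(m.group(1), "%d/%m/%Y %H:%M") < now:
            continue  # expired: the LDAPS handshake would fail anyway
        return int(idx)
    return None
```

Feed the function the contents of the redirected file from step (1) (e.g. C:\certificates.txt) and pass the returned index to the CertUtil -store MY command in step (2).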
(3) Import certificate to the keystore of Endpoint Security Server
- Copy the certificate file to the Endpoint Security Server.
Go to the "jre" directory:
- On Windows OS: %UEPMDIR%\engine\jre
- On Gaia OS: $UEPMDIR/engine/jre
Note: On R80.x server - $CPDIR/jre_32 or $CPDIR/jre_64
Import the certificate to the keystore:
You will be prompted to enter a password.
The default password is "changeit".
At the end of the import, you will be asked "Trust this certificate? [no]:" - confirm by entering y to complete the process.
Output should be "Certificate was added to the keystore".
Restart the Endpoint Security Server: