In some deployments the Endpoint Security Server must connect to a Domain Controller (DC) over LDAPS (LDAP over SSL/TLS, port 636) instead of plain LDAP. For the TLS handshake to succeed, the Java keystore used by the Endpoint Security Server must trust the certificate that the DC presents.
Proceed as follows:
(1) Find the index of the DC's SSL certificate
On a DC that is configured to support LDAPS, list the certificates in the computer's Personal (MY) store:
CertUtil -store -v MY
The output is a list of certificates, each preceded by a separator row of the form "================ Certificate 0 ================", where 0 is the index of that certificate.
- You can redirect the output of this command to a file (e.g., CertUtil -store -v MY > C:\certificates.txt).
- Alternatively, you can use the Certificate Manager tool to view and export the certificate(s).
In the list of certificates, find the certificate that meets all three conditions:
- its Subject is the DC's FQDN (in the example below, "DC.mulberry.com")
- its Enhanced Key Usage extension contains OID 1.3.6.1.5.5.7.3.1 (Server Authentication)
- its Issuer is the name of the CA that issued it (in the example below, "ext")
Also check that the certificate is within its validity period (NotBefore / NotAfter): an expired certificate is rejected by the LDAPS client even after it has been imported.
Note the certificate's index - the number in the separator row before each certificate (in the following fragment it is "================ Certificate 0 ================").
================ Certificate 0 ================
Serial Number: 1b9b02cb00000000000c
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters: 05 00
NotBefore: 19/07/2012 15:45
NotAfter: 19/07/2013 15:55
Certificate Extensions: 7
    2.5.29.15: Flags = 1(Critical), Length = 4
        Digital Signature, Key Encipherment (a0)
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
(2) Save the certificate to a file
On the DC, export the certificate with the index found in step 1 (the file is written in binary DER encoding):
CertUtil -store MY <certificate_index> <path_to>\<file_name>
For example:
CertUtil -store MY 0 C:\ServerCert.cer
(3) Import the certificate into the keystore of the Endpoint Security Server
- Copy the certificate file to the Endpoint Security Server.
- Go to the "jre" directory:
  - On Windows OS: %UEPMDIR%\engine\jre
  - On Gaia OS: $UEPMDIR/engine/jre
  Note: On an R80.x server the directory is $CPDIR/jre_32 or $CPDIR/jre_64
- Import the certificate into the JRE keystore with keytool:
  You will be prompted for the keystore password. The default password is "changeit".
  At the end of the import you are asked "Trust this certificate? [no]:" - enter y to complete the process.
  The output should be "Certificate was added to keystore".
  Because the imported certificate is the DC's own (leaf) certificate, trust ends on its NotAfter date; when the DC certificate is renewed, repeat this procedure with the new certificate.
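The index lookup of step 1, the export of step 2 and the keytool import of step 3 can be scripted. The following is an added example, not part of this article and not Check Point tooling: it parses a constructed "CertUtil -store -v MY" dump modelled on the fragment above, selects the certificates whose Subject is the DC FQDN, whose Issuer is the CA and that carry the Server Authentication EKU, drops any that are expired or not yet valid, and prints the matching CertUtil and keytool command lines. The keytool alias "dc-ldaps", the keystore path "lib/security/cacerts" relative to the jre directory, and the accepted date formats are assumptions, not taken from the article.

```python
"""Pick the DC's LDAPS certificate out of 'CertUtil -store -v MY' output.

Added example, not part of the article or Check Point's tooling. SAMPLE_DUMP is
constructed to resemble certutil's verbose output for the article's scenario.
"""
import re
from datetime import datetime

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, listed under Enhanced Key Usage
DATE_FORMATS = ("%d/%m/%Y %H:%M", "%m/%d/%Y %I:%M %p", "%Y-%m-%d %H:%M")  # assumed locales

# Constructed sample: 0 = expired server cert, 1 = client-auth only, 2 = the one to export.
SAMPLE_DUMP = """\
================ Certificate 0 ================
Serial Number: 1b9b02cb00000000000c
Issuer:
    CN=ext
 NotBefore: 19/07/2012 15:45
 NotAfter: 19/07/2013 15:55
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 7
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
================ Certificate 1 ================
Serial Number: 5a01
Issuer:
    CN=ext
 NotBefore: 01/01/2012 10:00
 NotAfter: 01/01/2035 10:00
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 3
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
================ Certificate 2 ================
Serial Number: 1b9b02cb00000000001f
Issuer:
    CN=ext
 NotBefore: 01/07/2012 09:00
 NotAfter: 01/07/2030 09:00
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 7
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
"""

HEADER_RE = re.compile(r"^=+ Certificate (\d+) =+\s*$", re.M)

def split_certs(dump):
    """Yield (index, text) for each '== Certificate N ==' block of the dump."""
    heads = list(HEADER_RE.finditer(dump))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        yield int(h.group(1)), dump[h.end():end]

def dn_cn(block, label):
    """CN from the 'Subject:' or 'Issuer:' DN (certutil prints one RDN per indented line)."""
    m = re.search(rf"^{label}:\s*\n((?:[ \t]+\S.*\n)+)", block, re.M)
    cn = re.search(r"CN=([^,\n]+)", m.group(1)) if m else None
    return cn.group(1).strip() if cn else None

def date_field(block, label):
    """Parse 'NotBefore:'/'NotAfter:'; None when the locale's date format is not recognised."""
    m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", block, re.M)
    for fmt in (DATE_FORMATS if m else ()):
        try:
            return datetime.strptime(m.group(1), fmt)
        except ValueError:
            continue
    return None

def find_dc_certs(dump, dc_fqdn, ca_name, now=None):
    """Indexes of certs meeting the article's three criteria and valid at 'now' (ISO string)."""
    at = datetime.fromisoformat(now) if now else datetime.now()
    hits = []
    for idx, block in split_certs(dump):
        if (dn_cn(block, "Subject") or "").lower() != dc_fqdn.lower():
            continue
        if (dn_cn(block, "Issuer") or "").lower() != ca_name.lower():
            continue
        if not re.search(r"\(" + re.escape(SERVER_AUTH_OID) + r"\)", block):
            continue
        nb, na = date_field(block, "NotBefore"), date_field(block, "NotAfter")
        if (nb and nb > at) or (na and na < at):
            continue  # not yet valid or expired: the LDAPS client would reject it anyway
        hits.append(idx)
    return hits

def export_command(index, out_file=r"C:\ServerCert.cer"):
    """Step 2: CertUtil writes the certificate with that index to a DER file."""
    return f"CertUtil -store MY {index} {out_file}"

def import_command(cert_file, alias="dc-ldaps", keystore="lib/security/cacerts"):
    """Step 3, run from the jre directory. Alias and keystore path are assumptions."""
    return f"keytool -importcert -trustcacerts -alias {alias} -keystore {keystore} -file {cert_file}"

if __name__ == "__main__":
    found = find_dc_certs(SAMPLE_DUMP, "DC.mulberry.com", "ext")
    if not found:
        raise SystemExit("no currently valid Server Authentication certificate for the DC")
    print(export_command(found[0]))
    print(import_command(r"C:\ServerCert.cer"))
```

Run the script against a real dump by replacing SAMPLE_DUMP with the contents of C:\certificates.txt; if it returns more than one index, the DC holds several valid server certificates and you should export the one whose issuer chain the Endpoint Security Server is expected to trust.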
Restart the Endpoint Security Server: