Enabling TLS for Active Directory Connection

The following describes how to optionally enable TLS for the Active Directory (AD) connection.

There are currently 3 Trust Manager Types supported. They can be selected in the MS Auto-enrollment alias page.

Authentication Key Binding

Step 1 - Set up Authentication Key Binding 

An authentication key binding can be used to establish trust and enable TLS for the Active Directory connection. The key binding needs to be bound to the Issuing CA certificate.

For instructions, see Setting up a Remote Authenticator.

Step 2 - Enrolling TLS Certificate to your AD's Local Store

Following the MS Auto-enrollment setup of EJBCA, your Active Directory should have a computer certificate enrolled through EJBCA.

Certificate Requirements:

This certificate may be used as server certificate for the LDAPS connection, though a separate certificate can be enrolled for this purpose as well. Whichever certificate is used, it has to fulfil the following criteria:

• LDAPS certificate is located in the Local Computer's Personal certificate store.

• The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) OID.

• The Active Directory fully qualified domain name of the domain controller must exist as DNS Name in the Subject Alternative Name extension (this can be achieved by enrolling using a Certificate Template with "DNS name included as alternative name")

Step 3 - Enable TLS Settings in EJBCA

As the final step, enable the TLS connection:

1. In EJBCA, select AutoEnrollment Configuration, and edit alias.

2. Specify the following:

   • Select Use SSL.

   • Select Authentication Key Binding as Trust Manager Type.

   • Select the Key Binding created in Enabling TLS for Active Directory Connection#Step 1 - Set up Authentication Key Binding.

   • Change Active Directory Port to the TLS port of your AD. The default port is 636.

3. Click Save and then click Test Connection to confirm the connection.

Imported CA Certificates

Alternatively, trust can be established using CA certificates in EJBCA's database. To enable this option:

1. In EJBCA, select AutoEnrollment Configuration, and edit alias.

2. Specify the following:

   • Select Use SSL.

   • Select Trust Imported CA Certificates as Trust Manager Type.

   • Change Active Directory Port to the TLS port of your AD. The default port is 636.

3. Click Save and then click Test Connection to confirm the connection.

Local Trust Store

Another way to establish trust for SSL connection to AD is to import your Issuing CA certificate into your local trust store. To enable this option:

1. Import Issuing CA certificate(s) into your local trust store.

# And example usage:
cd $JAVA_HOME/jre/lib/security
keytool -import -trustcacerts -alias IssuingCA.cacert.pem -file /file/location/IssuingCA.cacert.pem -keystore cacerts

2. In EJBCA, select AutoEnrollment Configuration, and edit alias.

3. Specify the following:

   • Select Use SSL.

   • Select Local Trust Store as Trust Manager Type.

   • Select the Key Binding created in Enabling TLS for Active Directory Connection#Step 1 - Set up Authentication Key Binding.

   • Change Active Directory Port to the TLS port of your AD. The default port is 636.

4. Click Save and then click Test Connection to confirm the connection.