In some cases, you may use multiple certificates for SSL. In most cases, uploading the AD root certificate as a directory trust is the only certificate that you need to make LDAP over SSL work. However, if a different directory trust certificate is uploaded, that is, one other than a root certificate, that other certificate must be verified to a higher level certificate, such as a root certificate. In this case, a certificate chain is created because more than one extra certificate is involved. For example, you may have the following certificates in your certificate chain:
Root Certificate—The top-level CA certificate in the trust chain which will have similar issuer and the subject name.
Intermediate Certificate—The CA certificate that is part of the trust chain (other than the top level). This follows the hierarchy starting from root till the last intermediate.
Leaf Certificate—The certificate issued to the service/server which is signed by the immediate intermediate.
For example, your company has two certificates and a root certificate in your certificate chain. The following example shows the contents of a certificate:
- Version: 3 (0x2)
- Serial Number:
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: DC=com, DC=DOMAIN3, CN=jim
Not Before: Apr 13 14:17:51 2009 GMT
Not After: Apr 13 14:26:17 2014 GMT
- Subject: DC=com, DC=DOMAIN3, CN=jim
If you have a two node chain, the chain contains the root and leaf certificate. In this case, uploading the root certificate to the directory trust is all you need to do.
If you have more than a two node chain, the chain contains the root, leaf, and intermediate certificates. In this case, the root certificate and all the intermediate certificates, excluding the leaf certificate, needs to be uploaded to the directory trust.
At the highest level in the certificate chain, that is, for the root certificate, check to make sure that the Issuer field matches the Subject field. If the Issuer field and Subject field do not match, the certificate is not a root certificate; it is an intermediate certificate. In this case, identify the complete chain from root to the last intermediate certificate, and upload the complete chain to the directory trust store.
In addition, check the Validity field to ensure the certificate has not expired. If the intermediate is expired, get the new chain from the certificate authority, along with the new leaf that is signed by using the new chain. If only the leaf certificate is expired, get a new signed certificate.