
Using AD server as a ldap server and 4k bit server certificate key

Posted by William on October 13, 2005, 10:28 pm
Hi guys,
I am trying to use the CA service on Windows 2003 Server to create a 4k-bit
self-signed CA certificate and use it to sign a 4k-bit AD server certificate.
Then I exported the self-signed CA certificate to the client that will use
this certificate to bind to the AD server (as an LDAP server on port 636
using SSL/TLS; the AD server is also the Domain Controller and Certification
Authority). However, the client and server handshake failed. I also used
the same CA certificate to sign a 1k-bit server certificate, and my client
(openssl s_client) can bind to the AD server successfully.

It appears to me that the AD server cannot handle a 4k-bit server certificate.
If anyone can shed some light on this I would appreciate it. Thanks in advance.

William


Posted by S. Pidgorny on October 16, 2005, 5:47 pm
Have you tried proper elimination during the troubleshooting process, e.g.:

- using another type of client like a Windows XP workstation and any of MS
tools to bind to the LDAPs server (eliminating: openssl client issue)
- using the keys/certificate for HTTP service and openssl as well as other
clients to connect to the server (eliminating: LDAP issue)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


Posted by William on October 17, 2005, 1:05 am
Hi Svyatoslav,
Thanks for your suggestions. I have tried to use openssl s_client to connect
to an OpenLDAP slapd server using a 4k-bit CA cert and a 4k-bit server cert. It
works fine.
So I now highly suspect that the AD server cannot handle a 4k-bit server
cert somehow.

You suggested using other servers and client tools. Could you give me more
details about that? Thanks.

William

Posted by S. Pidgorny on October 17, 2005, 7:52 pm
Ok, here's something for you to try:

* Use the existing 4K cert to configure a secure site in IIS on the same server
with LDAP. See if you can connect to the Web site using HTTPS in IE and Firefox
or Safari. That will make sure that Schannel picks up the cert from the computer
store (where it should be) and can use it.
* Install Stunnel on the server and use the cert to create an SSL wrapper for
LDAP. See if you can connect to the service.
* Use alternative LDAP clients, like Microsoft's ADSI Edit and LDAP Browser
from Softerra (www.ldapbrowser.com), against all the servers - native LDAPS,
Stunnel-wrapped, and slapd.

If the cert is in the right store and you have followed the right procedure
to enable LDAPS (and the DC is listening on 636/TCP), yet all scenarios but
native support work - perhaps there's a limitation. 1K certs are reasonable
for practical purposes though.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-





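Added example, not part of the thread and not code from either poster: it reproduces the control test William described (a 4k-bit self-signed CA, a 4k-bit server certificate signed by it, and openssl s_client against an OpenSSL-based listener), and packages the s_client probe so the same check can be pointed at the DC on 636/TCP as Svyatoslav's elimination steps suggest. The probe reports both the verify result and the key size of the certificate the server actually presented, which is the detail worth checking when a 1k-bit and a 4k-bit certificate have both been issued to the same machine. The host name dc.example.test and the local ports 46360/46361 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the control test William
# ran against slapd (4k-bit CA, 4k-bit server cert, openssl s_client) with a
# local openssl s_server, and wraps the s_client probe so the same check can
# be pointed at the DC on 636/TCP.
# Hypothetical names: dc.example.test, ports 46360/46361.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# RSA key size of the first PEM certificate on stdin (prints e.g. 4096).
key_bits() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Throwaway PKI shaped like William's: a self-signed CA and a server cert
# signed by it, both with the requested RSA size. The server cert carries the
# serverAuth EKU and a SAN, which a TLS client expects of an LDAPS endpoint.
make_pki() {   # make_pki DIR BITS
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$1/srv.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = dc.example.test
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc.example.test
EOF
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey "rsa:$2" -nodes -sha256 -config "$1/srv.cnf" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/srv.cnf" -extensions srv_ext \
        -out "$1/srv.pem" 2>/dev/null
}

# The probe William used, as a function: handshake with HOST:PORT, verify the
# chain against CAFILE, print "<verify return code> <server key bits>".
# "0 4096" means the handshake completed, the chain verified, and the server
# presented the 4k-bit certificate rather than a leftover 1k-bit one.
# Against the DC in the thread: ldaps_probe dc.example.test 636 ca.pem
ldaps_probe() {   # ldaps_probe HOST PORT CAFILE
    out=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p')
    bits=$(printf '%s\n' "$out" | key_bits)
    echo "${code:-none} ${bits:-0}"
}

# Control test: serve the generated cert from openssl s_server on 127.0.0.1
# and probe it, which is what William's slapd test established for OpenSSL.
local_probe() {   # local_probe DIR PORT
    openssl s_server -accept "$2" -cert "$1/srv.pem" -key "$1/srv.key" \
        -www -naccept 1 >/dev/null 2>&1 &
    pid=$!
    result="none 0"; tries=0
    while [ "$tries" -lt 10 ]; do        # "none" = listener not up yet, retry
        result=$(ldaps_probe 127.0.0.1 "$2" "$1/ca.pem")
        case $result in none*) tries=$((tries + 1)); sleep 1 ;; *) break ;; esac
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

make_pki "$WORK" 4096
echo "CA key: $(key_bits < "$WORK/ca.pem") bits, server key: $(key_bits < "$WORK/srv.pem") bits"
echo "local 4096-bit LDAPS-style handshake: $(local_probe "$WORK" 46360)"
```

Run against the real DC with the exported CA certificate (`ldaps_probe dc.example.test 636 ca.pem`) after installing each server certificate in turn. A result whose second field is 1024 while the 4k-bit certificate is supposedly active means Schannel is still picking the 1k-bit certificate from the Local Computer personal store, not failing on the 4k-bit one. Schannel only considers a certificate for LDAPS if it sits in that store with its private key, carries the Server Authentication EKU, and names the DC's FQDN in the subject or subject alternative name, so the generated srv.cnf above mirrors those properties on purpose; a 4k-bit certificate missing one of them gives exactly the symptom in the thread, a handshake that fails for reasons unrelated to key size.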