William (Guest)
Posted: Fri Oct 14, 2005 8:51 am
Post subject: Using AD server as a ldap server and 4k bit server certifica
Hi guys,
I am trying to use the CA service on Windows 2003 Server to create a 4k bit
self-signed CA certificate and use it to sign a 4k bit AD server certificate.
Then I exported the self-signed CA certificate to the client that will use
this certificate to bind to the AD server (as an LDAP server on port 636
using SSL/TLS; the AD server is also Domain Controller and Certification
Authority). However, client and server handshaking failed. I also used
the same CA certificate to sign a 1k bit server certificate, and my client
(openssl s_client) can bind to the AD server successfully.
It appears to me that the AD server cannot handle a 4k bit server certificate.
If anyone can give me light on this I would appreciate it. Thanks in advance.
William
S. Pidgorny (Guest)
Posted: Sun Oct 16, 2005 8:50 am
Post subject: Re: Using AD server as a ldap server and 4k bit server certi
Have you tried proper elimination during the troubleshooting process, e.g.:
- using another type of client like a Windows XP workstation and any of MS
tools to bind to the LDAPs server (eliminating: openssl client issue)
- using the keys/certificate for HTTP service and openssl as well as other
clients to connect to the server (eliminating: LDAP issue)
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"William" <William@discussions.microsoft.com> wrote in message
news:2A34053C-0A45-4BE7-97B3-857EF08B0717@microsoft.com...
> Hi guys,
> I am trying to use the CA service on Windows 2003 Server to create a 4k bit
> self-signed CA certificate and use it to sign a 4k bit AD server certificate.
> Then I exported the self-signed CA certificate to the client that will use
> this certificate to bind to the AD server (as an LDAP server on port 636
> using SSL/TLS; the AD server is also Domain Controller and Certification
> Authority). However, client and server handshaking failed. I also used
> the same CA certificate to sign a 1k bit server certificate, and my client
> (openssl s_client) can bind to the AD server successfully.
> It appears to me that the AD server cannot handle a 4k bit server certificate.
> If anyone can give me light on this I would appreciate it. Thanks in advance.
> William
William (Guest)
Posted: Mon Oct 17, 2005 8:51 am
Post subject: Re: Using AD server as a ldap server and 4k bit server certi
"S. Pidgorny <MVP>" wrote:
> Have you tried proper elimination during the troubleshooting process, e.g.:
> - using another type of client like a Windows XP workstation and any of MS
> tools to bind to the LDAPs server (eliminating: openssl client issue)
> - using the keys/certificate for HTTP service and openssl as well as other
> clients to connect to the server (eliminating: LDAP issue)
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "William" <William@discussions.microsoft.com> wrote in message
> news:2A34053C-0A45-4BE7-97B3-857EF08B0717@microsoft.com...
> > Hi guys,
> > I am trying to use the CA service on Windows 2003 Server to create a 4k bit
> > self-signed CA certificate and use it to sign a 4k bit AD server certificate.
> > Then I exported the self-signed CA certificate to the client that will use
> > this certificate to bind to the AD server (as an LDAP server on port 636
> > using SSL/TLS; the AD server is also Domain Controller and Certification
> > Authority). However, client and server handshaking failed. I also used
> > the same CA certificate to sign a 1k bit server certificate, and my client
> > (openssl s_client) can bind to the AD server successfully.
> > It appears to me that the AD server cannot handle a 4k bit server certificate.
> > If anyone can give me light on this I would appreciate it. Thanks in advance.
> > William
William (Guest)
Posted: Mon Oct 17, 2005 8:51 am
Post subject: Re: Using AD server as a ldap server and 4k bit server certi
Hi Svyatoslav,
Thanks for your suggestions. I have tried to use openssl s_client to connect
to an OpenLDAP slapd server using a 4k bit CA cert and a 4k bit server cert. It
works fine.
So I now highly suspect that the AD server could not handle a 4k bit server
cert somehow.
You suggested using other servers and client tools. Could you give me more
details about that? Thanks
William

"S. Pidgorny <MVP>" wrote:
> Have you tried proper elimination during the troubleshooting process, e.g.:
> - using another type of client like a Windows XP workstation and any of MS
> tools to bind to the LDAPs server (eliminating: openssl client issue)
> - using the keys/certificate for HTTP service and openssl as well as other
> clients to connect to the server (eliminating: LDAP issue)
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "William" <William@discussions.microsoft.com> wrote in message
> news:2A34053C-0A45-4BE7-97B3-857EF08B0717@microsoft.com...
> > Hi guys,
> > I am trying to use the CA service on Windows 2003 Server to create a 4k bit
> > self-signed CA certificate and use it to sign a 4k bit AD server certificate.
> > Then I exported the self-signed CA certificate to the client that will use
> > this certificate to bind to the AD server (as an LDAP server on port 636
> > using SSL/TLS; the AD server is also Domain Controller and Certification
> > Authority). However, client and server handshaking failed. I also used
> > the same CA certificate to sign a 1k bit server certificate, and my client
> > (openssl s_client) can bind to the AD server successfully.
> > It appears to me that the AD server cannot handle a 4k bit server certificate.
> > If anyone can give me light on this I would appreciate it. Thanks in advance.
> > William
S. Pidgorny (Guest)
Posted: Mon Oct 17, 2005 12:50 pm
Post subject: Re: Using AD server as a ldap server and 4k bit server certi
Ok, here's something for you to try:
* Use the existing 4K cert to configure a secure site in IIS on the same server
w/LDAP. See if you can connect to the Web site using HTTPs in IE and Firefox
or Safari. That will make sure that schannel picks up the cert from the computer
store (where it should be) and can use it.
* Install Stunnel on the server and use the cert to create an SSL wrapper for
LDAP. See if you can connect to the service.
* Use alternative LDAP clients, like Microsoft's ADSI Edit and LDAP Browser
from Softerra (www.ldapbrowser.com) against all the servers - native LDAPs,
Stunnel-wrapped, and slapd.
If the cert is in the right store and you have followed the right procedure
to enable LDAPs (and the DC is listening on 636/TCP), yet all scenarios but
native support work - perhaps there's a limitation. 1K certs are reasonable
for practical purposes though.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"William" <William@discussions.microsoft.com> wrote in message
news:D9AC1A71-242D-44B2-B467-C63CC2BAFB0B@microsoft.com...
> Hi Svyatoslav,
> Thanks for your suggestions. I have tried to use openssl s_client to connect
> to an OpenLDAP slapd server using a 4k bit CA cert and a 4k bit server cert. It
> works fine.
> So I now highly suspect that the AD server could not handle a 4k bit server
> cert somehow.
> You suggested using other servers and client tools. Could you give me more
> details about that? Thanks
> William
>
> "S. Pidgorny <MVP>" wrote:
> > Have you tried proper elimination during the troubleshooting process, e.g.:
> > - using another type of client like a Windows XP workstation and any of MS
> > tools to bind to the LDAPs server (eliminating: openssl client issue)
> > - using the keys/certificate for HTTP service and openssl as well as other
> > clients to connect to the server (eliminating: LDAP issue)
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> > "William" <William@discussions.microsoft.com> wrote in message
> > news:2A34053C-0A45-4BE7-97B3-857EF08B0717@microsoft.com...
> > > Hi guys,
> > > I am trying to use the CA service on Windows 2003 Server to create a 4k bit
> > > self-signed CA certificate and use it to sign a 4k bit AD server certificate.
> > > Then I exported the self-signed CA certificate to the client that will use
> > > this certificate to bind to the AD server (as an LDAP server on port 636
> > > using SSL/TLS; the AD server is also Domain Controller and Certification
> > > Authority). However, client and server handshaking failed. I also used
> > > the same CA certificate to sign a 1k bit server certificate, and my client
> > > (openssl s_client) can bind to the AD server successfully.
> > > It appears to me that the AD server cannot handle a 4k bit server certificate.
> > > If anyone can give me light on this I would appreciate it. Thanks in advance.
> > > William
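The elimination Svyatoslav describes (the native LDAPS listener on the DC, the same cert behind Stunnel, and slapd, each probed with openssl s_client the way William already does) leaves the troubleshooter with a pile of s_client transcripts to compare. As an added example that is not part of the thread or of any tool it names, the Python below reduces each transcript to the three facts that decide the case (did the handshake complete, what key size did the server present, did the chain verify against the exported CA) and applies the elimination logic to the three server kinds. The host names and transcripts are constructed; the only real tool invoked is the openssl CLI inside probe(), which the parsing and verdict functions do not need.

```python
"""Triage helper for the LDAPS elimination matrix discussed in the thread.

Added example, not code from the thread, Microsoft or OpenSSL. It parses the
text printed by `openssl s_client -connect host:port -CAfile ca.pem`.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProbeResult:
    target: str                 # label for the server being eliminated
    handshake_ok: bool          # did s_client complete a TLS handshake?
    key_bits: Optional[int]     # "Server public key is N bit", if printed
    verify_code: Optional[int]  # "Verify return code: N (...)", if printed
    verify_text: str


KEY_RE = re.compile(r"Server public key is (\d+) bit")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
CIPHER_RE = re.compile(r"Cipher is (.+)")


def build_probe_command(host: str, port: int, cafile: str) -> List[str]:
    """argv for the probe William used; -CAfile carries the exported CA cert."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-CAfile", cafile]


def parse_s_client(target: str, output: str) -> ProbeResult:
    """Reduce s_client's verbose output to the facts that decide the case."""
    cipher = CIPHER_RE.search(output)
    # A failed handshake leaves "Cipher is (NONE)" and no peer certificate,
    # which is a different failure from a chain that does not verify.
    handshake_ok = (cipher is not None
                    and cipher.group(1).strip() != "(NONE)"
                    and "no peer certificate available" not in output)
    key = KEY_RE.search(output)
    verify = VERIFY_RE.search(output) if handshake_ok else None
    return ProbeResult(
        target=target,
        handshake_ok=handshake_ok,
        key_bits=int(key.group(1)) if key else None,
        verify_code=int(verify.group(1)) if verify else None,
        verify_text=verify.group(2) if verify else "",
    )


def probe(target: str, host: str, port: int, cafile: str) -> ProbeResult:
    """Run the real probe (needs the openssl binary and network access)."""
    proc = subprocess.run(build_probe_command(host, port, cafile),
                          input="", capture_output=True, text=True, timeout=30)
    return parse_s_client(target, proc.stdout + proc.stderr)


def diagnose(results: Dict[str, ProbeResult]) -> str:
    """Apply the thread's elimination logic to the three server kinds.

    Expected keys: "native" (DC on 636), "stunnel" (same cert, SSL wrapper),
    "slapd" (OpenLDAP with the same CA). Returns a one-line verdict.
    """
    ok = {k: r.handshake_ok and r.verify_code == 0 for k, r in results.items()}
    if not any(ok.values()):
        return "every server fails: suspect the client, the CA file or the key material"
    if ok.get("stunnel") and ok.get("slapd") and not ok.get("native"):
        bits = results["stunnel"].key_bits
        return (f"only the native LDAPS listener fails with the {bits}-bit cert: "
                "confirm the cert and private key sit in the computer store and "
                "the DC listens on 636/TCP, then suspect a schannel/LDAPS limitation")
    if all(ok.values()):
        return "all servers accept the cert: the original failure was elsewhere"
    return "mixed results, failing: " + ", ".join(sorted(k for k, v in ok.items() if not v))


# Constructed transcripts (hypothetical hosts), trimmed to the lines parsed above.
SAMPLE_SLAPD_OK = """CONNECTED(00000003)
depth=1 /CN=Lab Root CA
verify return:1
depth=0 /CN=ldap.lab.test
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
    Verify return code: 0 (ok)
"""
SAMPLE_NATIVE_FAIL = """CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
SAMPLE_UNTRUSTED = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
    Verify return code: 19 (self signed certificate in certificate chain)
"""

if __name__ == "__main__":
    matrix = {"native": parse_s_client("native", SAMPLE_NATIVE_FAIL),
              "stunnel": parse_s_client("stunnel", SAMPLE_SLAPD_OK),
              "slapd": parse_s_client("slapd", SAMPLE_SLAPD_OK)}
    print(diagnose(matrix))
```

The parser deliberately separates a handshake that never completes (William's symptom: no cipher, no peer certificate) from a handshake that completes but whose chain is not trusted (verify code 19, the result of forgetting -CAfile); only the first points at the server side, and the verdict function refuses to blame the native listener until the same key material has worked behind Stunnel and in slapd.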