Configuring LDAP Server Certificates
An LDAP server's certificate can be CA-signed or self-signed. This section describes how to initially configure certificates and how to manage a new certificate when the previous certificate expires.
Initially Configuring LDAP Server Certificates
For more information about trusted certificates, see the sections about trusted certificates in Configuring Certificates.
You can supply a list of trusted CA certificates. LDAP server certificates issued by those trusted CAs do not require special management.
If an LDAP server's certificate is not issued by a trusted CA, whether the certificate is issued by a CA or is self-signed, you will be asked to review and approve the certificate. The Accept LDAP Server Certificate dialog box displays information about the certificate and requests that you accept or reject the certificate. If you accept the certificate, that certificate is added to the list of trusted certificates.
Managing Expired and New LDAP Server Certificates
If you individually accepted a certificate, either a CA-signed certificate or a self-signed certificate, then when the LDAP server's certificate expires, you must approve the new certificate. Select the server, test the connection, and examine and approve the new certificate. See Approving a New LDAP Server Certificate - BUI, CLI.
If you supply CA certificates, changes in the individual server certificates are handled automatically. When your server changes CA certificates, ensure that the new CA certificate is added to the appliance before your LDAP server starts using it. If the server starts using the new CA certificate before you add it to the appliance, your LDAP service will be interrupted.
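As an added illustration (not part of this documentation or of the appliance's own code), the following Go program models the two trust paths just described with the standard library's x509 verifier: a server certificate issued by a trusted CA is accepted without operator action even after renewal, while an individually accepted certificate is recognised only by its exact SHA-256 fingerprint and must be approved again once it expires or is replaced. The names Evaluate and MakeCert, the outcome strings, and the example.test host names are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Trust outcomes, modelling the two paths described above (constructed for this example).
const (
	TrustedByCA   = "trusted: issued by a trusted CA, renewals handled automatically"
	TrustedPinned = "trusted: individually accepted certificate, still valid"
	NeedsApproval = "needs approval: not from a trusted CA, and not an accepted, unexpired certificate"
)

// Evaluate tries the trusted-CA path first, then the individually accepted (pinned) list.
// Acceptance is keyed on the SHA-256 of the DER bytes, so a renewed certificate never matches
// and must be approved again, as the text describes for individually accepted certificates.
func Evaluate(server *x509.Certificate, cas *x509.CertPool, accepted map[[32]byte]bool, now time.Time) string {
	if _, err := server.Verify(x509.VerifyOptions{Roots: cas, CurrentTime: now}); err == nil {
		return TrustedByCA
	}
	if accepted[sha256.Sum256(server.Raw)] && now.Before(server.NotAfter) {
		return TrustedPinned
	}
	return NeedsApproval
}

// MakeCert builds a throwaway certificate for the demo; parent == nil means self-signed.
func MakeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Sign one server certificate with a demo CA placed in the pool and self-sign another whose fingerprint is recorded as accepted: Evaluate returns TrustedByCA for the CA-issued certificate and for its renewal, TrustedPinned for the self-signed one until its NotAfter passes, and NeedsApproval for the expired or re-issued self-signed certificate.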
Approving a New LDAP Server Certificate (BUI)
Use this procedure to accept a new certificate after the previous certificate has expired.
Before You Begin
TLS must be enabled. Make sure the Enable SSL/TLS box is checked.
Related Topics