Add CA Certificate to Keystore for LDAP Authentication on Windows Software deployments
03/26/2020 1,051 People found this article helpful 94,380 Views
Adding a CA certificate to the Keystore for LDAP Authentication on a Software (Windows) deployment of GMS
When domain users are given permissions to use GMS, it is possible to configure the LDAP communication using TLS for secured communication between the GMS server and the LDAP server. This requires a trusted, signed certificate for the LDAP Authentication server.
Typically, the Certificate Authority (CA) which signs these TLS certificates for LDAP Authentication servers is itself an internal corporate Domain Controller, as opposed to a trusted public CA.
Therefore, it's root CA Certificate needs to be added to the GMS Certificates keystore, so it can be recognized as a trusted Certificate Authority for singing the trusted, signed certificate.
Step 1: Export copy of LDAP CA certificate from AD server and copy to desktop of GMS server.
Step 2: Run command prompt on GMS server using cmd from [installDir]:\GMSVPjrebin
keytool -import -alias <createAlias> -file <full path of the certificate(.cer/.crt) file on your system> -trustcacerts -keystore C:GMSVPjrelibsecuritycacerts
(below is an example, where GMS is installed on the C drive, the alias given to the CA certificate is named "cacertificate" and the file is saved on the Administrator's desktop as "cacertificateexport.cer")
keytool -import -alias cacertificate -file C:WindowsusersAdministratorDesktopcacertificateexport.cer -trustcacerts -keystore C:GMSVPjrelibsecuritycacerts
Password is changeit
Step 3: Once imported, rename the jssecacerts file in [installDir]:GMSVPjrelibsecurity directory. (example: jssecacertsold)
Step 4: Make a copy of the cacerts file (which was modified in step2) and rename only the copied file to jssecacerts.
Step 5: Restart Server and test LDAP config.