Configure LDAPS with Self-Signed Certificate (On-prem)

Problem:

How can we configure LDAPS authentication with the OverOps backend server using a self-signed certificate or a certificate that may not reside on the server where the backend is running?

Environment:

Any OverOps Backend Server

Any supported distros of Linux

Solution:

Copy a valid CA certificate to the server where the backend is running and install it into the operating system's trust store using the instructions for your distribution below.

Linux (Ubuntu, Debian)

  1. Copy your CA certificate (the file must carry a .crt extension, or update-ca-certificates will ignore it) to the directory /usr/local/share/ca-certificates/
  2. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
  3. Update the CA store: sudo update-ca-certificates

Linux (CentOS 6)

  1. Install the ca-certificates package: yum install ca-certificates
  2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
  4. Use command: update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

Install the certificate onto the server. As an example, on Ubuntu the certificate can be installed with the following commands:

cp /path/to/.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

The update-ca-certificates command appends the certificate to the bundle /etc/ssl/certs/ca-certificates.crt and adds a symlink for it in /etc/ssl/certs/, a directory that already holds a long list of trusted CA certificates.

To validate the connection, use the openssl command to connect to the LDAP server over ldaps, verifying the server's certificate against the CA certificates located in /etc/ssl/certs/ (the directory the command below points at with -CApath):

openssl s_client -connect foo.whatever.com:636 -CApath /etc/ssl/certs </dev/null

If the handshake succeeds and openssl reports "Verify return code: 0 (ok)", use the ldapsearch tool to query the LDAP server through port 636 (ldaps://):

ldapsearch -x -D "cn=binduser,dc=company,dc=com" -W -H ldaps://<server_address> -b "dc=company,dc=com" -s sub "(cn=test.user)"
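The install-then-validate procedure above, collected into one script as an added example (this is not OverOps tooling and not part of the original article). It picks the trust-store directory and update command for the running distribution from /etc/os-release, installs the CA file, and then checks the LDAPS handshake by reading the "Verify return code" line that openssl s_client prints rather than relying on an eyeball check. The distro-to-path mapping only covers the Debian and CentOS/RHEL families named in the article; the LDAPS_HOST and LDAPS_CA environment variables are assumed names for this script, not anything the backend reads.

```shell
#!/bin/sh
# Added example: install a CA into the OS trust store and verify the LDAPS handshake.
# Assumes only the Debian and CentOS/RHEL families covered by the article.
set -eu

# Read the distro ID from /etc/os-release ("unknown" when the file is missing).
detect_distro() {
  if [ -r /etc/os-release ]; then . /etc/os-release; echo "${ID:-unknown}"; else echo unknown; fi
}

# Directory the trust-store tooling scans for new anchors.
trust_store_dir() {
  case "$1" in
    ubuntu|debian)                       echo /usr/local/share/ca-certificates ;;
    centos|rhel|rocky|almalinux|fedora)  echo /etc/pki/ca-trust/source/anchors ;;
    *) return 1 ;;
  esac
}

# Command that rebuilds the system bundle after a new anchor is dropped in.
trust_update_cmd() {
  case "$1" in
    ubuntu|debian)                       echo "update-ca-certificates" ;;
    centos|rhel|rocky|almalinux|fedora)  echo "update-ca-trust extract" ;;
    *) return 1 ;;
  esac
}

# Copy the CA file into the anchor directory and rebuild the bundle.
# On CentOS 6 the article's "update-ca-trust force-enable" step must be run once first.
install_ca() {
  distro=$1; cert=$2
  dir=$(trust_store_dir "$distro") || { echo "unsupported distro: $distro" >&2; return 1; }
  # update-ca-certificates only picks up *.crt, so normalise the extension.
  cp "$cert" "$dir/$(basename "$cert" .pem).crt"
  $(trust_update_cmd "$distro")
}

# Extract the numeric code from the "Verify return code: N (...)" line that
# openssl s_client prints (input on stdin). Returns 1 if no such line exists.
verify_code() {
  code=$(awk '/Verify return code:/ { print $4; exit }')
  [ -n "$code" ] || return 1
  echo "$code"
}

# Handshake with host:port and succeed only when the chain verified (code 0).
# A non-zero code such as 19 means the CA was not found in the trust store.
check_ldaps() {
  host=$1; port=${2:-636}; capath=${3:-/etc/ssl/certs}
  code=$(openssl s_client -connect "$host:$port" -servername "$host" \
           -CApath "$capath" </dev/null 2>/dev/null | verify_code) || return 1
  [ "$code" = "0" ]
}

# Usage (assumed variable names): LDAPS_CA=/path/to/ca.crt LDAPS_HOST=ldap.example.com sh ldaps-check.sh
if [ -n "${LDAPS_HOST:-}" ]; then
  [ -z "${LDAPS_CA:-}" ] || install_ca "$(detect_distro)" "$LDAPS_CA"
  if check_ldaps "$LDAPS_HOST"; then echo "LDAPS chain verified for $LDAPS_HOST"
  else echo "LDAPS verification FAILED for $LDAPS_HOST" >&2; exit 1; fi
fi
```

Running check_ldaps before and after install_ca is the useful comparison: against a self-signed server certificate the first run reports code 19 (self signed certificate in certificate chain) and the second reports 0, which is the same transition the ldapsearch step depends on.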