I am working on a system that is on a closed network, with very limited access to the internet. We set up an nginx docker (config at the bottom) to handle SSL. The system has its own Certificate Authority, so we submitted a Certificate Signing Request and got the certificate back from them. When I put the cert and key into nginx, the cert was served, however it had an err_cert_authority_invalid error (see image). When I look at the CA URI it is an LDAP URL: ldap://{ldap stuff}
I can do an ldapsearch with the data from the cert's CA URI that returns the cACertificate.
The cert has an LDAP string as the certificate authority, which is not something I have worked with before, so I think I have all the things I need, but I am unsure how to put them together.
My best guess is that there is some issue with needing an LDAP client installed on the docker running nginx to resolve the CA? Or is it that I have to use ldapsearch to get the other certs and install them?
server {
    listen 443 default_server ssl ipv6only=off;
    server_name some.thing.edu;
    # Certificate returned by the CA. If the CA issued it via an intermediate,
    # nginx expects that intermediate appended to this same file, after the
    # server certificate, so that clients receive the whole chain.
    ssl_certificate /etc/ssl/certs/sigend.crt;
    ssl_certificate_key /etc/ssl/private/private.key;

    location / {
        proxy_pass http://app_web;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        # Pass the original host and client address through to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
}

I have worked through this; my misunderstanding was that the CA certs need to be on the browser side and are not validated on the server side.
However we still had an issue because we were connecting via a VPN and did not have SSO set up on our machines. We got around this by using an ldapsearch to pull back the certs, and then installing them directly into the key store and trusting them.
The base variable was the value of the Certificate Authority LDAP URI (without the ldap:// and with some URL decoding).
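The procedure the answer describes (take the ldap:// URI from the certificate, strip the scheme, URL-decode the DN, run ldapsearch against it, and turn the returned cACertificate into something a trust store accepts) as an added, self-contained example; it is not code from the original question or answer. The hostname, DN and LDIF output below are constructed for the example, and the certificate bytes are a placeholder rather than a real DER certificate. It goes a little beyond the post in that it handles LDIF line folding and a CA that carries more than one cACertificate value (as happens after a CA key renewal):

```python
"""Added example (not from the original post): go from the CA Issuers
ldap:// URI found in the served certificate to PEM text for a trust store.

Steps it covers:
  1. split the RFC 4516 LDAP URL (host, base DN, attributes, scope, filter),
     URL-decoding the DN, which is the "strip ldap:// and URL-decode" step;
  2. build the ldapsearch command line for it;
  3. turn the LDIF that ldapsearch prints (base64 cACertificate, folded
     lines, possibly several values) into DER, then PEM.

The DN, hostname and LDIF below are constructed for the example, and the
certificate bytes are a placeholder, not a real DER certificate.
"""
import base64
import re
import shlex
import subprocess
from urllib.parse import unquote, urlsplit


def parse_ldap_url(url):
    """Split ldap://[host[:port]]/DN[?attrs[?scope[?filter]]] into its parts.

    AD-style AIA URIs usually omit the host ("ldap:///CN=...") and percent-
    encode spaces in the DN. urlsplit cuts only at the first '?', so the
    attribute/scope/filter fields all land in .query and are split here.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % (url,))
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    flt = unquote(fields[2]) or "(objectClass=*)"
    if not flt.startswith("("):          # AD writes the filter without parens
        flt = "(%s)" % flt
    return {
        "scheme": scheme,
        "host": parts.hostname or "",
        "port": parts.port or (636 if scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in unquote(fields[0]).split(",") if a],
        "scope": unquote(fields[1]) or "base",
        "filter": flt,
    }


def ldapsearch_argv(url, host=None, extra=()):
    """Command line that fetches the attributes named in the URL.

    `host` overrides (or supplies) the directory server, since the URI often
    has none. Bind options (-x, -D/-W, -Y GSSAPI) go in `extra`; which one the
    directory accepts is site-specific, so none is assumed here.
    """
    u = parse_ldap_url(url)
    server = host or u["host"]
    if not server:
        raise ValueError("LDAP URL names no host; pass host= explicitly")
    uri = "%s://%s:%d" % (u["scheme"], server, u["port"])
    return (["ldapsearch", "-LLL", "-H", uri, "-b", u["base_dn"], "-s", u["scope"]]
            + list(extra) + [u["filter"]] + u["attributes"])


_CERT_LINE = re.compile(r"^cACertificate(?:;binary)?:: (\S+)$", re.IGNORECASE)


def ldif_to_ders(ldif_text):
    """Every cACertificate value in `ldapsearch -LLL` output, as DER bytes.

    LDIF folds long values onto continuation lines that begin with one space,
    and '::' marks a base64 value (how binary attributes are printed). A CA
    that has renewed its key can carry more than one value; all are returned.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return [base64.b64decode(m.group(1))
            for m in map(_CERT_LINE.match, unfolded) if m]


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def fetch_ca_pems(url, host=None, extra=()):
    """Run ldapsearch for real and return the CA certificate(s) as PEM text."""
    out = subprocess.run(ldapsearch_argv(url, host, extra),
                         check=True, capture_output=True, text=True).stdout
    return [der_to_pem(d) for d in ldif_to_ders(out)]


# Constructed sample input: an AD-style AIA URI and the LDIF ldapsearch would
# print for it. SAMPLE_DER is a placeholder, not a real certificate.
SAMPLE_URL = ("ldap:///CN=Campus%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,"
              "CN=Services,CN=Configuration,DC=example,DC=edu"
              "?cACertificate?base?objectClass=certificationAuthority")
SAMPLE_DER = b"0\x82\x01\x00 constructed placeholder, not a real certificate"
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_LDIF = ("dn: CN=Campus Issuing CA,CN=AIA,CN=Public Key Services,CN=Services,"
               "CN=Configuration,DC=example,DC=edu\n"
               "cACertificate;binary:: " + _B64[:40] + "\n " + _B64[40:] + "\n")

if __name__ == "__main__":
    print(shlex.join(ldapsearch_argv(SAMPLE_URL, host="dc1.example.edu")))
    for pem in (der_to_pem(d) for d in ldif_to_ders(SAMPLE_LDIF)):
        print(pem, end="")
```

Save each PEM block to a file and check it against the served certificate before trusting it (`openssl verify -CAfile campus-ca.pem sigend.crt`, with the file names being illustrative); on Debian/Ubuntu the file then goes under /usr/local/share/ca-certificates/ with a .crt extension followed by `update-ca-certificates`, and Firefox has to be given the certificate separately because it keeps its own NSS store. Only the CA certificate(s) belong in the client trust store; if the issuing CA is itself an intermediate, its certificate is also what nginx should append to the ssl_certificate file after the server certificate, so clients are sent the full chain.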