You can configure the Centrify OpenLDAP proxy service to automatically get the certificate, private key, and CA chain for secure LDAP (ldaps) connections. To configure automatic enrollment for certificates, however, you must have an Active Directory domain controller that you can use as a certification authority for issuing certificates.
The following steps summarize how to prepare the domain controller:
- Use Server Manager to add the Active Directory Certificate Services role to a domain controller.
- In the Add Roles wizard, select the Certification Authority role service and follow the prompts displayed to configure the server role.
- Open the Certificates MMC snap-in, select the domain controller certificate, right-click, then click Open.
- Select the Details tab, click Copy to file, then follow the prompts displayed to export the certificate to a file.
- From Administrative Tools, select Group Policy Management, then select an appropriate Group Policy Object for the forest and domain you want to edit.
- Right-click the Group Policy Object, then click Edit.
- Under Computer Configuration, expand Policies > Windows Settings > Security Settings, then select Public Key Policies.
- Select Trusted Root Certificate Authorities, right-click to select Import, then follow the prompts displayed to import the certificate.
- Select Certificate Services Client - Auto-Enrollment, then select Enabled.
- From Administrative Tools, select Certification Authority, expand the name of the domain controller you are using as the certification authority, then select Certificate Templates.
- Right-click to select Manage, select an appropriate template to use, such as the Computer template, right-click, then click Duplicate Template to open the properties page for the new template.
- Type an appropriate name for the new template, such as Centrify OpenLDAP Proxy.
Click the Security tab, select the Domain Computers group, select Allow for the Autoenroll permission, then click Apply.
You can set other properties on the remaining tabs, as needed. For example, you might want to click the Subject Name tab to change the subject name format to Fully distinguished name. When you are finished setting properties for the template, click OK.
- In the Certification Authority console, select Certificate Templates, right-click to select New, then click Certificate Template to Issue.
- Select the template you created, for example, select the Centrify OpenLDAP Proxy template, then click OK.