Add a New LDAP Certificate Data Source

LDAP certificate sources can be used to load user or CA certificates from a directory server. Certificates loaded from an LDAP certificate source can be registered as certificates on the Management Console certificates page and as certificate issuers on the Management Console certificate issuers page.

To view the LDAP Certificate Source page, click Add a new LDAP Certificate data source on the Data Sources page.

Create LDAP Certificate Data Source Description

  1. Enter a unique, descriptive Name to identify the data source.

    This is the unique identifying name of the data source (for example, ldap-certificate-source1). This distinguishes this source from the other data sources so that it can be referenced individually.

  2. To prevent data from being retrieved from the data source when the Data Sources job runs, clear the Enabled option.

  3. To use the data source only for registering new certificate issuers, and not for adding certificates to the certificates page, clear the Register Certificates option, and then select at least one of the three options in the Certificate Issuers area.

Configure the LDAP Query Parameters

  1. To enter basic default values for the directory server, select the appropriate template from the Choose the type of LDAP type to apply default values for drop-down list.

    If your directory server belongs to one of the listed CAs (Entrust, Verizon UniCERT, Microsoft, IdenTrust), select it from the Choose LDAP type drop-down list to apply the matching template.

    Otherwise, select Canonical CA.

    To erase all entered data from the form, select Clear all fields from this drop-down list.

  2. Specify the Directory URL that points to the LDAP directory that should perform the search. You can omit the default port (389 for LDAP and 636 for LDAPS), if desired.

  3. Enter the LDAP Base from which the search will be performed.

    This is the distinguished name of the tree entry from which the search starts. If it is an empty string, the search is relative to the root of the LDAP tree.

  4. Select the Scope from the drop-down list. The options are as follows:

    • Base - To search only the base entry.

    • One - To search for only the children of the base entry.

    • Sub - To search the base entry and all its descendants.

    This is the scope in which the search is performed.

  5. Enter an LDAP Filter to select records from the directory server.

    This is the LDAP search filter that indicates the search criteria to use for finding the records that hold certificate or CRL attributes. The syntax of the search filter is specified in RFC 2254, but the search string must be escaped to comply with proper XML formatting. In practical terms, this means that the ampersand (&) character must be replaced by &amp;, the left angle bracket (<) character by &lt;, and the right angle bracket (>) character by &gt;. The search filter may contain the special values {0} and {1}, which are replaced by the last known modification time and creation time from this data source, respectively. This can be used to filter out records that have already been retrieved.
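The following Python helper, added here as an illustration and not part of the product or its documentation, shows the two escaping layers described above: RFC 2254 value escaping inside the filter, then XML escaping of the whole string for the configuration, plus the runtime substitution of the {0} and {1} placeholders. The object class `pkiCA` and the `modifyTimestamp`/`createTimestamp` attributes are standard LDAP schema names chosen for the sample; the assumption that the product substitutes the placeholders with LDAP GeneralizedTime values is the author's of this example, not something the page states.

```python
"""Added example: prepare an LDAP certificate-source filter string.

Not part of the product documentation. Assumes timestamps are substituted
as LDAP GeneralizedTime (RFC 4517), e.g. 20240115103000Z.
"""
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# RFC 2254 value escaping: these characters must be written as \XX inside an
# assertion value so the server does not read them as filter syntax.
_RFC2254_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (e.g. a CN) for use inside an LDAP filter."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)


def check_filter_syntax(filter_str: str) -> bool:
    """Cheap sanity check: filter starts with '(' and parentheses balance.
    Escaped values never contain raw parentheses, so every '(' is syntax."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_str.startswith("(")


def build_incremental_filter(object_class: str = "pkiCA") -> str:
    """Filter for CA entries modified since the last run; {0} is the
    placeholder the data source fills with the last modification time."""
    return f"(&(objectClass={escape_filter_value(object_class)})(modifyTimestamp>={{0}}))"


def prepare_for_config(filter_str: str) -> str:
    """XML-escape a syntactically valid filter for storage in the
    configuration: & -> &amp;  < -> &lt;  > -> &gt;"""
    if not check_filter_syntax(filter_str):
        raise ValueError(f"malformed LDAP filter: {filter_str!r}")
    return escape(filter_str)


def to_generalized_time(ts: datetime) -> str:
    """Render a timezone-aware datetime as LDAP GeneralizedTime in UTC."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def render_filter(template: str, last_modify: datetime, last_create: datetime) -> str:
    """Substitute {0} (last modification time) and {1} (last creation time)
    the way the data source does before each query (assumed behaviour)."""
    return (template
            .replace("{0}", to_generalized_time(last_modify))
            .replace("{1}", to_generalized_time(last_create)))


if __name__ == "__main__":
    # Constructed sample: a CN containing characters that need escaping.
    print(escape_filter_value("Example (Root) CA*"))
    template = build_incremental_filter()
    print("stored in config:", prepare_for_config(template))
    last_run = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    print("sent to server:  ", render_filter(template, last_run, last_run))
```

The configuration holds the XML-escaped form; the value sent to the directory is the raw filter with the placeholders substituted. Keeping the two steps separate makes it easy to spot a filter that was double-escaped (an `&amp;amp;` in the stored string) or one whose value escaping was skipped.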

  6. Enter the Return Attribute List, the attributes that should be returned when searching the LDAP directory.

    This is the list of attributes that should be returned in the search of the LDAP directory for each entry. If this list is empty, then the search will return all of the attributes for each matching object in the directory.

  7. Enter the Certificate Attribute that contains the certificates.

    This is the attribute in the directory that contains the certificates. When an LDAP query for a record is made, the certificate is returned in this attribute.

  8. Enter the Cross Certificate Attribute.

    This is the attribute in the directory that contains cross certificate pairs. This property is used when requesting cross certificate pairs from the LDAP certificate source.

  9. Enter the name of the modification timestamp attribute in the Modify Time Attribute field.

    This is the name of the attribute that holds the modification timestamp for this data source.

  10. Enter the Principal.

    If set, this is the distinguished name of the directory user that will be performing the search on the LDAP directory. This typically corresponds to the DN of a specific user account on the LDAP directory that has permissions to perform the search. If this is not set, then the search will be anonymous.

  11. Enter the Credential.

    This is the credential used to authenticate the principal against the LDAP directory. It is only used if it is set and the principal is also set. In "simple" authentication mode, this is typically the password of the principal's account. If no credential is provided, an unauthenticated connection is attempted.
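As an added example, not part of the product or its documentation, the following Python checks the Directory URL (step 2) together with the Principal and Credential (steps 10 and 11) before they are saved: it applies the default ports named above (389 for ldap, 636 for ldaps), classifies the bind as anonymous, unauthenticated or simple, and flags a simple bind over plain ldap://, because a simple bind sends the credential in clear text unless the connection is protected by TLS. The function names and the warning texts are this example's own.

```python
"""Added example: review an LDAP certificate-source connection before saving it.

Not part of the product documentation; function names are illustrative.
"""
from typing import Optional
from urllib.parse import urlsplit

# Default ports stated in the documentation for the two supported schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_directory_url(url: str) -> dict:
    """Split a Directory URL into scheme, host, port and whether TLS is used.
    Fills in the default port when the URL omits it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError(f"no host in Directory URL {url!r}")
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "tls": scheme == "ldaps",
    }


def bind_mode(principal: Optional[str], credential: Optional[str]) -> str:
    """Map the Principal/Credential settings to the resulting bind type,
    following the behaviour described in steps 10 and 11."""
    if not principal:
        return "anonymous"          # no principal: anonymous search
    if not credential:
        return "unauthenticated"    # principal without credential
    return "simple"                 # DN + password (simple bind)


def review_connection(url: str, principal: Optional[str], credential: Optional[str]) -> dict:
    """Return the parsed connection, the bind mode and a list of warnings."""
    conn = parse_directory_url(url)
    mode = bind_mode(principal, credential)
    warnings = []
    if mode == "simple" and not conn["tls"]:
        warnings.append(
            "simple bind over ldap:// sends the credential in clear text; "
            "use ldaps:// (default port 636)"
        )
    if mode == "unauthenticated":
        warnings.append(
            "principal set without a credential: the directory may treat "
            "the bind as anonymous or reject it"
        )
    return {"connection": conn, "bind": mode, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample settings (hypothetical host and DN).
    for url, dn, pw in [
        ("ldap://dir.example.com", "cn=reader,dc=example,dc=com", "secret"),
        ("ldaps://dir.example.com:10636", None, None),
    ]:
        print(review_connection(url, dn, pw))
```

Run the review on every saved data source rather than only at creation time; the Modify workflow at the end of this page lets the URL change from ldaps to ldap without the credential changing, which is exactly the combination the check catches.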

Register Certificate Issuers Automatically

  1. To automatically register new certificate issuers using CA certificates retrieved from the data source, select one of the following certificate types that should be automatically registered:

    • Self-Signed CA Certificates - To automatically register self-signed CA certificates retrieved from this data source as certificate issuers.

    • Subordinate CA Certificates - To automatically register subordinate (not self-signed) CA certificates retrieved from this data source as certificate issuers.

    • Version 1 Certificates - To automatically register version 1 certificates retrieved from this data source as certificate issuers.

    If you do not select any of these boxes, then certificate issuers will not be registered automatically.

  2. After you have entered the necessary information to configure the data source, test the data source.

  3. Click Save Data Source to save it.

Modify an LDAP Certificate Data Source

  1. On the Data Sources page, click the magnifying glass icon to the left of the LDAP certificate data source whose parameters you want to modify.

  2. After you have entered the necessary information to modify the data source, test the data source.