4

LDAPS is working through ldp.exe and through a number of other programs on windows and linux systems that do not appear to require the Root Cert. at all. Some programs which use JSSE fail to connect after importing the root and intermediate CA into the cacerts truststore.

I've tested importing the LDAPS certificate present in NTDS\Personal (from AD) directly into cacerts, and in certain applications which use java, this causes secure LDAP to work.

In programs that use java and fail, when the Root certificate is imported I receive the error:

[Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed]

If I import the LDAPS certificate sometimes I receive the error:

[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints]

(even after commenting out java.security)

OR it starts working depending on the program using JRE; however, the common hurdle is that JRE universally doesn't seem to like the certificate chain based on the errors.

MY CDP/AIA are available by HTTP internally and all certificates are signed by a trusted private internal 2 tier Windows PKI.

openssl s_client -connect -showcerts domain:port

Returns the correct certificate chain, but also the error:

verify error:num=20:unable to get local issuer certificate

Which is evidently related to openssl not seeing the root certificate so even with -cafile addendum I get the same error, which may be telling, but the thumbprint in the certificate chain for the root Cert is the same as the -cafile so it would seem it should be right...

At this point I'm starting to think that 70% of all "How-to enable LDAPS with Java" are wrong (they all certainly contradict each-other enough), and that the rules for JAVA CAPS make more sense for why I'm being required to import the actual LDAPS cert rather than just trusting the Root Cert. https://docs.oracle.com/cd/E19509-01/820-3399/ggfrj/index.html

Edit: See answer

So does it sound like a configuration problem with my certificate or does it sound like something else Java specific is going on?

Phatmandrake
  • 91
  • 9
  • verify the rootCA is imported into cacerts using the instructions in https://docs.microsoft.com/en-us/azure/java-add-certificate-ca-store or in https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html – natxo asenjo Mar 23 '18 at 20:04

1 Answers1

5

Turns out I did everything technically correct in terms of setting up the PKI. The errors were because my certificates were signed with RSASSA-PSS. Java 1.8 doesn't support PKCS #1 v2.1.

I had to regenerate the entire certificate chain from from Root to Issuing CA. This required editing CAPolicy.inf

AlternateSignatureAlgorithm=1 to 0

Also the cmd line certutil -setreg ca\csp\alternatesignaturealgorithm 0

Needed to be manually specified as well.

It seemed like a certificate issue, but I never thought that signing compatibility would be the issue. Lesson Learned.

Related Issue: Microsoft Certificate Authority Provider Compatibilty

Related Sources: https://pkisolutions.com/pkcs1v2-1rsassa-pss/

Phatmandrake
  • 91
  • 9