I have concerns about the operational burden of uploading certificates for each of 20 domain controllers for each domain into each client (20 DCs x 3 domains x 4 clients = 240 SSL certificate imports).
This initial configuration is not a one-time concern because certificates periodically expire, and if the client is not updated when that occurs, it will be difficult to determine which certificate hasn’t been updated on which client. Instead of updating one certificate per domain controller per domain per client, I am expecting that I would be able to set up the certificate authority as a trusted certificate authority, or upload an intermediate certificate for each client. Under that configuration, the client would only maintain that one trusted certificate authority and would validate all the LDAP and AD certificates through certificate chaining.
Does an LDAP client require a copy of all certificates in the chain in order to validate a leaf certificate?
Would the existence of the full cert chain eliminate the need to import the leaf certificates from each domain controller into the client?
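The chaining behaviour the question describes can be checked directly with OpenSSL. The script below is an added example, not part of the original post and not tied to any particular LDAP client: it builds a throwaway three-tier PKI (root CA, issuing intermediate CA, one domain-controller leaf) in a temporary directory and then verifies the leaf three ways, with the client "trust store" holding only the root. All names (`Example Root CA`, `Example Issuing CA`, `dc01.corp.example`) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds root -> intermediate ->
# DC leaf and shows what a client that trusts only the root can verify.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles: CA certs need CA:TRUE + keyCertSign to be usable as
# chain links; the DC leaf gets serverAuth and a SAN for its DNS name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc01.corp.example\n' > dc.ext

# 1. Root CA (self-signed). This is the ONE cert the client imports.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1

# 2. Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1

# 3. Domain-controller leaf, signed by the intermediate (what LDAPS presents).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.corp.example" \
  -keyout dc.key -out dc.csr >/dev/null 2>&1
openssl x509 -req -in dc.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile dc.ext -out dc.pem >/dev/null 2>&1

# Client trusts only root.pem; the DC supplies the intermediate in the TLS
# handshake (-untrusted models that). Expected: verification succeeds, so no
# per-DC leaf import is needed.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem dc.pem >/dev/null 2>&1
}

# Same trust store, but the intermediate is NOT available (server does not
# send it and the client has not imported it). Expected: chain cannot be
# built and verification fails, even though the root is trusted.
verify_without_chain() {
  openssl verify -CAfile root.pem dc.pem >/dev/null 2>&1
}

# Client imports only the intermediate and treats it as an anchor. OpenSSL
# accepts that only with -partial_chain; other TLS stacks differ, so check
# the specific client before relying on intermediate-only trust.
verify_trusting_intermediate_only() {
  openssl verify -partial_chain -CAfile int.pem dc.pem >/dev/null 2>&1
}

# Self-check when run stand-alone.
if verify_with_chain; then echo "root trusted + intermediate presented: OK"; fi
if verify_without_chain; then echo "root trusted, no intermediate: OK (unexpected)"; else echo "root trusted, no intermediate: FAIL (expected)"; fi
if verify_trusting_intermediate_only; then echo "intermediate as anchor (partial chain): OK"; fi
```

The practical reading: a client needs a trust anchor (root, or an intermediate if its verifier allows partial chains) plus every intermediate between that anchor and the leaf. If each domain controller sends its full chain during the handshake, the client only has to hold the anchor; if a DC sends only its leaf, the client must have the intermediate locally or verification fails exactly as in `verify_without_chain`. Checking what a DC actually sends (for example with `openssl s_client -showcerts` against port 636) is the quickest way to tell which situation applies before committing to the one-certificate-per-client design.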