Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

TZ can't validate cert used with LDAP with CA cert installed

WS2019 DC, TZ350 & TZ400, both are v6.5.4.8-89n. Setting up LDAP auth against the DC.

I used PowerShell to create a self-cert on the DC whose subject is the FQDN of the DC. The TZs can ping the DC by FQDN. Used the FQDN to set up LDAP.

If the "Require valid certificate from server when using TLS" option is disabled, LDAP auth works using TLS.

If "Require valid certificate from server when using TLS" is enabled, LDAP tests fail with this error: "error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)".

I've exported the self-cert to a .CER file and imported on the TZs. In the certificates list, the "Validated" column is empty. I'm guessing that's root cause; how do I get it to validate?

Category: Entry Level Firewalls
Reply

Best Answers

  • CORRECT ANSWER
    BWCBWC Cybersecurity Overlord ✭✭✭
    Accepted Answer

    @JRVcst do you run your own CA (which you should do) or did you issued a simple self-signed server certificate for your LDAP?

    IMHO the Certificate will only be listed as validated if it got issued by a trusted CA.

    I guess the keyUsage of your cert only covers digitalSignature, nonRepudiation, keyEncipherment, keyAgreement? If it holds Certificate Sign and CRL Sign as well you might import it as CA again.

    --Michael@BWC

  • CORRECT ANSWER
    TKWITSTKWITS All-Knowing Sage ✭✭✭✭
    Accepted Answer

    I have never gotten a self-signed cert from a DC to work for LDAP. The underlying requirements for trusting a self-signed cert aren't available to the Sonicwall. As BWC said you need proper certificate infrastructure in place.

    Certificates are 'Validated' when multiple checks pass (from a trusted CA, cert includes entire certificate chain, the signing request was generated by the sonicwall, etc.).

Answers

  • JRVcstJRVcst Newbie ✭

    No CA here since Windows SBS went away. So if the TZ won't allow the self-cert as a CA cert, that explains it, and we'll just not validate.

    Very small system; a church with 10 users. Agreed, Private CAs are Good Things, and yeah, we should create a PKI. But they're seldom used on systems this tiny. There's a lot of things that should be done in microbusiness IT that aren't done because there's no way to get it done in a few hours per month.

    Since they weren't even using SSL until their DC was migrated from WS2012 to WS2019, they've already taken the biggest leap forward! Encryption without validation will have to suffice for the forseeable future.

    Thanks for the explanation! it's good to understand the reasons why. The only documentation I found--and IIRC it was in a 3rd party blog of unknown veracity--was that the cert had to have the Server Authentication OID, which it does.

  • TKWITSTKWITS All-Knowing Sage ✭✭✭✭

    "There's a lot of things that should be done in microbusiness IT that aren't done because there's no way to get it done in a few hours per month."

    Less about having time to do it, more that the businesses do not see a need to get things done the right way. Societal problems are a discussion for another time...

Sign In or Register to comment.