LDAP Profile Verify Server Certificate for SSL

DawgsFan · ‎07-13-2020

This option is selected if the firewall wants to verify the directory server before SSL/TLS communication is started.

For additional resources regarding BPA, visit our LIVEcommunity BPA tool page.

View videos regarding BPA Network best practice checks.

View videos regarding BPA Policies best practice checks.

View videos regarding BPA Objects best practice checks.

View videos regarding BPA Device best practice checks.

You may also view other BPA video playlist on the LIVEcommunity YouTube channel.

Toivo · ‎06-14-2021

We're having a challenge mitigating this, as our LDAP servers are signed by our internal CA, not by one of the public CAs in the "Default Trusted Certificate Authorities" list. I don't see any way to add our trusted enterprise CA to that list, only to the "Device Certificates" list, which the LDAP certificate check does not check for CA certs. So it appears there is no way to trust an LDAP server cert based on your own PKI CA cert?

We also cannot import the individual LDAP server certificates to the device certificates due to a missing subject field, that's an internal issue -- but in any event, importing the specific LDAP server certificate is a borderline unacceptable solution, as now with every server lifecycle, addition of a new server into the LDAP backend pool etc. we have to manually add and remove certificates on the firewalls and Panorama, instead of simply relying on the trust from our CA, and this pretty much guarantees a service affecting issue down the road.

almargaris · ‎06-14-2021

@Toivo Hello, are you referring to a particular Best Practice check or is this a separate issue? If this is not related to the Best Practice Assessment, please create a support ticket and it will be addressed. Thanks.

Unlock your full community experience!

LDAP Profile Verify Server Certificate for SSL

LDAP Profile Verify Server Certificate for SSL