LDAP Profile Verify Server Certificate for SSL
Select this option if the firewall should verify the directory server's certificate before SSL/TLS communication is started.
We're having a challenge mitigating this, as our LDAP servers are signed by our internal CA, not by one of the public CAs in the "Default Trusted Certificate Authorities" list. I don't see any way to add our trusted enterprise CA to that list, only to the "Device Certificates" list, which the LDAP certificate check does not check for CA certs. So it appears there is no way to trust an LDAP server cert based on your own PKI CA cert?
We also cannot import the individual LDAP server certificates to the device certificates due to a missing subject field; that's an internal issue -- but in any event, importing the specific LDAP server certificate is a borderline unacceptable solution, as now with every server lifecycle, addition of a new server into the LDAP backend pool, etc., we have to manually add and remove certificates on the firewalls and Panorama, instead of simply relying on the trust from our CA, and this pretty much guarantees a service affecting issue down the road.
@ToivoVoll Hello, are you referring to a particular Best Practice check or is this a separate issue? If this is not related to the Best Practice Assessment, please create a support ticket and it will be addressed. Thanks.