We're having a challenge mitigating this, as our LDAP servers are signed by our internal CA, not by one of the public CAs in the "Default Trusted Certificate Authorities" list. I don't see any way to add our trusted enterprise CA to that list, only to the "Device Certificates" list, which the LDAP certificate check does not consult for CA certs. So it appears there is no way to trust an LDAP server cert based on your own PKI CA cert?

We also cannot import the individual LDAP server certificates into the device certificates due to a missing subject field (that's an internal issue), but in any event, importing the specific LDAP server certificate is a borderline unacceptable solution: now, with every server lifecycle, addition of a new server into the LDAP backend pool, etc., we have to manually add and remove certificates on the firewalls and Panorama instead of simply relying on the trust from our CA, and this pretty much guarantees a service-affecting issue down the road.
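The difference between trusting the issuing CA and importing each server certificate, shown as an added example that is not part of the original post and not Palo Alto Networks code: the script builds a throwaway internal CA with openssl, issues certificates for two LDAP servers from it, then verifies them the way a CA-anchored trust store would. Every server the CA issued verifies against the single CA certificate, a server added to the pool later verifies with no change to the trust store, and a certificate from an unrelated CA is rejected. The CA and host names (corp-internal-ca, other-ca, ldap1.corp.example and so on) are assumptions for the demonstration; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post or from Palo Alto Networks.
# Builds a throwaway internal CA, issues LDAP server certs from it, and
# checks them against the CA cert the way a CA-anchored trust store would.
# CA and host names below are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: one profile for the CA, one for a TLS server.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder (overridden by -subj on the command line)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_ca NAME: self-signed CA cert and key as $WORK/NAME.crt and NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_server_cert HOST CA: server cert for HOST, signed by CA's key
issue_server_cert() {
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against HOST ANCHOR: prints "trusted" if HOST's cert chains to
# the ANCHOR cert alone, "untrusted" otherwise (mirrors a trust store that
# holds only the CA certificate, not the individual server certificates).
verify_against() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Build the scenario: the internal CA, an unrelated CA, two pool members
# issued by the internal CA and one server issued by the other CA.
setup_scenario() {
    make_ca corp-internal-ca
    make_ca other-ca
    issue_server_cert ldap1.corp.example corp-internal-ca
    issue_server_cert ldap2.corp.example corp-internal-ca
    issue_server_cert rogue.example other-ca
}

setup_scenario
echo "ldap1 vs internal CA:  $(verify_against ldap1.corp.example corp-internal-ca)"
echo "ldap2 vs internal CA:  $(verify_against ldap2.corp.example corp-internal-ca)"
echo "rogue vs internal CA:  $(verify_against rogue.example corp-internal-ca)"
echo "ldap1 vs other CA:     $(verify_against ldap1.corp.example other-ca)"

# A pool member added later needs no change to the trust store at all,
# which is the maintenance property the per-server import approach loses.
issue_server_cert ldap3.corp.example corp-internal-ca
echo "ldap3 (added later):   $(verify_against ldap3.corp.example corp-internal-ca)"
```

The same `openssl verify -CAfile` check, run against a real LDAP server's certificate (exported with `openssl s_client -connect host:636 -showcerts`), is a quick way to confirm that the servers really do chain to the enterprise CA before attributing a failure to the firewall's trust store. Note that the example certificates carry a subject CN and no subjectAltName; production server certificates should carry the host name in a SAN, since that is what most TLS clients match.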