cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2403
Views
0
Helpful
3
Replies

Cisco duo ldaps certificate

Hello,

Can someone explain me how to generate the right type of certificate to use ldaps connection between AD and DUO proxy ?
I have SSL install on my Windows.

Cause i have tried multiples solutions, but each time, I get this error message in my proxy log folder like "There was a problem with the TLS cert. Verify the correct CA certificate was specified"

Do I have to export the certif with the private key ?

Best,

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
Cisco Employee

Are you trying to use LDAPS in the ad_client config for the Duo Authentication Proxy to perform primary auth against your AD domain controller?

For this the Duo proxy server DOES not need the private key, so do not export it or specify it in the config.

An AD domain controller will accept LDAPS connections when it is configured with an SSL certificate, either self-signed or issued by a CA.

These are Microsoft's instructions for enabling LDAPS with a third-party cert: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

If the domain controller cert is issued by a third-party or enterprise CA, Duo Authentication Proxy does not need you to copy the DC's issued cert or the DC's issued cert's private key to the proxy. When the Duo Authentication proxy makes the LDAPS connection to the domain controller, it needs to verify the SSL certificate sent by the domain controller in the server HELLO against a known CA certificate or certificate chain. This CA certificate or certificate chain is what you need to copy to your Duo proxy server and specify as the value of ssl_ca_certs_file in the ad_client section of authproxy.cfg,

The only time you would copy the domain controller's actual issued cert to the Duo proxy to use as ssl_ca_certs_file is if the domain controller is using a self-signed certificate. Self-signed certificates do have a specific key usage requirement to be used with Duo. The self-signed certificate's key usage should include "Certificate Signing", which is mentioned in the ad_client configuration description in the Duo Authentication Proxy documentation.

Additionally, as of Authentication Proxy version 6.0.2 any SSL certificate issued to your domain controller must use SHA-256.

"If you use a self-signed certificate to secure LDAPS communications to your directory server,  Starting with Authentication Proxy version 6.0.0, the self-signed certificate issued to the domain controller or directory server must use SHA256 or greater."

The error you mentioned "There was a problem with the TLS cert. Verify the correct CA certificate was specified" sounds like whatever you specified for ssl_ca_certs_file does not actually contain the correct issuer information for the certificate used by your domain controller for SSL/LDAPS.

Here is the full description of ssl_ca_certs_file from the Authentication Proxy reference:

Path to a file containing the CA certificate(s) to be used to validate SSL/TLS connections to your Active Directory server. If you enable SSL/TLS connections to your Active Directory or LDAP server, you should specify a value for this option. Certificates should be PEM-formatted.

By default, no certificate validation will be performed, which significantly compromises the security properties offered by SSL/TLS.

In order to secure LDAP connections to your directory server using LDAPS or STARTTLS protocols, you'll need the PEM formatted certificate of the certificate authority (CA) that issued your AD domain controller's or LDAP directory server's SSL certificate.

To obtain the PEM formatted version of an AD domain controller certificate's issuing CA certificate, view the "Certification Path" tab of the DC's certificate properties and double-click the issuing certificate to view it. Export the issuing CA certificate as a Base-64 encoded X.509 (CER) format.

If you have intermediate CAs in your certificate issuer chain, export all the certs (such as the root CA and the intermediate CA) in the certification path as CER files and then combine them into one file using a text editor.

If you use a self-signed certificate to secure LDAPS communications to your directory server, the certificate's key usage should include "Certificate Signing". Starting with Authentication Proxy version 6.0.0, the self-signed certificate issued to the domain controller or directory server must use SHA256 or greater.

Duo, not DUO.

View solution in original post

3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

Are you trying to use LDAPS in the ad_client config for the Duo Authentication Proxy to perform primary auth against your AD domain controller?

For this the Duo proxy server DOES not need the private key, so do not export it or specify it in the config.

An AD domain controller will accept LDAPS connections when it is configured with an SSL certificate, either self-signed or issued by a CA.

These are Microsoft's instructions for enabling LDAPS with a third-party cert: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

If the domain controller cert is issued by a third-party or enterprise CA, Duo Authentication Proxy does not need you to copy the DC's issued cert or the DC's issued cert's private key to the proxy. When the Duo Authentication proxy makes the LDAPS connection to the domain controller, it needs to verify the SSL certificate sent by the domain controller in the server HELLO against a known CA certificate or certificate chain. This CA certificate or certificate chain is what you need to copy to your Duo proxy server and specify as the value of ssl_ca_certs_file in the ad_client section of authproxy.cfg,

The only time you would copy the domain controller's actual issued cert to the Duo proxy to use as ssl_ca_certs_file is if the domain controller is using a self-signed certificate. Self-signed certificates do have a specific key usage requirement to be used with Duo. The self-signed certificate's key usage should include "Certificate Signing", which is mentioned in the ad_client configuration description in the Duo Authentication Proxy documentation.

Additionally, as of Authentication Proxy version 6.0.2 any SSL certificate issued to your domain controller must use SHA-256.

"If you use a self-signed certificate to secure LDAPS communications to your directory server,  Starting with Authentication Proxy version 6.0.0, the self-signed certificate issued to the domain controller or directory server must use SHA256 or greater."

The error you mentioned "There was a problem with the TLS cert. Verify the correct CA certificate was specified" sounds like whatever you specified for ssl_ca_certs_file does not actually contain the correct issuer information for the certificate used by your domain controller for SSL/LDAPS.

Here is the full description of ssl_ca_certs_file from the Authentication Proxy reference:

Path to a file containing the CA certificate(s) to be used to validate SSL/TLS connections to your Active Directory server. If you enable SSL/TLS connections to your Active Directory or LDAP server, you should specify a value for this option. Certificates should be PEM-formatted.

By default, no certificate validation will be performed, which significantly compromises the security properties offered by SSL/TLS.

In order to secure LDAP connections to your directory server using LDAPS or STARTTLS protocols, you'll need the PEM formatted certificate of the certificate authority (CA) that issued your AD domain controller's or LDAP directory server's SSL certificate.

To obtain the PEM formatted version of an AD domain controller certificate's issuing CA certificate, view the "Certification Path" tab of the DC's certificate properties and double-click the issuing certificate to view it. Export the issuing CA certificate as a Base-64 encoded X.509 (CER) format.

If you have intermediate CAs in your certificate issuer chain, export all the certs (such as the root CA and the intermediate CA) in the certification path as CER files and then combine them into one file using a text editor.

If you use a self-signed certificate to secure LDAPS communications to your directory server, the certificate's key usage should include "Certificate Signing". Starting with Authentication Proxy version 6.0.0, the self-signed certificate issued to the domain controller or directory server must use SHA256 or greater.

Duo, not DUO.

I finaly mounted a root CA and a intermediate CA to solve my problem...

But i will try another time to generate a certificate by command.

Thank you for these informations.

withdrawn

Quick Links