12-08-2021 08:36 AM
Hi Experts,
We have Cisco ASA with SFR modules being managed by FMC. Currently, we're using the LDAP server 'domain.com', which resolves to multiple AD servers, and the port used is TCP/389.
We've been asked to change it to secure LDAP (TCP/636), and in this case we're not sure which AD server's cert should be uploaded into FMC, since the name resolves to multiple AD servers.
Can someone please assist? Thanks in advance.
12-08-2021 08:39 AM
Hi @Srinivasan Nagarajan, you'll need to upload the root and intermediate root certificates to the FMC in order to trust the AD server's identity certificate.
12-08-2021 08:53 AM
Thanks @Rob Ingram
We've configured 'domain.com' in the primary server config, which is resolving to multiple AD servers. So, in this case, do we need to upload the wildcard cert of this Root AD server?
Also, as given here, it shows the Root cert of the AD server to be uploaded. Can you please suggest where to upload the intermediate and identity certs of the server?
12-08-2021 09:04 AM
@Srinivasan Nagarajan see section 5 of that guide, step 2.
Step 2. Upload the certificate of the CA who signed the server's certificate. The certificate must be in PEM format.
So export the root certificate of the certificate that signed the server's certificate and import in step 2.
12-08-2021 09:13 AM - edited 12-08-2021 09:23 AM
Thanks a lot @Rob Ingram for taking the time to reply to this.
Will only the Root CA cert suffice, or do we need to add the Intermediate and Identity certs as well? If yes, can you please suggest where to upload these into FMC, as step 5 only mentions Root certs?
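The checks behind Rob's step 2 advice (which CA signed the server cert, whether the root alone verifies it, and whether the file is PEM), as an added example that is not part of this thread or of any Cisco guide. It builds a constructed root CA, issuing CA and server cert for a made-up DC name with openssl; in a real environment the server cert would instead come from `openssl s_client -connect <dc>:636 -showcerts`.

```shell
#!/bin/sh
# Added example (not from the thread): constructs a root CA -> issuing CA ->
# LDAPS server cert chain, then runs the checks worth doing before uploading
# a CA certificate to the FMC. All names, keys and certs are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed) and an issuing (intermediate) CA signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null

# Server cert for one (made-up) domain controller, issued by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dc1.example.test\n' > srv.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc1.example.test" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile srv.ext -out srv.pem 2>/dev/null

# Who signed the server certificate? That issuer is the CA whose cert step 2 asks for.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Does the given trust bundle verify the server cert? Prints OK or FAIL.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}

# The guide wants PEM; a .cer exported from Windows is often binary DER instead.
is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && echo PEM || echo DER; }

# With a two-tier PKI the root alone cannot verify the server cert unless the
# intermediate is also available; a bundle of root + intermediate can.
cat root.pem int.pem > bundle.pem
openssl x509 -in root.pem -outform DER -out root.der
echo "issuer:            $(issuer_of srv.pem)"
echo "root only:         $(verify_chain root.pem srv.pem)"    # FAIL
echo "root+intermediate: $(verify_chain bundle.pem srv.pem)"  # OK
echo "root.der: $(is_pem root.der), root.pem: $(is_pem root.pem)"
```

To convert a DER export to the PEM form the guide requires, `openssl x509 -inform DER -in root.der -out root.pem` does it.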