000016493 - How to obtain and install the Windows rootCA certificate from a domain controller to use for LDAPS and secure the identity source over port 636 with RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000016493
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  7.1, 3.0
Platform:  External identity sources running on Windows 2008, 2003 using Microsoft Certificate Manager signing authority.
IssueThere is no documentation on how to obtain the rootCA.cer from an Active Directory domain controller to use for secure https against an Active Directory identity source via port 636
  1. Log in DIRECTLY to the domain controller.  Do not browse to it.  Either RDP to the server or login directly from a monitor/keyboard on the domain controller.
  2. Using IE, browse to https://localhost:636.
  3. You will be allowed to view the local certificate when it is presented.
  4. Select the rootCA certificate and save it using 509 encoded type.   Using the rootCA is highly desirable because the length of validity of the cert.  A host cert issued from the Microsoft certificate authority typically expires in one year which requires an update annually.
  5. In the Operations Console, select Deployment Configuration Certificates > Identity Source Certificates >Add New >Add New Certificate.
  6. Add a certificate name.
  7. Browse to the downloaded rootCA certificate saved during steps 1 through 4.
  8. Click Save.
  9. You may now use ldaps://<fqdn of domain controller>:636 for your identity source URL.
Legacy Article IDa53731