
LDAP as a Certificate authority

I am working on a system that is on a closed network, with very limited access to the internet. We set up an nginx docker container (config at the bottom) to handle SSL. The system has its own Certificate Authority, so we submitted a Certificate Signing Request and got the certificate back from them. When I put the cert and key into nginx, the cert was served, however it had an ERR_CERT_AUTHORITY_INVALID error (see image). When I look at the CA URI, it is an LDAP URL: ldap://{ldap stuff}

I can do an ldapsearch with the data from the cert's CA URI that returns the cACertificate.

The cert has an LDAP string as the certificate authority, which is not something I have worked with before, so I think I have all the things I need, but I am unsure how to put them together.

My best guess is that there is some issue with needing an LDAP client installed on the docker container running nginx to resolve the CA? Or is it that I have to use ldapsearch to get the other certs and install them?

server {
    listen 443 default_server ssl ipv6only=off;
    server_name some.thing.edu;

    # The file named by ssl_certificate must contain the server cert first, followed by
    # any intermediate CA certs, otherwise clients cannot build the chain to a trusted root.
    ssl_certificate /etc/ssl/certs/sigend.crt;
    ssl_certificate_key /etc/ssl/private/private.key;

    location / {
        # Reverse proxy to the upstream app; the forwarded headers let it see the
        # original client address, host and scheme instead of nginx's own.
        proxy_pass         http://app_web;
        proxy_redirect     off;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_buffer_size           128k;
        proxy_buffers               4 256k;
        proxy_busy_buffers_size     256k;
    }
}


I have worked through this; my misunderstanding was that the CA certs need to be on the browser side and not validated on the server side.

However, we still had an issue because we were connecting via a VPN and did not have SSO set up on our machines. We got around this by using an ldapsearch to pull back the certs, and then installing them directly into the key store and trusting them.

# -b is the DN taken from the cert's CA URI; quote it, since AD DNs contain spaces.
# -H takes a full LDAP URL (the older -h host form is deprecated in OpenLDAP 2.5+).
ldapsearch -x -D "$adminDN" -w "$pass" -H "ldap://$ldapHost" -b "$base"

The base variable was the value of the Certificate Authority LDAP URI (without the ldap:// and with some un-URL-encoding).
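The steps in the answer above (read the ldap:// CA Issuers URI out of the cert's Authority Information Access extension, un-URL-encode the DN, run ldapsearch against it, turn the returned cACertificate into PEM, and check that the served cert actually chains to it) can be scripted. The following is an added example and not code from the original question or answer. Everything it relies on is an assumption: the default LDAP host ldap.example.edu, the bind DN and password passed on the command line, the file names, and the constructed sample strings used in the docstrings. It needs the openssl and ldapsearch binaries on PATH when run for real; the parsing helpers run offline.

```python
"""Resolve a certificate's ldap:// CA Issuers URI, fetch the CA cert(s) with
ldapsearch, write them as PEM and verify the served cert against them.

Added example, not code from the original post.  Hypothetical inputs: the
default LDAP host, the bind DN/password on the command line, the file names,
and the constructed sample strings in the docstrings.
"""
import base64
import re
import subprocess
import sys
import textwrap
from urllib.parse import unquote, urlsplit

# `openssl x509 -noout -text` prints one "CA Issuers - URI:<uri>" line per AIA entry
AIA_LDAP_RE = re.compile(r"CA Issuers - URI:(ldap://\S+)")


def aia_ldap_uris(x509_text):
    """Return the ldap:// CA Issuers URIs found in openssl's text dump."""
    return AIA_LDAP_RE.findall(x509_text)


def parse_ldap_uri(uri, default_host="ldap.example.edu"):
    """Split an RFC 4516 URI, ldap://host/dn?attrs?scope?filter, into parts.
    AD-issued certs usually omit the host (ldap:///CN=...), so default_host (an
    assumption) fills in.  The DN is percent-decoded: that is the "un-URL-encoding"
    needed before it can be passed to ldapsearch -b."""
    parts = urlsplit(uri)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap:// URI: %s" % uri)
    attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.netloc or default_host,
        "base": unquote(parts.path.lstrip("/")),
        "attr": attrs or "cACertificate",
        "scope": scope or "base",
        "filter": unquote(flt) or "(objectClass=*)",
    }


def ldapsearch_argv(p, bind_dn, password):
    """ldapsearch command line; ldif-wrap=no keeps each base64 value on one line."""
    flt = p["filter"] if p["filter"].startswith("(") else "(%s)" % p["filter"]
    return ["ldapsearch", "-x", "-LLL", "-o", "ldif-wrap=no",
            "-H", "ldap://" + p["host"], "-D", bind_dn, "-w", password,
            "-b", p["base"], "-s", p["scope"], flt, p["attr"]]


def ldif_binary_values(ldif, attr):
    """DER blobs of every `attr::` (base64) value in an LDIF document; folded
    continuation lines start with one space and are re-joined before decoding."""
    values, current = [], None
    for line in ldif.splitlines() + [""]:   # "" sentinel flushes the last value
        if current is not None and line.startswith(" "):
            current.append(line[1:])
            continue
        if current is not None:
            values.append(base64.b64decode("".join(current)))
            current = None
        if line.startswith(attr + ":: "):
            current = [line[len(attr) + 3:]]
    return values


def der_to_pem(der):
    """Wrap DER bytes in the PEM armour openssl and trust stores expect."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def openssl(args, data=None):
    return subprocess.run(["openssl"] + args, input=data, check=True,
                          capture_output=True, text=True).stdout


def fetch_chain(signed_crt, bind_dn, password, out="ca-chain.pem"):
    """Follow AIA links upward from signed_crt until no new ldap:// URI appears:
    an intermediate CA's own cert carries its own AIA, so one hop may not suffice."""
    pems, todo, seen = [], [open(signed_crt).read()], set()
    while todo:
        text = openssl(["x509", "-noout", "-text"], todo.pop())
        for uri in aia_ldap_uris(text):
            if uri in seen:
                continue
            seen.add(uri)
            p = parse_ldap_uri(uri)
            ldif = subprocess.run(ldapsearch_argv(p, bind_dn, password), check=True,
                                  capture_output=True, text=True).stdout
            fetched = [der_to_pem(d) for d in ldif_binary_values(ldif, p["attr"])]
            pems += fetched
            todo += fetched
    with open(out, "w") as fh:
        fh.write("".join(pems))
    # The check that matters: the served cert must chain to what LDAP handed back.
    print(openssl(["verify", "-CAfile", out, signed_crt]))


if __name__ == "__main__":
    fetch_chain(*sys.argv[1:4])  # usage: script.py signed.crt BIND_DN PASSWORD
```

Two caveats when running this for real: `-x` with `-w` is a simple bind, so over plain `ldap://` the password crosses the wire in clear and also shows up in `ps` output; prefer `ldaps://` (or `-ZZ` for StartTLS) and `-W`/`-y passwordfile`. And if `openssl verify` passes against `ca-chain.pem`, that file is what to import into the client-side trust store; if the issuer turned out to be an intermediate, its cert also belongs after the server cert in the file nginx serves via `ssl_certificate`.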

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
