How to get OpenSSL to recognise an Active Directory CA


This is a how-to for getting OpenSSL on a Linux client to recognise (that is, trust) the certificate of a Microsoft Active Directory Certificate Services CA [1], so that tools built on OpenSSL, such as the OpenLDAP client, can validate LDAPS connections to your domain controllers.

Obtain the CA Certificate from AD#

On your Certificate Authority, export the CA's certificate (the CA's public key plus its identity; the private key never leaves the CA).
  1. Click Start -> Administrative Tools -> Certification Authority to open the CA Microsoft Management Console (MMC) GUI.
  2. Highlight the CA and right-click to select Properties.
  3. On the General tab, click View Certificate.
  4. Select the Details tab, and click the Copy to File... button on the lower right corner of the window.
  5. Use the Certificate Export Wizard to save the CA certificate in a file. Note: save the CA certificate in "Base-64 encoded X.509 (.CER)" format rather than the binary DER encoding. OpenSSL can read both, but the rest of this page assumes the Base-64 (PEM) form.

Transfer this file to the (Linux) client.#

You can just rename the file to .pem: a .pem file is nothing more than the Base-64 encoding of the DER X.509 data between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, which is exactly what the export wizard wrote. (If you exported DER by mistake, the openssl x509 command's -inform der option converts it.)

If you don't have access to your forest's CA, you can still pull individual certificates directly over the network. Be clear about what you get that way, though: a server hands out its own certificate (and, depending on its configuration, the intermediate chain), not necessarily the root CA certificate, and nothing authenticates a certificate fetched over the wire. Compare its fingerprint with what the AD administrators publish before you trust it.

This script[2] will obtain a certificate from a server:

    # usage: retrieve-cert.sh remote.host.name [port]
    REMHOST=$1; REMPORT=${2:-443}
    # stdin from /dev/null makes s_client exit after the handshake; sed keeps only the PEM block(s)
    openssl s_client -connect "${REMHOST}:${REMPORT}" -servername "${REMHOST}" </dev/null 2>&1 |
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

With stdin redirected from /dev/null the connection closes on its own. If you run s_client by hand without that redirect, you'll typically have to press Ctrl+C to close it, since the remote server is waiting for some sort of input.

You might point this at a domain controller on port 636 (LDAPS) to download its certificate. What comes back is the DC's own server certificate; the issuing CA's certificate is only present if the DC sends its chain (add -showcerts to s_client to see everything it sends, and note that the sed range above then prints every certificate in the chain, so split the output before using it). In a single-tier AD CS deployment the DC's certificate is often issued directly by the CA you want, so the issuer of the downloaded certificate tells you which CA certificate to obtain.

Locate your certs directory#

Where your system keeps the certificate authorities it trusts varies by distribution. You can always locate OpenSSL's configured base directory with the command:
   openssl version -a | grep OPENSSLDIR
The hashed certificate directory is the certs subdirectory of that path (for example /etc/pki/tls/certs on Red Hat derived systems and /etc/ssl/certs on Debian derived ones). Place the certificate from your Windows machine in this directory.

Note that current distributions manage this directory with a tool that regenerates it from a source directory: update-ca-trust with /etc/pki/ca-trust/source/anchors/ on Red Hat derived systems, update-ca-certificates with /usr/local/share/ca-certificates/ (the file must end in .crt) on Debian derived ones. On those systems, drop the CA file into the source directory and run the tool instead of linking by hand, otherwise the next run of the tool may remove your manual link.

Link the CA Certificate#

OpenSSL does not read every file in the certs directory. It computes a hash of each certificate's subject name and looks for a file named after that hash, so a CA file is only found if a link with that name exists. You can determine the hash (say for the file unityCA.cer.pem) with a command like:
   openssl x509 -noout -hash -in unityCA.cer.pem
It is possible for more than one certificate to have the same hash value (two CAs with the same subject name, or the old and the renewed certificate of one CA). In such a case, a suffix of .0 to .9 is appended to make a unique link; OpenSSL tries .0 first and keeps going until it finds a certificate that matches. Note that -hash produces the hash scheme of the OpenSSL version you run it with: OpenSSL 1.0.0 changed the subject-hash algorithm, so links created by a 0.9.8 build are not found by later releases and vice versa. The c_rehash script (openssl rehash in 1.1.0 and later) creates links under both schemes for every certificate in a directory and is the usual way to do this.

Here's a script[2] that will create the proper links for OpenSSL to use your new certificate file.

    # usage: certlink.sh filename [filename ...]
    # Run it from inside the certs directory: the links are created in the
    # current directory and point at each filename exactly as given.

    for CERTFILE in "$@"; do
      # make sure file exists and is a valid cert
      test -f "$CERTFILE" || continue
      HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
      test -n "$HASH" || continue

      # use lowest available iterator for symlink
      for ITER in 0 1 2 3 4 5 6 7 8 9; do
        test -e "${HASH}.${ITER}" && continue
        ln -s "$CERTFILE" "${HASH}.${ITER}"
        test -L "${HASH}.${ITER}" && break
      done
    done
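The following is an added, self-contained walk-through of the last two sections and of the leaf-versus-CA point that comes up when pulling a certificate off a server; it was written for this page and is not one of the scripts from [2]. It builds a throwaway "AD CA" and "domain controller" certificate pair with openssl (constructed test data standing in for the exported unityCA.cer.pem and for what s_client would hand you from dc00.unity.ad.ncsu.edu), classifies each file as CA or leaf, and shows that copying the CA into a -CApath directory is not enough until the subject-hash link exists. It assumes a POSIX sh and an OpenSSL command line of 1.0.0 or later (for -subject_hash and -issuer_hash); the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page (not the original scripts): exercise the
# hash-link lookup that OpenSSL's -CApath / TLS_CACERTDIR relies on.
set -eu

WORK=$(mktemp -d)            # scratch area, removed on exit
CAPATH="$WORK/certs"         # stand-in for /etc/pki/tls/certs
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT

# make_test_pki DIR: constructed test data. ca.cer.pem plays the exported AD CA
# certificate, dc.cer.pem the LDAPS certificate a domain controller presents.
# The inline config gives the CA certificate CA:TRUE on every OpenSSL version.
make_test_pki() {
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'commonName = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=unity-AD-CA' -keyout "$dir/ca.key" -out "$dir/ca.cer.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=dc00.unity.ad.ncsu.edu' -keyout "$dir/dc.key" -out "$dir/dc.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/dc.csr" -CA "$dir/ca.cer.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/dc.cer.pem" >/dev/null 2>&1
}

# cert_role FILE: prints "ca" if the certificate is self-issued and flagged
# CA:TRUE, otherwise "leaf". s_client against a DC normally gives you a leaf,
# which is not what belongs in the certs directory.
cert_role() {
    sub_h=$(openssl x509 -noout -subject_hash -in "$1")
    iss_h=$(openssl x509 -noout -issuer_hash -in "$1")
    if [ "$sub_h" = "$iss_h" ] && openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# link_cert FILE: create the <subject_hash>.N symlink beside FILE using the
# lowest free N (the same idea as certlink.sh on this page); prints the link name.
link_cert() {
    dir=$(dirname "$1"); name=$(basename "$1")
    hash=$(openssl x509 -noout -subject_hash -in "$1")
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$dir/$hash.$n"
    echo "$hash.$n"
}

# verify_against CERT CAPATH: succeeds only if CERT chains to a CA that
# OpenSSL can find in CAPATH through a hash link.
verify_against() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

make_test_pki "$WORK"
echo "dc.cer.pem is a $(cert_role "$WORK/dc.cer.pem") certificate"   # leaf
echo "ca.cer.pem is a $(cert_role "$WORK/ca.cer.pem") certificate"   # ca

# Step 1: the file is in the directory, but OpenSSL only opens <hash>.N names.
cp "$WORK/ca.cer.pem" "$CAPATH/unityCA.cer.pem"
if verify_against "$WORK/dc.cer.pem" "$CAPATH"; then
    echo "unexpected: verified without a hash link"
else
    echo "CA file copied but not linked: DC certificate does NOT verify"
fi

# Step 2: create the link and the same lookup succeeds.
LINK=$(link_cert "$CAPATH/unityCA.cer.pem")
if verify_against "$WORK/dc.cer.pem" "$CAPATH"; then
    echo "after creating $LINK: DC certificate verifies"
fi
```

Running it prints that dc.cer.pem is a leaf and ca.cer.pem a CA, that verification fails while the CA is merely copied into the directory, and that it succeeds once the <hash>.0 link exists. A second link_cert call on the same file yields <hash>.1, which is the collision suffix described above.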

Testing with OpenLDAP#

Configure your /etc/openldap/ldap.conf file (on Debian derived systems it is /etc/ldap/ldap.conf) with the info about locating your DC, and how to locate your certificates. In this example, the DC is dc00.unity.ad.ncsu.edu and the OpenSSL certificates directory is /etc/pki/tls/certs.

Note: be careful! On many distributions, there is also an /etc/ldap.conf, which controls nss_ldap (the name service switch module) and pam_ldap (the pluggable authentication module). Unless you're using AD accounts and passwords to log in to your Unix machine through those modules, this is likely to not be the file you want to disturb. :-)

    # /etc/openldap/ldap.conf
    uri ldaps://dc00.unity.ad.ncsu.edu
    base dc=unity,dc=ad,dc=ncsu,dc=edu
    tls_cacertdir /etc/pki/tls/certs
    # refuse to talk to a DC whose certificate does not chain to a CA found in tls_cacertdir
    tls_reqcert demand

The "ssl on" line that appears in many examples is a directive of the nss_ldap /etc/ldap.conf, not of OpenLDAP's ldap.conf; with an ldaps:// URI the OpenLDAP client uses SSL on port 636 on its own. tls_reqcert demand is already the default, but stating it makes the intent explicit. If libldap on your system is built against GnuTLS rather than OpenSSL (as on Debian derived systems), the hash-link layout is irrelevant to it; tls_cacert pointing at the single CA file works with either TLS library.

Windows 2000 domain controllers do not support the StartTLS extended operation on port 389 (Windows Server 2003 added it), so with those you must use LDAP over SSL on port 636, i.e. an ldaps:// URI.

Basic testing instructions and more background can be found at Microsoft Solution Guide for Windows Security and Directory Services for UNIX [1]

You can test basic anonymous reads with:

    ldapsearch -x -s base -b "" "(objectclass=*)"

-x indicates a "simple bind" rather than SASL. Use -D and -W to specify a bind DN and be prompted for its password if you wish.
-s base indicates a "base" LDAP search, rather than "sub" or "one".
-b "" indicates the search base; an empty base means the root of the LDAP tree, i.e. the rootDSE.
-H ldaps://dc00.unity.ad.ncsu.edu overrides the uri from ldap.conf if you want to query a different host (the older -h host option takes a bare hostname and is deprecated).

By default, Microsoft Active Directory does not allow anonymous operations on the LDAP directory. However, the ldapsearch -x -s base -b "" "(objectclass=*)" command reads the rootDSE, and this anonymous operation is permitted. If instead you get "Can't contact LDAP server", rerun with -d 1 to see the TLS messages: a certificate verification failure there means the CA link above is what to check, since ldapsearch uses the same certificate directory.
