
Active Directory Publisher

EJBCA can publish certificates and Certificate Revocation Lists (CRLs) to Microsoft Active Directory (AD) using LDAP. This enables integration with AD-based applications and services that rely on certificates stored in directory objects, such as user accounts and Public Key Services containers.

This section describes how to configure the Active Directory publisher in EJBCA.

Publish to Active Directory

When configuring Active Directory LDAP, the Bind DN for users is usually of the form:

CODE
cn=user,cn=Users,dc=domain-component1,dc=domain-component2

For example, for the domain keyfactor.com:

CODE
cn=User Usersson,cn=Users,dc=keyfactor,dc=com

Base DN configuration

If your DN and your base DN are like the following examples:

DN

CODE
cn=Ejbca1,o=MyOrg,c=SE

Base DN

CODE
DC=Security,DC=Software,DC=MyOrg

Then the Active Directory publisher should have a base DN like the following example:

CODE
cn=Users,dc=Security,dc=Software,dc=MyOrg

Login DN

For Login DN, use the full LDAP name, for example:

CODE
CN=Administrator,CN=Users,dc=keyfactor,dc=se

To connect to AD through SSL, issue an LDAP SSL certificate (as a P12 keystore) to the domain controller.

The same certificate is used for both AD (LDAP) and the Global Catalog (GC). Remember to add the CA certificate to the trusted root certificate store on that machine.

Publish CRLs to Active Directory

To publish a CRL to Active Directory, use a Base DN similar to:

CODE
CN=somename,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=somemachine,DC=keyfactor,DC=se

The CRL Distribution Point in the certificate should point to:

CODE
ldap:///CN=Test%20MS%20SC%20Logon%20CA%20v1,CN=somename,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=somemachine,DC=keyfactor,DC=se?certificateRevocationList?base?objectClass=cRLDistributionPoint
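
The CRL Distribution Point URL above is an RFC 4516 LDAP URL: a percent-encoded DN, then the attribute to read (certificateRevocationList), the search scope (base) and a filter (objectClass=cRLDistributionPoint), separated by question marks. The following is an added example (not EJBCA code; the helper names build_crl_dp_url, parse_crl_dp_url and check_crl_dp_url are hypothetical) that builds such a URL from a CRL object CN and the publisher's Base DN, parses it back, and flags the mistakes most often seen in certificate profiles: raw spaces instead of %20, a wrong scope or attribute, or a DN that does not sit under the AD CDP container. The DN values are the documentation's sample values.

```python
"""Build and sanity-check an LDAP CRL Distribution Point URL for an AD CDP object.

Added example, not part of EJBCA. DN values are the documentation's sample values.
"""
from urllib.parse import quote, unquote, urlparse

# Characters that may stay unescaped inside the DN part of an LDAP URL
# (besides the unreserved characters that quote() always keeps).
# Spaces and most other characters must be percent-encoded.
_DN_SAFE = "=,+;"

# What an AD CRL distribution point URL is expected to look like.
EXPECTED_ATTRIBUTE = "certificateRevocationList"
EXPECTED_FILTER = "objectClass=cRLDistributionPoint"
CDP_CONTAINER = "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration"


def build_crl_dp_url(crl_cn: str, cdp_base_dn: str) -> str:
    """Return an ldap:/// URL pointing at the cRLDistributionPoint object.

    crl_cn      - CN of the CRL object EJBCA publishes (usually the CA name)
    cdp_base_dn - the publisher's Base DN under CN=CDP,CN=Public Key Services,...
    An empty host (ldap:///) means "use the default domain controller".
    """
    dn = f"CN={crl_cn},{cdp_base_dn}"
    encoded_dn = quote(dn, safe=_DN_SAFE)  # turns spaces into %20
    return f"ldap:///{encoded_dn}?{EXPECTED_ATTRIBUTE}?base?{EXPECTED_FILTER}"


def parse_crl_dp_url(url: str) -> dict:
    """Split an LDAP URL into host, decoded DN, attribute list, scope and filter."""
    parsed = urlparse(url)
    if parsed.scheme != "ldap":
        raise ValueError(f"not an ldap:// URL: {url!r}")
    dn_part = parsed.path.lstrip("/")
    # The query holds attributes?scope?filter; pad so missing parts become "".
    attrs, scope, flt = (parsed.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parsed.netloc,
        "dn": unquote(dn_part),
        "attributes": attrs,
        "scope": scope,
        "filter": flt,
    }


def check_crl_dp_url(url: str) -> list:
    """Return a list of problems found in a CDP URL; an empty list means it looks right."""
    problems = []
    if " " in url:
        problems.append("URL contains a raw space; spaces in the DN must be encoded as %20")
    try:
        parts = parse_crl_dp_url(url)
    except ValueError as exc:
        return problems + [str(exc)]
    if parts["attributes"] != EXPECTED_ATTRIBUTE:
        problems.append(f"attribute is {parts['attributes']!r}, expected {EXPECTED_ATTRIBUTE}")
    if parts["scope"] != "base":
        problems.append(f"scope is {parts['scope']!r}, expected base")
    if parts["filter"] != EXPECTED_FILTER:
        problems.append(f"filter is {parts['filter']!r}, expected {EXPECTED_FILTER}")
    if CDP_CONTAINER.lower() not in parts["dn"].lower():
        problems.append("DN does not sit under the AD CDP container "
                        "(CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration)")
    return problems


if __name__ == "__main__":
    # Sample values taken from the documentation's example.
    cdp_base = ("CN=somename,CN=CDP,CN=Public Key Services,CN=Services,"
                "CN=Configuration,DC=somemachine,DC=keyfactor,DC=se")
    url = build_crl_dp_url("Test MS SC Logon CA v1", cdp_base)
    print(url)
    print("problems:", check_crl_dp_url(url) or "none")
    # A hand-typed URL with an unencoded space and the wrong scope:
    print("problems:", check_crl_dp_url(
        "ldap:///CN=Test MS CA,DC=example,DC=com"
        "?certificateRevocationList?sub?objectClass=cRLDistributionPoint"))
```

Run the check against the CRL DP URL in your certificate profile before issuing certificates: a URL that AD clients cannot resolve leaves revocation checking silently broken, which is a harder problem to spot than a failed publish.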

Using LDAPS

To use LDAPS (LDAP over TLS) when publishing to AD, do the following:

  1. Configure your publisher in EJBCA to use TLS by checking the TLS Connection option and changing the port to 636.

  2. Since EJBCA uses the Java LDAP library, the certificate of the (root) CA that signed the AD server certificate must be present in the Java trust store ($JAVA_HOME/jre/lib/security/cacerts).
    Add a CA certificate to the Java trust store using the following command:

    CODE
    keytool -import -trustcacerts -alias MyCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file myca.der