Enabling TLS for Active Directory Connection

The following describes how to optionally enable TLS for the Active Directory (AD) connection.

Step 1 - Set up Authentication Key Binding 

To enable TLS for the Active Directory connection, an authentication key binding is required to establish trust. The key binding needs to be bound to the Issuing CA certificate. For instructions, see Setting up a Remote Authenticator.

Step 2 - Enrolling TLS Certificate to your AD's Local Store

Following the MS Auto-enrollment setup of EJBCA, your Active Directory will should have a computer certificate enrolled through EJBCA. This certificate may be used as server certificate for the LDAPS connection, though a separate certificate can be enrolled for this purpose as well. Whichever certificate is used, it has to fulfill the following criteria:

• LDAPS certificate is located in the Local Computer's Personal certificate store.

• The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) OID.

• The Active Directory fully qualified domain name of the domain controller must exist as DNS Name in the Subject Alternative Name extension (this can be achieved by enrolling using a Certificate Template with "DNS name included as alternative name")

Step 3 - Enable TLS Settings in EJBCA

As the final step, enable the TLS connection:

1. In EJBCA, select AutoEnrollment Configuration.
   
2. Specify the following:
   
   • Select Use SSL.
   • Select the Authentication Key Binding created in Step 1 - Set up Authentication Key Binding.
   • Change Active Directory Port to the TLS port of your AD. The default port is 636.
3. Click Save and then click Test Connection to confirm the connection.