
Enabling TLS for Active Directory Connection

The following describes how to optionally enable TLS for the Active Directory (AD) connection.

Step 1 - Set up Authentication Key Binding 

To enable TLS for the Active Directory connection, an authentication key binding is required to establish trust. The key binding needs to be bound to the Issuing CA certificate. For instructions, see Setting up a Remote Authenticator.

Step 2 - Enrolling TLS Certificate to your AD's Local Store

Following the MS Auto-enrollment setup of EJBCA, your domain controller should already have a computer certificate enrolled through EJBCA. This certificate may be used as the server certificate for the LDAPS connection, though a separate certificate can be enrolled for this purpose as well. Whichever certificate is used, it has to fulfill the following criteria:

  • The LDAPS certificate, together with its private key, is located in the Local Computer's Personal certificate store.

  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) OID.

  • The fully qualified domain name of the domain controller must be present as a DNS Name in the Subject Alternative Name extension (this can be achieved by enrolling using a Certificate Template with "DNS name included as alternative name"). Use the exact name EJBCA connects to, since TLS hostname verification is matched against it.

Step 3 - Enable TLS Settings in EJBCA

As the final step, enable the TLS connection:

  1. In EJBCA, select AutoEnrollment Configuration.
  2. Specify the following:
  3. Click Save and then click Test Connection to confirm the connection.
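The following PowerShell script is an added example and is not part of the EJBCA documentation. It checks the three certificate criteria from Step 2 against the Local Computer's Personal store and then opens a TLS session to port 636 to confirm that the domain controller actually presents one of the qualifying certificates, which is worth knowing before you click Test Connection in Step 3. Run it in an elevated session on the domain controller. It assumes the DC's own FQDN (derived from DNS) is the name EJBCA connects to, and that the SAN extension formats as "DNS Name=..." (English locale); adjust $DcFqdn or the regular expression if either assumption does not hold.

```powershell
# Added example, not part of the EJBCA documentation. Run elevated on the domain controller.
# Assumption: the DC's FQDN as resolved here is the host name EJBCA uses for the LDAPS connection.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$SanOid        = '2.5.29.17'           # subjectAltName

function Get-LdapsCandidateCertificate {
    # Criterion 1: only Local Computer > Personal (Cert:\LocalMachine\My) is considered,
    # and the certificate must have its private key available.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }

        # Criterion 2: the Enhanced Key Usage extension must include Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $hasServerAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }
        if (-not $hasServerAuth) { continue }

        # Criterion 3: the SAN extension must carry the DC FQDN as a DNS name.
        # Assumption: Format() renders entries as "DNS Name=host, DNS Name=host" (English locale).
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if (-not $san) { continue }
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
        if ($dnsNames -notcontains $DcFqdn) { continue }

        [PSCustomObject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DnsNames   = ($dnsNames -join ', ')
        }
    }
}

function Get-LdapsServerCertificate {
    # Open a TLS session to the LDAPS port and return the certificate the DC presents.
    # The validation callback accepts anything because the aim is to inspect, not to trust.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

$candidates = @(Get-LdapsCandidateCertificate)
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in Cert:\LocalMachine\My meets all three LDAPS criteria for $DcFqdn"
    return
}
$candidates | Format-Table -AutoSize

# Which certificate does AD DS actually serve on 636? It should be one of the candidates.
$served = Get-LdapsServerCertificate -HostName $DcFqdn
if ($candidates.Thumbprint -contains $served.Thumbprint) {
    "LDAPS on ${DcFqdn}:636 presents a qualifying certificate ($($served.Thumbprint))"
} else {
    Write-Warning "LDAPS presents $($served.Thumbprint) ($($served.Subject)), which is not one of the qualifying certificates"
}
```

If the last check warns, the domain controller has selected a different certificate from the store than the one you intended; compare the served thumbprint against the candidate table before looking for the problem on the EJBCA side.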
