
How to Enable LDAPS for PortalGuard Using a Self-Signed Certificate


Problem

You do not have an internal CA to use for enabling LDAPS to your Active Directory DC and would like to create a Self-Signed cert to use for LDAPS between PortalGuard and AD.

Solution

Use OpenSSL to create the necessary certificate and install it in the appropriate certificate stores on both machines.

Steps:

  1. Navigate to the PortalGuard server and locate the PortalGuard Install kit that was used to install PortalGuard.
  2. Open the 'ADDINS' folder
    • In older versions of the install kit, this folder was named '_Optional'
  3. Locate the following two files:
    • openssl.cnf
    • openssl.exe
  4. Copy both files to your '\Program Files\PistolStar\PortalGuard' directory - this will help ensure all PortalGuard-related files are located in the same place.
  5. Open an elevated CMD and CD to the above directory. 
  6. Use the following command to generate a self-signed certificate via OpenSSL:
    • openssl req -x509 -days 3650 -newkey rsa:2048 -keyout <AD_ServerName>.pem -out <AD_ServerName>.pem -config ./openssl.cnf
      • IMPORTANT NOTE: Replace both <AD_ServerName> placeholders with the name of the AD DC, and do NOT include the angle brackets in the final command.
    • Follow the on-screen prompts to fill in the certificate information.
      • IMPORTANT NOTE: The common name (CN) of the self-signed certificate must be the server name used to access the DC.
  7. Use the following command to create the PFX file via OpenSSL:
    • openssl pkcs12 -export -in <AD_ServerName>.pem -out <AD_ServerName>.pfx
      • IMPORTANT NOTE: Replace both <AD_ServerName> placeholders with the name of the AD DC, and do NOT include the angle brackets in the final command.
  8. Use the following command to create the CER file via OpenSSL:
    • openssl x509 -outform PEM -in <AD_ServerName>.pem -out <AD_ServerName>.cer
      • IMPORTANT NOTE: Replace both <AD_ServerName> placeholders with the name of the AD DC, and do NOT include the angle brackets in the final command.
  9. Import the PFX file into the personal cert store on the AD server for the local computer.
  10. Import the CER file into the Trusted Root Certification Authorities store for the local computer on BOTH the PortalGuard server and the AD server.
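Steps 6 through 8 scripted and then checked before anything is imported, as an added example that is not part of this KB article: it assumes a Linux or Git Bash `openssl` on PATH with a default configuration (the bundled Windows `openssl.exe` needs the `-config ./openssl.cnf` shown above), and the DC name, organisation and export password in it are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the PortalGuard KB: steps 6-8 above run unattended, then
# checked before anything is imported. Assumes a Linux/Git Bash openssl on PATH with a
# default config; the Windows openssl.exe from the install kit needs the article's
# -config ./openssl.cnf added to the req command.
set -euo pipefail

# make_ldaps_cert <AD_ServerName> [<output dir>]
# Writes <AD_ServerName>.pem (key + cert), .pfx and .cer, matching the article's commands.
make_ldaps_cert() {
    local dc="$1" dir="${2:-.}"
    local pem="$dir/$dc.pem" pfx="$dir/$dc.pfx" cer="$dir/$dc.cer"
    # Step 6: self-signed cert whose CN is the name clients use to reach the DC.
    # -subj replaces the interactive prompts (O is a constructed placeholder); -nodes leaves
    # the key unencrypted so the script can run without a passphrase prompt.
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout "$pem" -out "$pem" \
        -subj "/O=Example Org/CN=$dc" 2>/dev/null
    # Step 7: PFX (key + cert) for the DC's Personal store. The export password is a
    # constructed placeholder; use your own.
    openssl pkcs12 -export -in "$pem" -out "$pfx" -passout pass:changeit
    # Step 8: certificate only, for the Trusted Root store on both machines.
    openssl x509 -outform PEM -in "$pem" -out "$cer"
}

# check_ldaps_cert <AD_ServerName> [<output dir>]
# Confirms what the imports depend on: CN equals the DC name, the private key in the PEM
# belongs to the certificate, and the certificate is within its validity period.
check_ldaps_cert() {
    local dc="$1" dir="${2:-.}"
    local pem="$dir/$dc.pem" cer="$dir/$dc.cer" cn
    cn=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$cer" 2>/dev/null \
         | sed -n 's/^ *CN=//p')
    [ "$cn" = "$dc" ] || { echo "FAIL: CN '$cn' does not match DC name '$dc'"; return 1; }
    # The public key derived from the private key must be identical to the one in the cert.
    [ "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$cer" -noout -pubkey)" ] \
        || { echo "FAIL: key in $pem does not match $cer"; return 1; }
    openssl x509 -in "$cer" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: $cer is outside its validity period"; return 1; }
    echo "OK: $cer CN=$cn"
}

# Usage: make_ldaps_cert dc01.example.local && check_ldaps_cert dc01.example.local
```

A CN that does not match the name PortalGuard uses for the DC is the most common reason the LDAPS handshake fails after the import, which is why the check compares it before step 9.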

REV. 05/2019 | PortalGuard

  • 02-May-2019