Distributing Intermediate Certificates using an LDAP Directory

Reflection SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates. A digital certificate (also called an X.509 certificate) is an integral part of a PKI (Public Key Infrastructure). Certificates are issued by a certificate authority (CA), which vouches for the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the owner's public key (used by others to encrypt messages to the owner and to verify the owner's digital signatures), and a digital signature generated by the CA over the certificate contents. A recipient uses that signature to verify that the certificate has not been tampered with and was issued by a CA it trusts. Depending on how you have configured the Reflection Certificate Manager, Reflection may use certificates in just the Reflection store or in both the Windows and Reflection stores. The Windows store holds intermediate as well as trusted root certificates; the Reflection store holds trusted root certificates only. Reflection can also be configured to locate intermediate certificates on an LDAP server.

To configure Reflection to locate intermediate certificates stored in an LDAP directory, use the LDAP tab of the Reflection Certificate Manager to identify the LDAP server (or servers).

Configuring the LDAP server

Reflection can locate a certificate in the LDAP directory only if the LDAP distinguished name (DN) of the entry exactly matches the contents of the Subject field in the certificate. For example, if the Subject field of the certificate displays the following attributes:

  • CN = Some CA

  • O = Acme

  • C = US

The DN of the entry in the LDAP directory must be exactly "CN=Some CA, O=Acme, C=US": the same attribute types, the same values, and the same order. This is the RFC 4514 string form, with the most specific RDN (here CN) first. Note that the Subject of the intermediate certificate you need to locate is the Issuer of the certificate you already hold, so the Issuer field of the host (or lower-level) certificate tells you which DN the directory must contain.

The entry identified by this DN must carry the certificate in at least one of the following attributes. Reflection checks the attributes in the order listed, from top to bottom, and uses the first one it finds.

Attribute                      OID (Object Identifier)

userCertificate;binary         2.5.4.36
cACertificate;binary           2.5.4.37
userCertificate                2.5.4.36
cACertificate                  2.5.4.37
mosaicKMandSigCertificate      2.16.840.1.101.2.1.5.5
sdnsKMandSigCertificate        2.16.840.1.101.2.1.5.3
fortezzaKMandSigCertificate    2.16.840.1.101.2.1.5.5
crossCertificatePair;binary    2.5.4.40
crossCertificatePair           2.5.4.40
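As an added example (not Reflection's own code), the following Python reproduces the lookup described above so you can check a directory entry before pointing Reflection at it: it turns the certificate Subject into the DN string to search, escapes RDN values per RFC 4514, checks the certificate attributes in the documented order, and builds the equivalent ldapsearch command. The server URL, the sample Subject, and the simulated LDAP entry (including its placeholder DER bytes) are constructed for illustration and are not from the page.

```python
"""Simulate Reflection's LDAP lookup of an intermediate certificate.

Added example, not Reflection code. The certificate Subject is assumed to be
available as an ordered list of (type, value) pairs, as X.509 stores it, and
the LDAP entry is simulated as a dict of attribute -> list of values, the
shape most LDAP client libraries return. All sample data is constructed.
"""

# Certificate attributes in the order Reflection checks them (from the table above).
CERT_ATTRIBUTES = [
    "userCertificate;binary",
    "cACertificate;binary",
    "userCertificate",
    "cACertificate",
    "mosaicKMandSigCertificate",
    "sdnsKMandSigCertificate",
    "fortezzaKMandSigCertificate",
    "crossCertificatePair;binary",
    "crossCertificatePair",
]


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 so that a CA name such as
    'Acme, Inc.' does not split the DN into an extra RDN."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def subject_to_ldap_dn(subject) -> str:
    """Return the DN the directory entry must have: the Subject RDNs in the
    order the certificate viewer shows them (most specific first), joined
    with commas, e.g. 'CN=Some CA,O=Acme,C=US'."""
    return ",".join(f"{attr_type}={escape_rdn_value(value)}" for attr_type, value in subject)


def pick_certificate(entry: dict):
    """Return (attribute, value) for the first attribute, in CERT_ATTRIBUTES
    order, that is present with a non-empty value; None if the entry holds
    no certificate. Note that a crossCertificatePair value is a
    CertificatePair structure, not a bare certificate."""
    for attr in CERT_ATTRIBUTES:
        values = entry.get(attr)
        if values:
            return attr, values[0]
    return None


def ldapsearch_command(server_url: str, dn: str) -> list:
    """Build an ldapsearch invocation that reads exactly the attributes
    Reflection would examine, as a base-scope search of the entry."""
    return (["ldapsearch", "-x", "-H", server_url, "-b", dn, "-s", "base", "(objectClass=*)"]
            + CERT_ATTRIBUTES)


# Constructed sample data: the Issuer of a host certificate, i.e. the Subject
# of the intermediate we need to locate. The DER bytes are a placeholder.
SAMPLE_SUBJECT = [("CN", "Some CA"), ("O", "Acme"), ("C", "US")]
SAMPLE_CA_DER = b"<placeholder DER bytes of the intermediate certificate>"
SAMPLE_ENTRY = {
    "objectClass": [b"pkiCA"],
    "userCertificate": [],                  # present but empty: skipped
    "cACertificate;binary": [SAMPLE_CA_DER],  # first populated attribute in order
    "cACertificate": [SAMPLE_CA_DER],
}
SAMPLE_SERVER = "ldap://ldap.example.com"  # hypothetical server


if __name__ == "__main__":
    dn = subject_to_ldap_dn(SAMPLE_SUBJECT)
    print("DN to look up:", dn)
    print("ldapsearch:", " ".join(ldapsearch_command(SAMPLE_SERVER, dn)))
    found = pick_certificate(SAMPLE_ENTRY)
    print("Reflection would use:", found[0] if found else "nothing (no certificate attribute)")
```

If the command's output shows the certificate only under an attribute lower in the list, Reflection still finds it, but an entry whose DN differs from the Subject in any RDN type, value, or ordering is never consulted, so check the DN first when a lookup fails.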