Distributing Intermediate Certificates using an LDAP Directory

Reflection SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates. Depending on how you have configured the Reflection Certificate Manager, Reflection may use certificates in just the Reflection store or in both the Windows and Reflection stores. The Windows store holds intermediate as well as trusted root certificates. The Reflection store holds trusted root certificates only. Reflection can also be configured to locate intermediate certificates from an LDAP server.

To configure Reflection to locate intermediate certificates stored in an LDAP directory, use the LDAP tab of the Reflection Certificate Manager to identify the LDAP server (or servers).

Configuring the LDAP server

Reflection can locate a certificate in the LDAP directory only if the LDAP distinguished name (DN) exactly matches the contents of the Subject field in the certificate. For example, if the Subject field of the certificate displays the following objects:

  • CN = Some CA
  • O = Acme
  • C = US

The DN of the entry in the LDAP directory must be exactly: "CN = Some CA, O=Acme, C = US".

The attributes of the LDAP entry identified by this DN must include one of the following. (Reflection looks for these attributes in order from top to bottom.)

Attribute                     OID (Object Identifier)
userCertificate;binary        2.5.4.36
cACertificate;binary          2.5.4.37
userCertificate               2.5.4.36
cACertificate                 2.5.4.37
mosaicKMandSigCertificate     2.16.840.1.101.2.1.5.5
sdnsKMandSigCertificate       2.16.840.1.101.2.1.5.3
fortezzaKMandSigCertificate   2.16.840.1.101.2.1.5.5
crossCertificatePair;binary   2.5.4.40
crossCertificatePair          2.5.4.40
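The two rules above (the entry DN must match the certificate Subject exactly, and the certificate attributes are tried in the listed order) are easy to get wrong when populating a directory. The following Python is an added example, not Reflection's code or part of this documentation: it models the lookup against a constructed in-memory stand-in for the LDAP directory, using placeholder byte strings in place of real DER certificates. The DN normalization (attribute types upper-cased, whitespace around "=" and "," dropped, no escaped commas) is an assumption made for the example and is a simplification of real LDAP DN matching.

```python
"""Added example: model how an intermediate certificate is located by DN and
attribute order. The directory below is constructed; values are placeholders."""

# Attribute names to try, in the order the documentation lists them.
CERT_ATTRIBUTES = (
    "userCertificate;binary",
    "cACertificate;binary",
    "userCertificate",
    "cACertificate",
    "mosaicKMandSigCertificate",
    "sdnsKMandSigCertificate",
    "fortezzaKMandSigCertificate",
    "crossCertificatePair;binary",
    "crossCertificatePair",
)


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types upper-cased, no whitespace
    around '=' or ','. Assumption/simplification: no escaped commas in values."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(parts)


def subject_to_dn(rdns) -> str:
    """Build the DN string from the certificate Subject, given as (type, value)
    pairs in the order the certificate viewer shows them (CN first here)."""
    return ",".join(f"{t}={v}" for t, v in rdns)


def find_certificate(directory: dict, subject_rdns):
    """Return (attribute_name, value) for the first populated attribute in
    CERT_ATTRIBUTES order, or None if no entry has exactly this DN or the
    entry carries none of the attributes."""
    entry = directory.get(normalize_dn(subject_to_dn(subject_rdns)))
    if entry is None:
        return None
    for attr in CERT_ATTRIBUTES:
        if entry.get(attr):
            return attr, entry[attr]
    return None


def looks_like_der(blob: bytes) -> bool:
    """Cheap sanity check before handing the value to a certificate parser:
    a DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30."""
    return len(blob) > 2 and blob[0] == 0x30


# Constructed placeholders standing in for DER-encoded certificates.
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 4
FAKE_USER_DER = b"\x30\x82\x02\x00" + b"\x00" * 4

# Constructed directory: normalized DN -> attributes of that entry.
DIRECTORY = {
    # Matches the documentation's example Subject (CN = Some CA, O = Acme, C = US).
    normalize_dn("CN = Some CA, O=Acme, C = US"): {
        "cACertificate;binary": FAKE_CA_DER,
    },
    # Entry with two candidate attributes: userCertificate;binary wins because
    # it is listed first.
    normalize_dn("CN=Other CA, O=Acme, C=US"): {
        "userCertificate;binary": FAKE_USER_DER,
        "cACertificate;binary": FAKE_CA_DER,
    },
    # RDNs in a different order from the certificate Subject: this entry will
    # not be found for a Subject of CN=Misordered CA, O=Acme, C=US.
    normalize_dn("O=Acme, CN=Misordered CA, C=US"): {
        "cACertificate;binary": FAKE_CA_DER,
    },
}


if __name__ == "__main__":
    for cn in ("Some CA", "Other CA", "Misordered CA"):
        subject = [("CN", cn), ("O", "Acme"), ("C", "US")]
        hit = find_certificate(DIRECTORY, subject)
        if hit is None:
            print(f"{subject_to_dn(subject)}: no entry with this exact DN")
        else:
            attr, blob = hit
            print(f"{subject_to_dn(subject)}: {attr}, DER-like={looks_like_der(blob)}")
```

The "Misordered CA" case is the one to check first when a directory lookup fails in practice: the entry exists and carries a certificate, but its RDN order does not match the Subject, so it is never found.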