Obtaining a certificate used to trust the LDAP server


To create an LDAP connection, you must identify the certificate used to trust the connection between the Application Server and the LDAP server. The certificate should reside in the Application Server's trust store.

The certificate in the trust store should be the issuing certificate for the LDAP server's certificate. If the LDAP server is provisioned with a certificate chain, the certificate that you import should be the issuing certificate for the top of the certificate chain.

You can obtain the certificate from a CA, or you can use the blcred utility to retrieve the LDAP server's certificate and store it in file form. When setting up the LDAP connection, you can choose the file obtained from a CA or the file generated by blcred.

Using the blcred utility, run the following command to import a certificate:

 blcred -x certStore.pem cert -add -host <LDAPServer>:389 -protocol ldap

Note

If you specify the host name as an IPv6 address, enclose the IPv6 address in square brackets. For example, [2001:db8::1:2].

For an IPv6 address, if you run the command through the Network Shell (NSH), enclose the server:port string in double quotes. For example, "[2001:db8::1:2]:389".
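The steps above end with a certificate file that you are about to place in the Application Server's trust store. Before importing it, it is worth confirming that the file really is the issuing certificate for the LDAP server's certificate, since a trust store that holds the wrong CA fails only at connection time. The following script is an added example, not part of the BMC documentation or of the blcred utility. It assumes the openssl command-line tool is installed; the CA names, the host name ldap.example.internal and all file names are constructed for the demo, and the certificates are generated locally so the script runs without network access.

```shell
#!/bin/sh
# Added example, not part of the BMC documentation or the blcred utility.
# It checks that the certificate file you intend to import into the Application
# Server's trust store is really the issuer of the LDAP server's certificate.
# Assumes the openssl CLI is installed. The CA names, host name and file names
# are constructed for this demo; the certificates are generated locally so the
# script runs without network access.
set -eu

WORK="${TMPDIR:-/tmp}/ldap-trust-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway issuing CA, an LDAP server certificate signed by it,
# and an unrelated CA, so the check below has something to accept and reject.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/ldap.pem" >/dev/null 2>&1
    # A chain file as an LDAP server might present it: server cert first, issuer after.
    cat "$WORK/ldap.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Print subject and issuer of every certificate in a PEM file (single cert or chain).
# openssl x509 reads only the first certificate, so the file is wrapped in a PKCS#7
# container and unpacked again, which prints each certificate in turn.
describe_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Does the trust-store candidate ($1) validate the LDAP server certificate ($2)?
# Exit status 0 means the candidate is the issuer (or the root above the issuer).
trusts_ldap_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Cheaper sanity check: the candidate's subject DN must equal the server cert's
# issuer DN. It catches the common mistake of importing the wrong CA, but unlike
# trusts_ldap_cert it does not prove that the signature is valid.
issuer_matches() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

make_demo_certs
echo "Certificates presented by the demo LDAP server:"
describe_chain "$WORK/chain.pem"
for candidate in ca.pem other.pem; do
    if trusts_ldap_cert "$WORK/$candidate" "$WORK/ldap.pem"; then
        echo "$candidate: OK, this is the one to import into the trust store"
    else
        echo "$candidate: NOT the issuer of the LDAP server certificate"
    fi
done
```

Against a real LDAP server, point describe_chain at the file that blcred wrote (certStore.pem in the command above) to see which certificate it contains, and run trusts_ldap_cert with that file as the first argument and the server's own certificate as the second; a non-zero exit status means the Application Server would reject the LDAP connection with that trust store. The same chain can also be captured with openssl s_client -connect host:389 -starttls ldap -showcerts when blcred is not available on the machine doing the check.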
