TLS: AD certificate issue between VA and AD

Hi

I am trying to set up TLS connectivity between AD and VA. The AD team generated a self-signed certificate. I exported the certificate, without the private key, and deployed the PEM file at /home/sailpoint/certificate. The TLS connection is failing with this error:

Failed to connect to server:ldap://acmetech.com:636 -
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I did the following:

  1. AD team created a self-signed certificate on the Windows server.
  2. They added it in the Personal -> Certificates folder under the console root.
  3. I exported the certificate and converted it to a PEM file. (I even ran the openssl command to fetch the public cert and kept that in the certificate folder in a PEM file.)
  4. Deployed it in the /home/sailpoint/certificate directory.
  5. Restarted ccg.

I referred to this link:

Additional points:

While running the below command from the VA, I get an error at the end (return code 21):
openssl s_client -connect acmetech.com:636

I am getting the public cert, but at the end I am getting this error:
Verify return code: 21 (unable to verify the first certificate)

Any help is appreciated.

Regards
Arshdeep

1 Like

Hi Arshdeep,

Can you share the result of following command to check the certificate:

openssl x509 -in <certificate>.pem -text -noout

One more thing to check would be whether any network communication (firewall rules) is blocked between VA and AD.

1 Like

certificate.txt (4.0 KB)

Hi @shaileeM

Thanks for your response.
I have attached the output of the command; I have masked some values.

Regards
Arshdeep

1 Like

You will need to upload the intermediate and root certificates to the VA to make the chain valid.

Alicia

Hi @agutschow
Thanks for your response.

AD team generated a self-signed certificate from the UI on the Windows server and exported that one without the private key. I was trying to put that cert in the certificate folder on the VA.

Is there any other certificate required here?

I understand the concept of a root CA and intermediate cert for server certs signed by an actual CA. But in this case, does the AD team need to generate another certificate when using a self-signed cert?

Regards
Arshdeep

Hi @arshdeep_thapar,

You can add the full chain of certs and try.

You can try openssl s_client -connect :port to see if it’s connected or not

Refer to the Stack Overflow article to see if it helps.

Lastly try regenerating and see if that helps.

Hi @arshdeep_thapar , something that might help.

Support Articles - [IdentityNow] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (sailpoint.com)

Hi @vinnysail

Thanks for your response and thanks for sharing this link.

Kindly help me here. Are intermediate certificates created when generating a self-signed cert on a Windows server? My thinking was a self-signed cert would have a public and a private key. The public key of the cert would be encrypted with the help of the private key. The public key is stored on the client side in a PEM file. During the handshake the server cert (root CA cert, i.e. the self-signed cert) is exchanged with the client. The client uses the public key (stored in the PEM file) to decrypt the signature (encrypted server public key) and verifies the public key of the cert with the public key it has.

An intermediate certificate can be generated for this process to make the self-signed cert more secure, which usually the actual CA-signed server cert uses.

But I don’t know if the Windows server generates both or we need to generate it explicitly for self-signed. Kindly help.

Regards
Arshdeep Singh

@amahlemohlokonya thanks for your response.

I have tried this. It didn’t work.
The only thing different I did was to just restart ccg as mentioned in another SailPoint doc, and not the complete VA. I can try that and see.

Regards
Arshdeep Singh

You need the certificate for the DC servers. I believe the openssl command should look something like this: openssl s_client -connect server.acmetech.com:636
If you have multiple servers for the domain, you should add all servers’ certificates in the /home/sailpoint/certificate directory.

1 Like

Hi @arshdeep_thapar ,

You are missing some certificates in the certificate chain - root CA cert or intermediate certs. Please add them and try.

Thanks,
Shailee

1 Like

I also have encountered the same issue. May I know if you have solved this issue and have any clue of solving it?

Hi All

Thank you all for your responses. I was able to resolve this one.

It seems the AD team was creating the wrong certificate: the SAN was wrong, and the extended key usage was also incorrect.
I had to create my own AD DC and then connect with a local IIQ (as I didn’t have a local ISC to play with) to confirm my findings and send them over to the AD team.

There is no need to generate intermediate certificates with self-signed certificates. You can generate an intermediate certificate to replicate how an actual CA cert works, but it’s not a necessity.

I used this PS script to generate my certificate on the AD DC:
New-SelfSignedCertificate -DnsName DC01.corp.local -FriendlyName sailpoint_AD -CertStoreLocation cert:\LocalMachine\My

We should confirm the SAN; it should match your AD’s DNS name. This command will deploy the certificate in the Personal folder of Certificate Manager on your Windows server. You need to import it into the trusted root certificate folder too (without the private key).

Use the exported root CA cert (without the private key) and place it in your VA’s /home/sailpoint/certificate location, after converting it to PEM format.
Or use this command to fetch the public certificate:

openssl s_client -connect DC01.corp.local:636

and create a .pem file with just the certificate.

Regards
Arshdeep Singh

3 Likes
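The resolution above comes down to three properties of the DC certificate that the VA's Java client checks at handshake time: the SAN must carry the DNS name used in the ldap:// URL, the extended key usage must permit TLS server authentication, and the certificate must chain to something in /home/sailpoint/certificate (for a self-signed DC cert, that is the cert itself). The script below, an added example that is not code from this thread, from SailPoint or from Microsoft, expresses those checks with openssl so they can be run on the VA (or anywhere with openssl 1.1.1 or later) before restarting ccg. It also shows why the first post's `Verify return code: 21` is expected from a bare `openssl s_client` against a self-signed cert: s_client was given no trust anchor, and `openssl verify -CAfile` is the offline way to prove the chain. Because nothing here talks to a real DC, two certificates are generated locally with `openssl req` as stand-ins for what `New-SelfSignedCertificate -DnsName` produces (one correct, one with the wrong SAN and no EKU, mirroring the thread's failure), and the `s_client` transcript is constructed rather than captured. The hostname `DC01.corp.local`, the working directory and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` (1.1.1 or later, for
# `req -addext`) is on PATH. Both certificates are generated locally as
# stand-ins for the DC's certificate; nothing is fetched over the network.

WORK=$(mktemp -d)
DC_NAME="DC01.corp.local"   # hostname the VA will put in ldap://...:636 (assumed)

# Generate a self-signed cert. $1 = output file, $2 = SAN DNS name,
# $3 = EKU ("serverAuth", or "" for none). The private key is written beside
# it and is never copied to the VA.
make_cert() {
    out="$1"; san="$2"; eku="$3"
    extra=""
    [ -n "$eku" ] && extra="-addext extendedKeyUsage=$eku"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$DC_NAME" \
        -addext "subjectAltName=DNS:$san" $extra \
        -keyout "${out%.pem}.key" -out "$out" 2>/dev/null
}

# Does the SAN carry the DNS name we connect to? Java ignores the CN once a
# SAN is present, so a correct CN with a wrong SAN still fails.
has_san() {             # $1 = cert.pem, $2 = DNS name
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Does the Extended Key Usage allow TLS server authentication?
has_server_auth_eku() { # $1 = cert.pem
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Does the cert chain to the trust anchor placed in /home/sailpoint/certificate?
# For a self-signed DC cert the anchor is the cert itself, so both arguments
# are the same file; a CA-signed cert needs the root (plus intermediates) in $2.
chains_to() {           # $1 = cert.pem, $2 = trust-anchor PEM bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# "Create a .pem file with just the certificate": keep only the first PEM
# block from an `openssl s_client -connect host:636` transcript read on stdin.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}

# One line per check, so the output can be pasted back to the AD team.
report() {              # $1 = cert.pem
    for chk in "has_san $1 $DC_NAME" "has_server_auth_eku $1" "chains_to $1 $1"; do
        if $chk; then echo "PASS $chk"; else echo "FAIL $chk"; fi
    done
}

mkdir -p "$WORK/good" "$WORK/bad"
make_cert "$WORK/good/dc.pem" "$DC_NAME" serverAuth   # what the DC should present
make_cert "$WORK/bad/dc.pem"  "ad.corp.local" ""      # wrong SAN, no EKU (constructed failure)

# Constructed s_client transcript: header, the cert, and the trailer from the
# thread. Return code 21 here only means s_client had no trust anchor.
{
    echo "CONNECTED(00000003)"
    echo "depth=0 CN = $DC_NAME"
    echo "verify error:num=21:unable to verify the first certificate"
    cat "$WORK/good/dc.pem"
    echo "Verify return code: 21 (unable to verify the first certificate)"
} > "$WORK/s_client.txt"
extract_first_cert < "$WORK/s_client.txt" > "$WORK/fetched.pem"

echo "== good cert =="; report "$WORK/good/dc.pem"
echo "== bad cert  =="; report "$WORK/bad/dc.pem"
```

Against a real DC, replace the constructed transcript with `openssl s_client -connect DC01.corp.local:636 </dev/null 2>/dev/null | extract_first_cert > dc.pem` and run `report dc.pem`; the good cert reports three PASS lines, the bad one fails the SAN and EKU checks while still passing `chains_to` (a self-signed cert always verifies against itself, which is why the trust-store step alone does not catch a wrong SAN).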
