Certificate practices using IdP with MS AD LDAP

Daniel Fisher dfisher at vt.edu
Wed Apr 24 10:04:15 EDT 2013


On Mon, Apr 22, 2013 at 6:29 PM, David Bantz <dabantz at alaska.edu> wrote:

> It must be fairly common for IdP deployments to depend upon LDAP from AD
> component of a Domain Controller.   I am inquiring about strategies for
> this dependency - specifically, the use of X.509 certificates for
> establishing encrypted communications between the IdP and AD LDAP.
>
> We're exploring a number of options in response to our Windows Server
> group recently determining they will exclusively use the internal Microsoft
> certificate generator and private CA for use within the Domain.  I am
> soliciting the experience of other institutions with similar deployments.
> Do you:
>
>
> b) Import the certificate for the Domain's private CA into an alternate
> location for java trusted CA?
>
>
This is my preferred solution. I like the trust dependencies to be declared
in the configuration, even for certificates that would otherwise be trusted
by default, and stored with the configuration. Storing certificate
dependencies in cacerts invites problems associated with JVM upgrade and
certificate expiration.


> In either case, how do you ensure that both the private CA and other
> well-known CAs have up-to-date certificates in that store?
>

CA expiration is typically greater than five years, and those transitions
should be well communicated and planned.

--Daniel Fisher
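As an added illustration of the practice described in the reply above (a trust store kept beside the IdP configuration rather than in the JVM's cacerts), the following is example shell, not code from this thread or from the Shibboleth project. It assumes openssl is on PATH; the CA and LDAP server names are constructed stand-ins for the Domain's private CA and a Domain Controller.

```shell
#!/bin/sh
# Dedicated trust store for the IdP -> AD LDAP connection, kept beside the
# IdP configuration instead of inside the JVM's cacerts. Assumes openssl.
set -eu

# Build a constructed stand-in for the Domain's private CA (sample only).
make_sample_ca() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Domain Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a constructed LDAP server certificate from that CA (sample only).
make_sample_ldap_cert() {  # $1 = work dir
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc1.example.edu" \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$1/ldap.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/ldap.pem" 2>/dev/null
}

# Copy the CA certificate (only the certificate, never a key) into a
# dedicated PEM trust store; refuse input that is not a certificate.
build_truststore() {  # $1 = CA cert, $2 = trust store path
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -out "$2"
}

# Does the trust store's CA certificate remain valid for at least $2 days?
# Run this from monitoring so a CA rollover is planned, not discovered.
truststore_valid_for() {  # $1 = trust store, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Chain the LDAP server certificate to the dedicated trust store, which is
# the check the IdP's TLS client performs when it connects to AD.
verify_ldap_cert() {  # $1 = trust store, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The resulting PEM file is what the LDAP connector's trust setting is pointed at in the IdP configuration (the exact property name depends on the IdP release and is outside this example).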