Does connecting over SSL, i.e. LDAPS, to CA Directory require a client certificate?
E.g. a PeopleSoft application is connecting to CA Directory over LDAPS, i.e. ldaps://dir.abc.com:636/
Does PeopleSoft require the public key, intermediate cert or root cert, or maybe all 3 of them, at their end to be able to communicate over LDAPS to CA Directory?
Or would it be able to communicate without the cert, with just the right SSL port defined at the application end?
Ideally you just need to trust the Root CA which issued the SSL certificate to be able to run CA Directory in SSL mode. If there is a Root CA certificate chain, then we would need the intermediate CA and the Root CA. In either case, the actual public certificate which is used to enable SSL on CA Directory is not needed at the client end (client = PeopleSoft or LDAP browser).
You can first test the same using an LDAP Browser.
How to Encrypt Communications between a LDAP Browser and the Directory - CA Directory - 14.0 - CA Technologies Documenta…
Thanks, HubertDennis.
That is what I also observed when we recently renewed the SSL certificate for our CA Directory.
(SSL cert renewed for the LB VIP sitting in front of CA Dir.)
Since all the applications already had the 'root + intermediate' certificates in their keystores from the older cert, they were able to connect to our CA Dir even without updating the renewed public cert at their end.
I just wanted to be sure of this concept before we push the renewed certificate deployment in Prod.
Thanks for clarifying the same, and do let me know in case I misunderstood you.
The understanding is correct. As long as the new public certificate is signed by the same Root CA or Intermediate CA, clients (LDAP browser or apps) need not update anything on their end.
Here is a good article.
Everything you ever wanted to know about SSL (but were afraid to ask) - The Boy Wonders
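Added example, not part of the thread above or of CA Directory's own tooling: it illustrates both answers (what the client's trust store must contain, and why a renewed server certificate from the same issuing CA needs no client change) with a throwaway root -> intermediate -> server chain built with openssl. The CA names, the host name dir.abc.com and the file names are all constructed for the demo; no network is used, the chain checks are done with `openssl verify` exactly as a TLS client would validate what the LDAPS server presents.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.1 or later).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Build a self-signed root and an intermediate (issuing) CA signed by that root.
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt 2>/dev/null
}

# issue_server_cert NAME: a server (leaf) certificate for the directory / LB VIP,
# signed by the intermediate. Called once for the old cert and once for the renewal.
issue_server_cert() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dir.abc.com\nextendedKeyUsage=serverAuth\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dir.abc.com" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -extfile srv.ext -out "$1.crt" 2>/dev/null
}

# verify_with TRUSTFILE LEAF [UNTRUSTED]: 0 when LEAF chains up to something in TRUSTFILE.
# TRUSTFILE plays the role of the client's keystore; UNTRUSTED plays the role of the
# intermediate the server sends along with its leaf during the TLS handshake.
verify_with() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() {
  if verify_with "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi
}

gen_chain
issue_server_cert server-old        # certificate on the VIP before renewal
issue_server_cert server-renewed    # renewed certificate, same issuing CA
cat root.crt int.crt > truststore.pem   # what the apps had in their keystores

echo "root only in trust store, server sends only its leaf:"
report root.crt server-old.crt
echo "root only in trust store, server sends leaf + intermediate:"
report root.crt server-old.crt int.crt
echo "root + intermediate in trust store, old leaf:"
report truststore.pem server-old.crt
echo "same trust store untouched, renewed leaf:"
report truststore.pem server-renewed.crt
echo "the old leaf itself as the only trusted cert, renewed leaf (wrong thing to pin):"
report server-old.crt server-renewed.crt
```

The first check fails with "unable to get local issuer certificate": a trust store holding only the root is enough only if the server actually sends the intermediate in the handshake, which is why storing root + intermediate on the client side is the safe choice. The last check is the case to avoid: a client that pinned the old leaf instead of the issuing CA breaks at renewal. Against a live directory the same validation is `openssl s_client -connect dir.abc.com:636 -CAfile truststore.pem -showcerts`, where "Verify return code: 0 (ok)" is the result to look for before cutting over in Prod.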
Thank you, HubertDennis