ShoreTel Mobility Router Administration Guide
Appendix A: Deployment Best Practices
Secure LDAP Certificate Requirements for Active Directory Domain Controllers
When an enterprise has a multi-tier (for example, two-tier or three-tier) CA hierarchy, the domain controller may not automatically hold a certificate that is usable for LDAPS. To enable Secure LDAP in a multi-tier CA hierarchy, request a certificate for the domain controller that meets the following requirements:
The certificate must be valid for the purpose of Server Authentication. This means its Enhanced Key Usage (EKU) extension must contain the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1. The domain controller must also hold the private key for the certificate in its local machine certificate store.
The Subject name, or a DNS entry in the Subject Alternative Name (SAN) extension, must match the Fully Qualified Domain Name (FQDN) of the domain controller, such as Subject: CN=mobility-MOBILITYDC-CA.mobility.shoretel.com or (DC=com, DC=shoretel, DC=mobility, CN=mobility-MOBILITYDC-CA). For more information, see How to add a Subject Alternative Name to a secure LDAP certificate at http://support.microsoft.com/kb/931351.
This Active Directory CA certificate is the trust anchor the Mobility Router uses to validate the domain controller's LDAPS certificate. It needs to be exported from the Active Directory server and then imported into the ShoreTel Mobility Router to complete the Secure LDAP procedure in “Adding a Directory Server Group” on page 8-79, at Step 21.
To export the CA certificate on the Active Directory server:
1. Log on as a member of the local Administrators security group (stand-alone computer) or of the Domain Admins security group (computer joined to the domain).
2. Select Start > Administrative Tools > Certification Authority to open the Certification Authority Microsoft Management Console (MMC) snap-in.
3. Highlight the CA node, then right-click and select Properties for the CA.
4. On the General tab, select View Certificate.
5. Select the Details tab and click the Copy to File… button in the lower right corner of the window. This starts the Certificate Export Wizard.
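The following PowerShell script is an added example and is not part of the ShoreTel guide. It automates what the two preceding passages describe: it checks the domain controller's machine store for a certificate that meets the LDAPS requirements (private key present, Server Authentication EKU 1.3.6.1.5.5.7.3.1, Subject CN or SAN DNS entry equal to the domain controller's FQDN), exports the CA certificates above it to PEM files as an alternative to the MMC export wizard, and then performs an LDAPS bind on TCP 636 to confirm which certificate the domain controller actually serves. It goes slightly beyond the page in that it exports every CA in the chain rather than a single CA certificate, which is what a multi-tier hierarchy needs for validation. Assumptions: it runs in an elevated PowerShell session on the domain controller as a domain administrator; the output directory C:\Temp\ldaps-ca is hypothetical; the Mobility Router is assumed to accept Base64 (PEM) .cer files; and the SAN parsing relies on the English-locale "DNS Name=" rendering of the extension.

```powershell
# Added example, not from the ShoreTel guide. Run in an elevated PowerShell
# session on the domain controller. C:\Temp\ldaps-ca is a hypothetical path.
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$outDir = 'C:\Temp\ldaps-ca'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

function Test-ServerAuthEku {
    # True if the certificate's EKU extension lists Server Authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

function Get-CertDnsNames {
    # Subject CN plus every DNS entry in the Subject Alternative Name (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            # Format() renders the SAN as "DNS Name=host1, DNS Name=host2, ..." (English locale assumed)
            $names += [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
    }
    return $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

# 1. Find a certificate in the machine store that meets the LDAPS requirements.
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-ServerAuthEku $_) -and ((Get-CertDnsNames $_) -contains $fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $leaf) {
    throw "No certificate in LocalMachine\My has a private key, the Server Authentication EKU and the name $fqdn"
}
"Using LDAPS certificate: $($leaf.Subject) (thumbprint $($leaf.Thumbprint), expires $($leaf.NotAfter))"

# 2. Export the issuing CA and every CA above it as Base64 PEM files. In a
#    multi-tier hierarchy the Mobility Router needs the whole chain to trust
#    the domain controller's certificate.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    Write-Warning ("Chain did not validate: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
$index = 0
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {   # skip the leaf itself
    $ca = $element.Certificate
    $der = $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, 'InsertLineBreaks')
    $file = Join-Path $outDir ("ca-{0}.cer" -f $index)
    Set-Content -Path $file -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    "Exported $($ca.Subject) -> $file"
    $index++
}

# 3. Confirm the DC actually serves the expected certificate over LDAPS (TCP 636)
#    before configuring the Mobility Router. A DC with several eligible
#    certificates may pick a different one than the script did.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$script:served = $null
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${fqdn}:636")
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.VerifyServerCertificate = {
    param($conn, $cert)
    # Record what was presented; the trust decision is reported below.
    $script:served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()
if ($script:served.Thumbprint -eq $leaf.Thumbprint) {
    "LDAPS bind to $fqdn succeeded with the expected certificate"
} else {
    Write-Warning "LDAPS bind succeeded, but the DC served $($script:served.Subject) (thumbprint $($script:served.Thumbprint)); export the CA chain for that certificate instead"
}
```

Import the exported ca-*.cer files (root and any intermediate) into the Mobility Router at Step 21 of “Adding a Directory Server Group”. If the bind in step 3 fails with a certificate or connection error, the domain controller has not yet picked up a suitable certificate; check that the certificate was issued to the DC's FQDN and that its private key is in the machine store, then restart the domain controller or the Active Directory Domain Services service so it re-selects its LDAPS certificate.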