Exporting Active Directory certificate and importing it to WSO2 IS client-truststore

Dinika Senarath
3 min read · Aug 30, 2018


When a read-write Active Directory is used as a user store in WSO2 Identity Server, the certificate of the Active Directory (AD) must be imported into the client-truststore.jks of the Identity Server (IS). The reason is that updating users, groups and membership details in the AD requires connecting to the AD over LDAPS (Secure LDAP, i.e. LDAP over SSL/TLS), and that connection only succeeds if the IS trusts the certificate presented by the domain controller. LDAPS in turn requires a properly formatted certificate installed on your Active Directory Domain Controllers.

In my previous article, “Installing Active Directory Certificate Services (AD CS)”, I walked through the steps to issue an Active Directory certificate using AD CS. In this article, I will show how to export the CA certificate so that it can be imported into any server that needs to talk LDAPS to the AD, and specifically how to import it into the client-truststore of WSO2 IS, which is required when configuring a read-write Active Directory user store.

For more information on configuring a read-write AD user store in WSO2 IS, please refer to this link: https://docs.wso2.com/display/IS560/Configuring+a+Read-Write+Active+Directory+User+Store

Step 1 : Open the Certification Authority console from the Programs menu, or by running certsrv.msc from Run.

Note : The Certification Authority console is not available if you have not already installed Active Directory Certificate Services (AD CS). In that case, follow the steps in my previous article to install AD CS first.

Step 2 : Right-click the name of the certification authority and select Properties.

Step 3 : In the General tab, under CA certificates, select the CA certificate you want to export (a CA that has been renewed lists more than one; pick the current one) and click View Certificate. This opens the selected certificate.

Step 4 : In the Details tab, click Copy to File. This opens the Certificate Export Wizard.

Step 5 : Click Next.

Step 6 : Select Base-64 encoded X.509 (.CER) as the export file format. Click Next.

Step 7 : Specify a file path and a name for the certificate file. Click Next.

Step 8 : Click Finish to complete the export. A dialog box confirms that the export was successful.

Step 9 : The .cer file is now available at the path you specified during the export. Because this is the CA certificate (not the domain controller's own certificate), a client that trusts it will accept every certificate the CA issues, including the LDAPS certificate on each domain controller and any later renewal of it. You can import it into the truststore of any client that needs to connect to the AD via LDAPS.

To import this certificate into the client-truststore.jks (<IS_HOME>/repository/resources/security/client-truststore.jks), run the following keytool command with the correct paths to the .cer file and to client-truststore.jks. The store password of the default client-truststore.jks is wso2carbon; answer "yes" when keytool asks whether to trust the certificate, and restart the Identity Server afterwards, since the JVM reads the truststore at start-up :

keytool -import -trustcacerts -alias adcert -file CA_CERT.cer -keystore client-truststore.jks -storepass wso2carbon
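The shell script below is an example added here; it is not code from the original article or from WSO2. It scripts the Identity Server side of the procedure above and adds the checks a practitioner would want before and after the import: it detects whether the exported .cer is Base-64 or DER, prints the certificate's subject, issuer and SHA-256 fingerprint so it can be matched against the CA certificate viewed in Step 3, confirms with openssl s_client that the domain controller's LDAPS chain actually verifies against that CA, backs up the truststore, imports with -noprompt and then verifies the alias. The IS home (/opt/wso2is), the file name CA_CERT.cer, the alias adcert and the host dc01.example.com are assumed placeholder values; wso2carbon is the WSO2 default store password.

```shell
#!/bin/sh
# Added example, not code from the original article: import an AD CS CA
# certificate (exported in Steps 1-9) into the WSO2 IS client-truststore and
# verify the result. Assumed placeholder values: IS_HOME=/opt/wso2is,
# CA_CERT.cer, alias adcert, dc01.example.com; wso2carbon is the WSO2 default.

# Detect whether a .cer file is Base-64 (PEM, what the wizard produces when
# "Base-64 encoded X.509" is selected) or raw DER. keytool accepts either,
# but openssl has to be told which via -inform.
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Print subject, issuer, validity and SHA-256 fingerprint so the file can be
# matched against the CA certificate shown in the certsrv Properties dialog.
show_cert() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout \
        -subject -issuer -dates -fingerprint -sha256
}

# Confirm the domain controller really serves an LDAPS chain that ends in this
# CA. Non-zero means the DC has no certificate on 636 or one issued by another
# CA; importing this file into the truststore would not fix that.
check_ldaps() {
    dc_host=$1; ca_file=$2
    pem=$(mktemp)
    if [ "$(cert_format "$ca_file")" = PEM ]; then
        cp "$ca_file" "$pem"
    else
        openssl x509 -inform DER -in "$ca_file" -out "$pem"
    fi
    openssl s_client -connect "$dc_host:636" -servername "$dc_host" \
        -CAfile "$pem" -verify_return_error </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$pem"
    return $rc
}

# Import the CA certificate as a trusted entry. The truststore is backed up
# first so the change can be rolled back; -noprompt answers keytool's
# "Trust this certificate?" question so the script can run unattended.
import_ca() {
    truststore=$1; ca_file=$2; cert_alias=${3:-adcert}; storepass=${4:-wso2carbon}
    cp "$truststore" "$truststore.bak.$(date +%Y%m%d%H%M%S)"
    keytool -importcert -noprompt -trustcacerts -alias "$cert_alias" \
        -file "$ca_file" -keystore "$truststore" -storepass "$storepass"
}

# After the import the alias must be listed as a trustedCertEntry.
verify_import() {
    keytool -list -keystore "$1" -alias "${2:-adcert}" -storepass "${3:-wso2carbon}" \
        | grep -q trustedCertEntry
}

main() {
    is_home=$1; ca_file=$2; dc_host=$3
    truststore="$is_home/repository/resources/security/client-truststore.jks"
    show_cert "$ca_file" || { echo "cannot parse $ca_file" >&2; exit 1; }
    check_ldaps "$dc_host" "$ca_file" || {
        echo "$dc_host:636 does not present a chain issued by $ca_file" >&2; exit 1; }
    import_ca "$truststore" "$ca_file"
    verify_import "$truststore" && echo "imported; restart WSO2 IS to load the truststore"
}

# Usage: ./import-ad-ca.sh /opt/wso2is CA_CERT.cer dc01.example.com
if [ $# -eq 3 ]; then main "$@"; fi
```

Run it on the IS host as ./import-ad-ca.sh /opt/wso2is CA_CERT.cer dc01.example.com and restart the Identity Server afterwards. If check_ldaps fails, the domain controller is not yet presenting a certificate issued by this CA (or is not listening on 636); fix that on the AD side first, because a truststore entry alone does not make LDAPS work. On the CA itself, the GUI export in Steps 1-9 has a command-line equivalent: certutil -ca.cert CA_CERT.der writes the CA certificate in DER form, and certutil -encode CA_CERT.der CA_CERT.cer converts it to Base-64.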
