Securing communications with an LDAP server

You can configure Transport Layer Security (TLS) to encrypt communications between the SafeLinx Server and an LDAP server.

About this task

To support a TLS connection with an LDAP server, you must store the LDAP server's root signer certificate in a PKCS12 keystore file on the SafeLinx Server. Use a key management tool like OpenSSL to add the certificate to the SafeLinx PKCS12 keyring file. You can use an existing PKCS12 keystore file , such as the one that is used by HTTP access services (sl-default.p12), or you can create your own PKCS12 keystore file. After you save the signer certificate, use the SafeLinx Administrator to specify the names of the PKCS12 keystore file and password files in the directory service properties pages.

In some cases, you can use a web browser, such as Mozilla Firefox, to retrieve the signer certificate for the LDAP server. This method is documented in the procedure that follows. If the browser method is unsuccessful, ask the LDAP administrator to extract the certificate and return it to you in a certificate file in .der format.


  1. To use Mozilla Firefox to retrieve a signer certificate for the LDAP server, specify type the address of the LDAP server in the location bar, with an https prefix.
    For example, type:
    The following message displays:

    This Connection is Untrusted.

  2. Click I Understand the Risks, and then click Add Exception...
    The certificate is saved automatically to the browser's Certificate Manager.
  3. Open the Firefox menu, click Options and search for View Certificates.
  4. Click View Certificates, and in the Certificates Manager click the Servers tab.
  5. Click the certificate and then click Export...
  6. In the Save Certificate to File window, browse to the directory where you want to save the file, click X.509 Certificate (DER) (*.der) in the Save as type field, and then click Save.
    If the file name is not equal to the fully qualified host name of the server, rename the file.
    For example, save the file as
  7. Transfer a copy of the file to the SafeLinx Server.

What to do next

To complete the TLS configuration, edit the directory service properties to enable the use of secure connections and to specify the PKCS12 keystore file and file password.