LDAPS with AD and JSS running on Windows Server 2008R2

I wish I had the full answer for you, but you are on the right track with Java. We fumbled with this for a while when we moved to 2008 R2 and secure LDAP earlier this year.

I believe we did have to use the keytool to import the certificate and had to be sure to run it as administrator for it to import properly. My contractor who did most of the work is no longer around so I can't provide more details, sorry!

NOTE: I use the above to import our root CA on a w2k8 server's java instance for extensis portfolio.

Thanks for the response. Hopefully it will get us one step closer!

But when I run

keytool -certreq -keystore "<keystore full path>" -keyalg RSA -file certreq.csr -alias <alias name>

It tells me that "The keystore file does not exist" (Since I thought this should be making a new one I tried to make it something new)
Alternatively, if I use an existing file (Called cacert) and a new allias, it tells me that the alias has no key, even though I have uploaded the .cer file to it using keytool already.

Any ideas?
Thanks!

Alrighty! Sorry for the delay but we have LDAPS working in our windows environment. And everyone was very close, if not absolutely correct.

On our Windows Server 2008 R2, we have two folders, a JRE and JDK installations, both having the keytool.exe programs in their BIN folders. Many of the guides online to adding Certificate files to your java cacert key store say to use %JAVA_HOME% for your directory, but this used the JDK and not the JRE folders.

Additionally the default CACERT keystore has a password which should be "changeit" in windows.

Here is the command we ended up running.

"C:Program FilesJavajre7inkeytool" -import -trustcacerts -alias ittl -keystore "C:Program FilesJavajre7libsecuritycacerts" -file "C:Program FilesJavajre7libsecuritycert.crt"

In an elevated command prompt.

After which, restarting apache in Control Panel -> Administrator Tools -> Services The website instantly took the certificate and LDAPS started working on ports 636 and 3269!

Thanks for the explanation, wstewart3. This is exactly what I needed to do also. I was initially using the "cacerts" keystore file inside the bin folder, instead of the libsecurity folder. Thanks for posting your solution!

For anyone else trying to get LDAPS working I FINALLY succeeded today, after many failed attempts.

Just in case it's helpful for someone else - here's what worked for me:

1) Stumbled on this site through googling and JAMF Nation trawling. In it was a very valuable link about setting up LDAP over SSL

2) followed the LDAP over SSL link to create a new certificate template (I called mine "Casper Kerberos Authentication" for simplicity)... followed all the first steps from start to finish on my CA, and then on my AD server for the heading Requesting a Certificate for Server Authentication. We have several AD servers in our environment but only use one for Casper AD auth.

3) On the AD server with the mmc certificate snap-in loaded as local computer, I exported the newly enrolled "Casper Kerberos Authentication" certificate as a base64 .cer and copied over to our casper server.

4) @wstewart3's comment of importing the certificate into the JRE cert store worked a treat - specifically: "C:Program FilesJavajre7inkeytool" -import -trustcacerts -alias ittl -keystore "C:Program FilesJavajre7libsecuritycacerts" -file "C:path oyour ewcert.cer"

5) Restarted tomcat service on the server and voila was able to authenticate with LDAPS when I did a test.

If like me you had to do a lot of troubleshooting and didn't get the certificate right the first time, you might need to remove it from the Java certificate store before importing another one. The command to do this was:

"C:Program FilesJavajre7inkeytool" -delete -alias ittl -keystore "C:Program FilesJavajre7libsecuritycacerts" -storepass changeit - assuming your password is still "changeit"

Hopefully this might help someone out! Thanks for all the previous comments that helped me get this far!