Configuring NAM to use a custom LDAP SSL certificate

The SSL socket factory includes a Trust Manager that, by default, accepts any LDAP server certificate without validating it. The steps below configure it to validate the LDAP server's certificate against the Java keystore.

Using a text editor, open the LDAP configuration file at:

Change the LDAP configuration property ldap.performServerCertificateValidation from false to true.

Get the certificate from the LDAP server.

Run the command:
$ openssl s_client -showcerts -connect <ldapserver>:<port>

The output contains one or more certificate entries, each delimited by a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.
Copy the last certificate entry into a file named ldapca.crt.

Use these commands to add it to the Java keystore in the server's <JRE_HOME>/lib/security directory:

Run command:
$ cd $JRE_HOME/lib/security

Run command:
$ keytool -import -alias ldapca_self_sign -keystore cacerts -storepass changeit -file ldapca.crt
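As an added example, not taken from the NAM documentation, the shell script below automates the certificate-extraction step above: it pulls the last -----BEGIN/END CERTIFICATE----- block out of saved openssl s_client -showcerts output, writes it to ldapca.crt, and wraps the keytool import in a function. The chain output embedded in the script is constructed sample data with placeholder certificate bodies, and the host name, alias and keystore path are assumptions; in practice you feed it output captured from your own LDAP server.

```shell
#!/bin/sh
# Added example (not part of the NAM documentation). Extracts the last
# certificate from `openssl s_client -showcerts -connect <ldapserver>:<port>`
# output and prepares it for import into the JRE cacerts keystore.
# The PEM bodies below are CONSTRUCTED placeholders, not real certificates.

# extract_last_cert FILE -> prints the last BEGIN/END CERTIFICATE block in FILE
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
        inblock                       { block = block $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; last = block }
        END                           { printf "%s", last }
    ' "$1"
}

# count_certs FILE -> number of certificate blocks the server presented
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# import_ca CRT KEYSTORE ALIAS -> import CRT as a trusted CA into KEYSTORE.
# Assumes the JRE default store password "changeit" and write access to the
# keystore (typically $JRE_HOME/lib/security/cacerts). Not run automatically.
import_ca() {
    keytool -import -noprompt -trustcacerts -alias "$3" \
        -keystore "$2" -storepass changeit -file "$1"
}

# Constructed sample of s_client -showcerts output: a two-certificate chain,
# server certificate first, issuing CA last (host name is an assumption).
SAMPLE_CHAIN=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example LDAP CA
verify return:1
depth=0 CN = ldap.example.internal
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.internal
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
SERVERCERTPLACEHOLDERBASE64LINE1
SERVERCERTPLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
 1 s:CN = Example LDAP CA
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
CACERTPLACEHOLDERBASE64LINE1
CACERTPLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.internal
EOF
)

# Save the sample output, extract the last entry and write ldapca.crt.
WORKDIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_CHAIN" > "$WORKDIR/chain.txt"
extract_last_cert "$WORKDIR/chain.txt" > "$WORKDIR/ldapca.crt"
echo "chain contains $(count_certs "$WORKDIR/chain.txt") certificate(s); wrote $WORKDIR/ldapca.crt"
# To import into the real keystore:
#   import_ca "$WORKDIR/ldapca.crt" "$JRE_HOME/lib/security/cacerts" ldapca_self_sign
```

Before importing a real ldapca.crt, check it with `openssl x509 -in ldapca.crt -noout -subject -issuer`: for a self-signed CA the subject and issuer are identical. If they differ, the server did not send its root CA in the chain, and the root should be obtained from the CA rather than trusting an intermediate or, worse, the server certificate itself.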