How to set up LDAPS certificates in the Rublon Authentication Proxy?

Modified on Mon, 7 Oct at 4:22 PM

The Rublon Authentication Proxy serves as a bridge between your Rublon-integrated services and the Rublon Multi-Factor Authentication (MFA) platform. To ensure secure LDAPS communication, the Auth Proxy uses SSL/TLS certificates for encrypting data and verifying identities. This guide explains how to set up certificates in the Rublon Authentication Proxy configuration file for LDAPS, offers best practices, and clarifies common questions regarding certificate usage.


Understanding Certificates in the Rublon Authentication Proxy

Rublon Authentication Proxy uses certificates in two main contexts:


  • For LDAP over SSL/TLS (LDAPS) Connections: When Rublon Authentication Proxy connects to your LDAP/Active Directory (AD) server over LDAPS, it needs to trust the LDAP server's certificate.

  • For Clients Connecting to Rublon Authentication Proxy: Applications (e.g., VPNs) that connect to the Rublon Authentication Proxy need to trust the Auth Proxy’s certificate when using secure protocols like LDAPS.


Understanding Trust Relationships

  • Clients Trusting Rublon Authentication Proxy's Certificate:

    • Applications (e.g., VPNs, firewalls) that connect to the Rublon Authentication Proxy must trust the certificate presented by the Rublon Authentication Proxy.

    • If using a self-signed certificate for Rublon Authentication Proxy, you will need to add this certificate to the trusted store of each application.

  • Rublon Authentication Proxy Trusting LDAP/AD Server's Certificate:

    • Rublon Authentication Proxy must trust the LDAP/AD server's certificate when connecting over LDAPS.

    • By default, Rublon Authentication Proxy will accept any certificate from the LDAP server. By placing the LDAP server's certificate in the directory specified by ca_certs_dir_path, you can narrow down the servers with which the Rublon Authentication Proxy can establish a trusted connection.


Example Scenario

Certificate 1 (Rublon Authentication Proxy Certificate):

  • This is a certificate associated with the Rublon Authentication Proxy.

  • Integrated applications trust this certificate by adding it to their trusted certificates store.

  • The cert_path parameter in the Auth Proxy configuration file specifies the path to this certificate.

  • We recommend that the certificate be issued by a CA trusted by the client applications (e.g., VPNs, firewalls). This CA does not necessarily have to be the LDAP server's CA. Using a certificate from a trusted internal CA or a well-known external CA can simplify the trust relationship for clients connecting to Rublon Authentication Proxy.


Certificate 2 (LDAP Server Certificate):

  • This is a certificate associated with the LDAP server.

  • This certificate is placed in the directory specified by ca_certs_dir_path in Auth Proxy’s configuration file. When connecting securely over LDAPS, this tells the Auth Proxy that this is a trusted certificate.

  • We recommend that this certificate be generated by the Certificate Authority (CA) of the LDAP server. However, this is not required and a self-signed certificate may suffice in some use cases.


Certificate Parameters in the Rublon Auth Proxy Configuration File

In the config.yaml file of Rublon Authentication Proxy, you will find the following certificate-related parameters:


In the proxy_servers section:

  • cert_path: The path to the SSL/TLS certificate file that Rublon Authentication Proxy presents to clients.

  • pkey_path: The path to the private key file associated with the cert_path certificate.

  • pkey_password: The password for the private key file. If the key is not protected, you can remove this field.


In the auth_sources section:

  • ca_certs_dir_path: The directory path where the certificates that the Auth Proxy trusts when connecting to LDAP/Active Directory servers over LDAPS are stored.


Setting Up Rublon Authentication Proxy Certificate

Using an Existing Certificate

If you already have a certificate (e.g., issued by your organization's CA or a private certificate), you can use it with Rublon Authentication Proxy.

  • Ensure Compatibility: The certificate should be in PEM format (.crt, .pem).

  • Private Key: You must have access to the associated private key.

  • Configuration: Update the cert_path, pkey_path, and pkey_password in the Rublon Authentication Proxy configuration file accordingly.


Generating a Self-Signed Certificate for Rublon Authentication Proxy

You can use a self-signed certificate for the Rublon Authentication Proxy. This certificate will be used to secure communications between the Rublon Authentication Proxy and the applications that connect to it.


Steps to Generate a Self-Signed Certificate Using OpenSSL:


1. Generate a Private Key:

openssl genpkey -algorithm RSA -out private.key -aes256
  • This command generates a private key encrypted with AES-256.
  • You'll be prompted to set a password for the private key.


2. Generate a Certificate Signing Request (CSR):

openssl req -new -key private.key -out request.csr
  • You will be asked to provide details like Country, State, Organization, Common Name, etc.


3. Generate a Self-Signed Certificate:

openssl x509 -req -in request.csr -signkey private.key -out certificate.crt
  • This creates a self-signed certificate valid for a default period (usually 30 days). You can add -days 365 to increase validity.


4. Update the Rublon Authentication Proxy Configuration File:


proxy_servers:
  - name: LDAP-Proxy
    type: LDAP
    ip: 192.0.2.1
    port: 636
    auth_source: LDAP_SOURCE_1
    auth_method: email
    cert_path: /path/to/certificate.crt
    pkey_path: /path/to/private.key
    pkey_password: YOUR_PRIVATE_KEY_PASSWORD
  • Replace the paths with the actual locations of your certificate and private key.
  • If your private key is not password-protected, you can remove the pkey_password field.


Setting up LDAP/AD Server Certificate for Auth Proxy

When the Rublon Authentication Proxy connects to your LDAP/AD server over LDAPS, it needs to trust the server's SSL/TLS certificate. Here's how to set it up for Auth Proxy:


1. Export the LDAP server's certificate. If it is a self-signed certificate or issued by an internal CA, you will need to export it manually.

2. Create a directory to store trusted CA certificates if it does not exist and copy the LDAP server's certificate into this directory.

3. Update the Rublon Authentication Proxy configuration with the path to the certificate:

auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip: 192.0.2.1
    port: 636
    transport_type: plain
    search_dn:
    access_user_dn:
    access_user_password:
    ca_certs_dir_path: /path/to/ca_certs
  • Set the ca_certs_dir_path to the directory containing the LDAP server's certificate.


Rublon Authentication Proxy Certificates Best Practices

  • Use Strong Encryption: When generating keys and certificates, use strong algorithms like RSA with at least 2048-bit keys.

  • Secure Private Keys: Protect your private keys with strong passwords and secure file permissions.

  • Certificate Validity: Set an appropriate validity period for your certificates and have a process to renew them before expiration.

  • Trust Chains: Ensure that any intermediate certificates are included if your certificates are issued by a CA.

  • Consistent Naming: Use consistent and descriptive filenames for certificates and keys to avoid confusion.

  • Permissions: Set proper file permissions on the certificate and key files so that only the necessary services and administrators have access.

  • Backup Certificates and Keys: Keep secure backups of your certificates and keys in case of server failure or data loss.


Frequently Asked Questions

Do the certificates need to be issued by a trusted Certificate Authority (CA)?

No, the certificates can be self-signed. However, you need to ensure that any applications connecting to Rublon Authentication Proxy trust this certificate by adding it to their trusted certificate store. You must also ensure the paths to certificates are properly added in the Rublon Auth Proxy config file as per instructions in this guide.

Can I use a certificate issued by my LDAP/AD server's CA?

Yes, you can use a certificate issued by your LDAP/AD server's CA for Rublon Authentication Proxy. Ensure that the clients connecting to the Rublon Authentication Proxy trust this certificate.

What is the difference between cert_path and ca_certs_dir_path?

  • cert_path: Specifies the certificate file that Rublon Authentication Proxy presents to integrated applications connecting to it.

  • ca_certs_dir_path: Specifies the directory containing certificates that Rublon Authentication Proxy trusts when connecting to external services like LDAP/AD servers over LDAPS.


How do I ensure Rublon Authentication Proxy trusts my LDAP/AD server's certificate?

By default, all certificates are accepted (including self-signed ones). If you wish to restrict the servers acceptable by the Auth Proxy, place one or more LDAP/AD server's certificates in the directory specified by ca_certs_dir_path. This allows the Rublon Authentication Proxy to trust and establish a secure connection only with those LDAP/AD servers and deny all other servers.

Helpful Links

Rublon Authentication Proxy - Documentation



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article