Directory server certificate validation rules and use cases

Learn how you can use the Host and Host Aliases field for Directory origin server certificate validation.

The EAA connector validates a directory origin server (AD, LDAP, or AD LDS) using the CA certificate that you upload to the EAA management portal. The EAA connector also performs a hostname validation against the directory server to confirm its identity.

EAA connector uses the Host and Host Aliases fields in the directory configuration to validate the LDAPS origin server identity.

To do this, the EAA connector matches the server identity presented in the server certificate against the Host field in the directory configuration in EAA. The identity is taken from the DNS names in the certificate's Subject Alternative Name (SAN) extension or from the Common Name (CN) in the Subject field, with the SAN having the highest priority. If the server certificate includes a SAN entry of type DNS name, only those SAN entries are considered for the host match; otherwise the certificate's CN (the Subject field) is considered. If you have multiple domain controllers or you have provided an IP address for the Host, you can use the Host Aliases field to match the LDAPS server's identity.

Here are some use cases:

Use Case 1. A single domain is represented by two domain controllers (DC1 and DC2). Host matches SAN (DNS name). CN is ignored. Host-aliases is not needed.

In EAA, while configuring the directory, you provide the domain name for the Host:

Both domain controllers have the domain name “mydirectory.mycompany.com” in the SAN.

Domain Controller1’s server certificate has these values for CN and SAN:

Domain Controller2’s server certificate has these values for CN and SAN:

Since the Host matches SAN, CN is ignored. Host Aliases is not needed in the configuration. Since there is a server match, the origin server is validated.

Use Case 2. A single domain is represented by one domain controller (DC1). Host has an IP address. Server certificate for DC1 only has a CN that represents the FQDN of DC1. So use Host-Aliases with the CN value.

In EAA, while configuring the directory, you provide an IP address for the Host:

Domain Controller1’s server certificate has a CN and does not have a SAN:

You provide the CN value in Host-Aliases field:

Since there is no SAN, the CN value provided in the Host Aliases field is considered a host match and the origin server is validated.

Use Case 3. A single domain is represented by two domain controllers (DC1 and DC2). Host has a different domain name that does not match the CN in both server certificates. SAN is absent in both server certificates. So use Host-Aliases with CN values of both certificates.

In EAA, while configuring the directory, you provide the domain name for the Host:

Let's assume each domain controller has its own domain controller certificate. The domain name provided in the Host field does not appear in either domain controller certificate.

Domain Controller1’s server certificate has a CN and does not have a SAN:

Domain Controller2’s server certificate has a CN and does not have a SAN:

You can use Host Aliases to configure the host names that match the server identity. Since the SAN is absent, you provide the CN values of the two domain controllers:

The CN values of the certificates of both domain controllers (DC1 and DC2) are provided in the Host Aliases field as comma-separated values. Since there is no SAN, whichever domain controller EAA reaches is considered a host match and the origin server is validated.

Alternatively, if you don't configure Host Aliases, the EAA connector does a DNS lookup on the Host value; if the lookup returns one or more CNAMEs, the EAA connector uses them for the host match.

Note: The EAA connector also supports wildcard matching for the hostname validation.
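The matching rules described above (SAN DNS names take priority and exclude the CN, Host Aliases are comma-separated, CNAMEs are used only when no aliases are configured, and wildcards are honoured) can be modelled as a small checker. This is an added example written for this page, not EAA's own code: the function names, the one-label wildcard semantics, and the `dc1`/`dc2`/`ldap` host names are assumptions, and the CNAME list is passed in rather than resolved so the code runs offline.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against one configured name.

    Assumption: a wildcard covers exactly one leftmost label, as in
    RFC 6125, so '*.mycompany.com' matches 'dc1.mycompany.com' but not
    'a.b.mycompany.com' or 'mycompany.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".mycompany.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part the '*' must cover
    return bool(left) and "." not in left


def eaa_host_match(cert_san_dns, cert_cn, host, host_aliases="", resolved_cnames=()):
    """Return (matched, certificate_name) following the page's rules.

    cert_san_dns    -- DNS-type SAN entries from the server certificate
    cert_cn         -- CN from the certificate Subject (ignored if SAN DNS present)
    host            -- the Host field of the directory configuration
    host_aliases    -- the Host Aliases field, comma-separated
    resolved_cnames -- CNAMEs of Host, used only when no aliases are set
    """
    # Rule 1: if any DNS SAN exists, only the SAN entries count; otherwise the CN.
    cert_names = list(cert_san_dns) if cert_san_dns else ([cert_cn] if cert_cn else [])
    # Rule 2: candidates are Host plus Host Aliases; with no aliases, fall back to CNAMEs.
    candidates = [host.strip()]
    aliases = [a.strip() for a in host_aliases.split(",") if a.strip()]
    candidates += aliases if aliases else [c.strip() for c in resolved_cnames]
    for cand in candidates:
        for name in cert_names:
            if hostname_matches(name, cand):
                return True, name
    return False, None


if __name__ == "__main__":
    # Constructed values mirroring the three use cases on the page.
    print(eaa_host_match(["mydirectory.mycompany.com"], "dc1.mycompany.com", "mydirectory.mycompany.com"))
    print(eaa_host_match([], "dc1.mycompany.com", "10.0.0.5", "dc1.mycompany.com"))
    print(eaa_host_match([], "dc2.mycompany.com", "mydirectory.mycompany.com",
                         "dc1.mycompany.com, dc2.mycompany.com"))
```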