The Rublon Authentication Proxy serves as a bridge between your Rublon-integrated services and the Rublon Multi-Factor Authentication (MFA) platform. To ensure secure LDAPS communication, the Auth Proxy uses SSL/TLS certificates for encrypting data and verifying identities. This guide explains how to set up certificates in the Rublon Authentication Proxy configuration file for LDAPS, offers best practices, and clarifies common questions regarding certificate usage.
Understanding Certificates in the Rublon Authentication Proxy
Rublon Authentication Proxy uses certificates in two main contexts:
For LDAP over SSL/TLS (LDAPS) Connections: When Rublon Authentication Proxy connects to your LDAP/Active Directory (AD) server over LDAPS, it needs to trust the LDAP server's certificate.
For Clients Connecting to Rublon Authentication Proxy: Applications (e.g., VPNs) that connect to the Rublon Authentication Proxy need to trust the Auth Proxy’s certificate when using secure protocols like LDAPS.
Understanding Trust Relationships
Clients Trusting Rublon Authentication Proxy's Certificate:
Applications (e.g., VPNs, firewalls) that connect to the Rublon Authentication Proxy must trust the certificate presented by the Rublon Authentication Proxy.
If using a self-signed certificate for Rublon Authentication Proxy, you will need to add this certificate to the trusted store of each application.
Rublon Authentication Proxy Trusting LDAP/AD Server's Certificate:
Rublon Authentication Proxy must trust the LDAP/AD server's certificate when connecting over LDAPS.
By default, Rublon Authentication Proxy will accept any certificate from the LDAP server. By placing the LDAP server's certificate in the directory specified by ca_certs_dir_path, you can narrow down the servers with which the Rublon Authentication Proxy can establish a trusted connection.
Example Scenario
Certificate 1 (Rublon Authentication Proxy Certificate):
This is a certificate associated with the Rublon Authentication Proxy.
Integrated applications trust this certificate by adding it to their trusted certificates store.
The cert_path parameter in the Auth Proxy configuration file specifies the path to this certificate.
We recommend that the certificate be issued by a CA trusted by the client applications (e.g., VPNs, firewalls). This CA does not necessarily have to be the LDAP server's CA. Using a certificate from a trusted internal CA or a well-known external CA can simplify the trust relationship for clients connecting to Rublon Authentication Proxy.
Certificate 2 (LDAP Server Certificate):
This is a certificate associated with the LDAP server.
This certificate is placed in the directory specified by ca_certs_dir_path in Auth Proxy’s configuration file. When connecting securely over LDAPS, this tells the Auth Proxy that this is a trusted certificate.
We recommend that this certificate be generated by the Certificate Authority (CA) of the LDAP server. However, this is not required and a self-signed certificate may suffice in some use cases.
Certificate Parameters in the Rublon Auth Proxy Configuration File
In the config.yaml file of Rublon Authentication Proxy, you will find the following certificate-related parameters:
In the proxy_servers section:
cert_path: The path to the SSL/TLS certificate file that Rublon Authentication Proxy presents to clients.
pkey_path: The path to the private key file associated with the cert_path certificate.
pkey_password: The password for the private key file. If the key is not protected, you can remove this field.
In the auth_sources section:
ca_certs_dir_path: The directory path where the certificates that the Auth Proxy trusts when connecting to LDAP/Active Directory servers over LDAPS are stored.
Setting Up Rublon Authentication Proxy Certificate
Using an Existing Certificate
If you already have a certificate (e.g., issued by your organization's CA or a private certificate), you can use it with Rublon Authentication Proxy.
Ensure Compatibility: The certificate should be in PEM format (.crt, .pem).
Private Key: You must have access to the associated private key.
Configuration: Update the cert_path, pkey_path, and pkey_password in the Rublon Authentication Proxy configuration file accordingly.
Generating a Self-Signed Certificate for Rublon Authentication Proxy
You can use a self-signed certificate for the Rublon Authentication Proxy. This certificate will be used to secure communications between the Rublon Authentication Proxy and the applications that connect to it.
Steps to Generate a Self-Signed Certificate Using OpenSSL:
1. Generate a Private Key:
openssl genpkey -algorithm RSA -out private.key -aes256
- This command generates a private key encrypted with AES-256.
- You'll be prompted to set a password for the private key.
2. Generate a Certificate Signing Request (CSR):
openssl req -new -key private.key -out request.csr
- You will be asked to provide details like Country, State, Organization, Common Name, etc.
3. Generate a Self-Signed Certificate:
openssl x509 -req -in request.csr -signkey private.key -out certificate.crt
- This creates a self-signed certificate valid for a default period (usually 30 days). You can add -days 365 to increase validity.
4. Update the Rublon Authentication Proxy Configuration File:
proxy_servers:
- name: LDAP-Proxy
type: LDAP
ip: 192.0.2.1
port: 636
auth_source: LDAP_SOURCE_1
auth_method: email
cert_path: /path/to/certificate.crt
pkey_path: /path/to/private.key
pkey_password: YOUR_PRIVATE_KEY_PASSWORD- Replace the paths with the actual locations of your certificate and private key.
- If your private key is not password-protected, you can remove the pkey_password field.
Setting up LDAP/AD Server Certificate for Auth Proxy
When the Rublon Authentication Proxy connects to your LDAP/AD server over LDAPS, it needs to trust the server's SSL/TLS certificate. Here's how to set it up for Auth Proxy:
1. Export the LDAP server's certificate. If it is a self-signed certificate or issued by an internal CA, you will need to export it manually.
2. Create a directory to store trusted CA certificates if it does not exist and copy the LDAP server's certificate into this directory.
3. Update the Rublon Authentication Proxy configuration with the path to the certificate:
auth_sources:
- name: LDAP_SOURCE_1
type: LDAP
ip: 192.0.2.1
port: 636
transport_type: plain
search_dn:
access_user_dn:
access_user_password:
ca_certs_dir_path: /path/to/ca_certsSet the ca_certs_dir_path to the directory containing the LDAP server's certificate.
Rublon Authentication Proxy Certificates Best Practices
Use Strong Encryption: When generating keys and certificates, use strong algorithms like RSA with at least 2048-bit keys.
Secure Private Keys: Protect your private keys with strong passwords and secure file permissions.
Certificate Validity: Set an appropriate validity period for your certificates and have a process to renew them before expiration.
Trust Chains: Ensure that any intermediate certificates are included if your certificates are issued by a CA.
Consistent Naming: Use consistent and descriptive filenames for certificates and keys to avoid confusion.
Permissions: Set proper file permissions on the certificate and key files so that only the necessary services and administrators have access.
Backup Certificates and Keys: Keep secure backups of your certificates and keys in case of server failure or data loss.
Frequently Asked Questions
Do the certificates need to be issued by a trusted Certificate Authority (CA)?
No, the certificates can be self-signed. However, you need to ensure that any applications connecting to Rublon Authentication Proxy trust this certificate by adding it to their trusted certificate store. You must also ensure the paths to certificates are properly added in the Rublon Auth Proxy config file as per instructions in this guide.
Can I use a certificate issued by my LDAP/AD server's CA?
Yes, you can use a certificate issued by your LDAP/AD server's CA for Rublon Authentication Proxy. Ensure that the clients connecting to the Rublon Authentication Proxy trust this certificate.
What is the difference between cert_path and ca_certs_dir_path?
cert_path: Specifies the certificate file that Rublon Authentication Proxy presents to integrated applications connecting to it.
ca_certs_dir_path: Specifies the directory containing certificates that Rublon Authentication Proxy trusts when connecting to external services like LDAP/AD servers over LDAPS.
How do I ensure Rublon Authentication Proxy trusts my LDAP/AD server's certificate?
By default, all certificates are accepted (including self-signed ones). If you wish to restrict the servers acceptable by the Auth Proxy, place one or more LDAP/AD server's certificates in the directory specified by ca_certs_dir_path. This allows the Rublon Authentication Proxy to trust and establish a secure connection only with those LDAP/AD servers and deny all other servers.
Helpful Links
Rublon Authentication Proxy - Documentation
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article