Export the active directory server's root CERTIFICATE

Export the Active Directory server's root CERTIFICATE to enable secure connection to the Cloud-Delivered Firewall Management Center for obtaining user identity information and authentication purposes.

The task that follows discusses how to export the Active Directory server's root CERTIFICATE, which is required to connect securely to the Cloud-Delivered Firewall Management Center to obtain user identity information.

These tasks apply to Microsoft Active Directory only. If you use LDAP, consult an appropriate reference for the procedure.

Before you begin

You must know the name of your Active Directory server's root CERTIFICATE. The root CERTIFICATE might have the same name as the domain or the CERTIFICATE might have a different name. The procedure that follows shows one way you can find the name; there could be other ways, however.

Follow these steps to export the Active Directory server's root certificate:

Procedure

Step 1

Find the name of the Active Directory Server's root CERTIFICATE using the Microsoft Management Console.

This is one way to find the name of the Active Directory Server's root CERTIFICATE; consult Microsoft documentation for more information:

  1. Log in to the Active Directory server as a user with privileges to run the Microsoft Management Console.

  2. Click Start and enter mmc .

  3. Click File > Add/Remove Snap-in

  4. From the Available Snap-ins list in the left pane, click Certificates (local).

  5. Click Add.

  6. At the Certificates snap-in dialog box, click Computer Account and click Next.

  7. At the Select Computer dialog box, click Local Computer and click Finish.

  8. Windows Server 2012 only. Repeat the preceding steps to add the Certification Authority snap-in.

  9. Click Console Root > Trusted Certification Authorities > Certificates.

    The server's trusted certificates are displayed in the right pane. The following figure is only an example for Windows Server 2012; yours will probably look different.

    Finding the Active Directory's root CERTIFICATE under Trusted Root CERTIFICATE Authorities.

Step 2

Export the CERTIFICATE using the certutil command.

This is only one way to export the CERTIFICATE. It's a convenient way to export the CERTIFICATE, especially if you can run a web browser and connect to the Cloud-Delivered Firewall Management Center from the Active Directory server.

  1. Click Start and enter cmd .

  2. Enter the command certutil -CA.cert CERTIFICATE-name .

    The server's CERTIFICATE is displayed on the screen.

  3. Copy the entire CERTIFICATE to the clipboard, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- (including those strings).

What to do next

Import the Active Directory server's CERTIFICATE into the Cloud-Delivered Firewall Management Center as a Trusted CA CERTIFICATE as discussed in Adding a Trusted CA Object.