Certificate Requirements for Laserfiche Directory Server

March 4, 2020 | KB: 1014132
Directory Server 10.4

Summary

Several certificates secure communication and support user authentication between clients (browsers and Laserfiche applications) and Laserfiche Directory Server. This article lists what each of those certificates must contain and where it must be installed.

Certificate Types & Requirements

All certificates used to secure communication and authenticate users between Laserfiche Directory Server and its clients should meet the following requirements:

  • Valid (unexpired) certificate signed with SHA-256 and issued by a certificate authority (CA) that the machines involved trust.
  • Issued to the internal and, if applicable, external Fully Qualified Domain Name (FQDN) of the machine, with each FQDN listed as a Subject Alternative Name (SAN) entry. A name that appears only in the Subject Common Name is not sufficient.

Additional Requirements:

  1. The certificate bound to port 443 in Internet Information Services (IIS): This is the HTTPS (SSL/TLS) server certificate that secures communication between the browser and IIS.
    • Enhanced Key Usage (EKU) includes both Server Authentication and Client Authentication. (These are EKU purposes, not entries in the separate Key Usage extension.)
    • The certificate, together with its private key, is in the Local Computer Personal store.
    • The machine trusts its own server certificate (or the CA that issued it).
  2. The certificate bound to port 5049 in XMLEndpointUtility: This certificate secures HTTPS communication between Laserfiche Directory Server and Laserfiche applications, including the Security Token Service (STS).
    • Enhanced Key Usage (EKU) includes both Server Authentication and Client Authentication.
    • The certificate, together with its private key, is in the Local Computer Personal store on the Laserfiche Directory Server machine.
    • The Laserfiche Directory Server machine trusts its own server certificate (or the CA that issued it).
  3. The server certificate used for alternate service on the Laserfiche Directory Server machine: This certificate secures Windows Communication Foundation (WCF) communication between end applications and Laserfiche Directory Server when alternate service (certificate authentication) is used.
    • Enhanced Key Usage (EKU) includes both Server Authentication and Client Authentication.
    • The Laserfiche Directory Server machine trusts its own server certificate as well as the alternate service client certificate from each application machine (or the CA(s) that issued them).
    • The machine holds the private key for its certificate, and the Directory Server service account has been granted Read access to that private key.
  4. The client certificates used for alternate service on the application machines: These certificates secure Windows Communication Foundation (WCF) communication between end applications and Laserfiche Directory Server when alternate service (certificate authentication) is used.
    • Enhanced Key Usage (EKU) includes Client Authentication.
    • Each application machine trusts its own client certificate as well as the Laserfiche Directory Server alternate service server certificate (or the CA that issued it).
    • Each application machine holds the private key for its certificate, and the IIS application pool identity (or identities) that runs the application has been granted Read access to that private key.
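The following PowerShell is an added example and is not part of this article or of Laserfiche's own tooling. It audits a certificate in the Local Computer Personal store against the general requirements (SHA-256 signature, validity, SAN entries) and the per-certificate requirements above (EKU, private key present, trusted chain, Read access on the private key for a service or application pool identity), and can grant the missing Read right. The thumbprints, FQDNs and account names are placeholders; the private key file locations under %ProgramData%\Microsoft\Crypto are an assumption that holds for keys stored by the Microsoft software key storage providers (CNG and legacy CAPI). Run it elevated on the machine that holds the certificate.

```powershell
# Added example (not Laserfiche code). Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CNG keys expose Key.UniqueName; legacy CAPI keys expose CspKeyContainerInfo.UniqueKeyContainerName.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { return $null }                      # non-RSA key or no private key
    $name = $null
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    if (-not $name) { return $null }
    # Assumed machine-key directories for the Microsoft software providers (CNG first, then CAPI).
    foreach ($dir in @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")) {
        $path = Join-Path $dir $name
        if (Test-Path $path) { return $path }
    }
    return $null
}

function Test-LfdsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$DnsNames,   # internal and (if used) external FQDNs the cert must cover
        [string]$ReadAccount,                        # service account or 'IIS AppPool\<name>' that needs Read on the key
        [switch]$ServerAuth,                         # require the Server Authentication EKU
        [switch]$ClientAuth                          # require the Client Authentication EKU
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $r = [ordered]@{}
    $now = Get-Date
    $r['ValidityPeriod']   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    $r['SignatureSHA256']  = ($cert.SignatureAlgorithm.FriendlyName -match '^sha256')
    $r['PrivateKeyPresent'] = $cert.HasPrivateKey

    # SAN (OID 2.5.29.17): every required FQDN must appear as a "DNS Name=" entry; the Subject CN alone does not count.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($n in $DnsNames) {
        $r["SAN:$n"] = [bool]($sanText -match "DNS Name=$([regex]::Escape($n))(,|$)")
    }

    # EKU: Server Authentication = 1.3.6.1.5.5.7.3.1, Client Authentication = 1.3.6.1.5.5.7.3.2.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ServerAuth) { $r['EKU:ServerAuth'] = ($oids -contains '1.3.6.1.5.5.7.3.1') }
    if ($ClientAuth) { $r['EKU:ClientAuth'] = ($oids -contains '1.3.6.1.5.5.7.3.2') }

    # Trust: the chain must build to a root this machine trusts. Revocation is skipped here so an
    # unreachable CRL does not mask a trust problem; check revocation separately if your CA publishes one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r['ChainTrusted'] = $chain.Build($cert)
    if (-not $r['ChainTrusted']) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
    }

    # Private key ACL: the identity that runs the service / app pool needs an Allow rule covering Read.
    if ($ReadAccount -and $cert.HasPrivateKey) {
        $key = "PrivateKeyReadable:$ReadAccount"
        $r[$key] = $false
        $keyFile = Get-PrivateKeyFile $cert
        if ($keyFile) {
            $readMask = [System.Security.AccessControl.FileSystemRights]::Read
            $r[$key] = [bool]((Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -eq $ReadAccount -and     # -eq is case-insensitive ('IIS APPPOOL\x' matches)
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $readMask) -eq $readMask)
            })
        }
    }
    $r.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } }
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$Account)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $keyFile = Get-PrivateKeyFile $cert
    if (-not $keyFile) { throw "Private key file for $Thumbprint not found (no key, or a non-software provider)" }
    $acl = Get-Acl $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl          # requires elevation
}

# Placeholder thumbprints, names and accounts; replace with your own.
$serverThumb = '0123456789ABCDEF0123456789ABCDEF01234567'
$clientThumb = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Items 1-3: a server certificate on the Directory Server machine needs both EKUs, the internal and
# external FQDN, and Read for the Directory Server service account. Show only failing checks.
Test-LfdsCertificate -Thumbprint $serverThumb -DnsNames 'lfds.corp.example.com', 'lfds.example.com' `
    -ServerAuth -ClientAuth -ReadAccount 'CORP\svc-lfds' | Where-Object { -not $_.Pass }

# Item 4: an application machine's alternate service client certificate needs Client Authentication
# and Read for the IIS application pool identity.
Test-LfdsCertificate -Thumbprint $clientThumb -DnsNames 'webapp.corp.example.com' `
    -ClientAuth -ReadAccount 'IIS AppPool\LaserficheWebAccess' | Where-Object { -not $_.Pass }

# If the ACL check failed, grant the missing right and re-run the test.
# Grant-PrivateKeyRead -Thumbprint $clientThumb -Account 'IIS AppPool\LaserficheWebAccess'
```

To confirm which certificate is actually bound to port 443 (the first requirement above), compare the thumbprint you audited with the certificate hash reported by `netsh http show sslcert ipport=0.0.0.0:443`, which lists the HTTP.sys binding IIS uses. A chain failure reported by the script on a Directory Server or application machine means that machine, not the CA, is missing the issuing or root certificate in its Local Computer trust stores, which is the trust condition each item above calls for.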

Note: To learn more about Directory Server and Security Token Service (STS) configuration, navigate to the Initial Configuration page.

Note: To learn more about single sign on, navigate to Configuring Single Sign-On for Laserfiche Web Products.