Get Windows AD DC with SHA1 signed cert to accept LDAP (StartTLS) connections from OpenSSL 3 clients


Trying to get Windows Active Directory DC (with SHA1 signed certificate) to accept LDAP (StartTLS) connections from WordPress Server using Next Active Directory Integration plugin. WordPress is running on PHP 8.2.4 and OpenSSL 3.0.8, which by default no longer allows use of certificates signed using SHA1. Want to know if Windows AD LDAP can be configured with multiple/fallback certificates to make this work without changing LDAP client configuration.


While I don't believe you can force Windows to fall back to a lower standard certificate - that sounds like the seed of yet another vulnerability - you could instead have multiple DCs with different certs on each to allow for your scenario.

Presumably, you're using a SHA1 certificate because you have some legacy application which can't work with modern hash algorithms?

Assuming that the application which only accepts SHA1 hash algorithms is a minority:

  1. create a SHA1 self-signed certificate for use between this old application and one or two DCs; then
  2. upgrade your PKI to SHA256, which can be used for the rest of your estate, including your WordPress site.

Alternatively, if the SHA1 only applications are a majority:

  1. create a SHA256 self-signed certificate for a new DC (or two) which is accessed by the WordPress server; then
  2. find a mirror and have a stern word with yourself about the risks of using SHA1 ;-)


Active Directory cannot be configured to use multiple certificates. You need to replace the SHA1-signed certificate with a SHA256-signed certificate. Or configure WordPress/OpenSSL 3.0.1 or higher components to work with SHA1-signed certificates.

SHA1 was deprecated over 10 years ago. It's easier to be proactive about these things than to be compelled from one upgrade to another.
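Before re-issuing anything, it helps to know which DC certificates an OpenSSL 3 client will actually refuse. The script below is an added example, not code from the question, the answers, or the Next Active Directory Integration plugin: it reads a certificate (PEM or DER) with only the Python standard library, pulls the `signatureAlgorithm` OID out of the outer `Certificate` SEQUENCE, and reports whether OpenSSL 3 accepts that signature hash at its default security level (SHA-1 and MD5 signatures are rejected at level 1 and above). The OIDs are the standard ones from the PKCS #1 and ANSI X9.62 arcs; the certificates it runs on are constructed shells with filler `tbsCertificate` bytes, not real DC certificates, and the hostname in the comment is a placeholder.

```python
"""Report the signature hash of an X.509 certificate with the Python stdlib only.

Added example. To run it against a real DC, export the certificate first, e.g.
  openssl s_client -connect dc01.example.invalid:389 -starttls ldap -showcerts
(placeholder host) and feed the PEM block to signature_algorithm().
"""
import base64
import re

# OID -> (algorithm name, accepted by OpenSSL 3 at default security level 1)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", True),
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into a dotted string (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert):
    """Return (oid, name, ok_for_openssl3) for a PEM string or DER bytes certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    _, _, pos = _read_tlv(cert_body, 0)     # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert_body, pos)
    assert tag == 0x30, "expected AlgorithmIdentifier SEQUENCE"
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(oid_raw)
    name, ok = SIG_ALG_OIDS.get(oid, ("unknown", False))
    return oid, name, ok


# --- constructed test data (not real certificates) -------------------------

def _der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Structurally valid Certificate shell: 300 filler bytes stand in for
    tbsCertificate (so long-form lengths are exercised), then the AlgorithmIdentifier
    under test, then a dummy BIT STRING signature. Constructed data, not a real cert."""
    tbs = _der(0x30, b"\x00" * 300)
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" * 33)                                     # unused bits = 0
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        _, name, ok = signature_algorithm(der_to_pem(constructed_cert(oid)))
        print(f"{name:28s} {'accepted' if ok else 'REJECTED by OpenSSL 3 default seclevel'}")
```

A `REJECTED` line for the DC's leaf or issuing CA certificate is the condition behind the failing StartTLS handshake. OpenSSL 3 ties this to its security level, so any client-side workaround amounts to running the PHP/OpenSSL process at a lowered level, which is why both answers above point at re-issuing the DC certificate (and the chain above it) with SHA-256 instead.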
