First time posting here, be gentle.
Situation: I have a requirement, to link our printer/scanner to our Azure AD (so that it can lookup users etc.). I have enabled Azure AD Domain Services with LDAP enabled, and this works. I have tested the LDAP lookup by creating a certificate with the x509 extensions per the Azure documentation, installed the certificate for LDAP in AADDS and on my laptop, and can successfully search the domain. Without the certificate, it’s not working -so security wise it seems okay this far.
Azure AD DS says:
Upload a .PFX file containing the certificate to be used for secure LDAP access to this managed domain
The requirements for Azure AD DS LDAP certificate is here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/configure-ldaps:
Requirements for the secure LDAP certificate Acquire a valid certificate per the following guidelines, before you enable secure LDAP. You encounter failures if you try to enable secure LDAP for your managed domain with an invalid/incorrect certificate. Trusted issuer - The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public certification authority (CA) or an Enterprise CA trusted by these computers. Lifetime - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires. Subject name - The subject name on the certificate must be your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be 'contoso100.com'. Set the DNS name (subject alternate name) to a wildcard name for your managed domain. Key usage - The certificate must be configured for the following uses - Digital signatures and key encipherment. Certificate purpose - The certificate must be valid for SSL server authentication.
with an example on how to create it.
$ lifetime=Get-Date New-SelfSignedCertificate -Subject contoso100.com ` -NotAfter $ lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment ` -Type SSLServerAuthentication -DnsName *.contoso100.com, contoso100.com
The printer is HP PageWide Pro 477dw MFP. I have been unable to find any real guides related to this printer and certificates/LDAP. The settings for the printer certificate says:
The file format must be PEM/Base64 encoded (.pem, .cer, .der).
Complication: The printer requires a RFC 5280 compliant certificate. I can create an RFC 5280 compliant certificate, but when I do it with the extensions required by ADDS LDAP, the printer does not validate it as RFC 5280 compliant. If I create a certificate without extensions, the printer can validate the certificate just fine, but then ADDS wont validate it.
Where do I go from here?