A_dhanda
Staff
June 24, 2022

Technical Tip: Configure LDAPS with certificate signed by Trusted Certificate Authority

Description

This article describes how to configure LDAPS on the FortiGate when the LDAP server presents a certificate signed by a trusted third-party Certificate Authority.

Scope

All FortiOS platforms.

Solution

To implement LDAPS (Secure LDAP over SSL) with the LDAP server, when the LDAP server uses a certificate signed by a trusted third-party Certificate Authority, there is no need to import that CA's certificate into the FortiGate.


The FortiGate already ships with the root certificates of trusted CAs, which can be selected in the Certificate field of the LDAP server settings.


In this scenario, GoDaddy is the Certificate Authority and the LDAP server uses a certificate signed by this CA; the GoDaddy root CA certificate is already available under:


Go to User & Device -> LDAP -> Edit LDAP server -> Enable Secure Connection -> Protocol: LDAPS -> Certificate -> Go_Daddy_Root_Certificate_authority.


Once selected, test the connectivity using TEST CONNECTIVITY, which should report success as shown below:


[Screenshot LDAPS.PNG: successful LDAPS Test Connectivity result]

Note:
The FortiGate/FortiProxy LDAPS configuration currently supports selecting only one CA certificate for trust validation, so any change to the domain controller's certificate chain (for example, a renewal under a different root CA) must be matched by updating the FortiGate/FortiProxy configuration.
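The same setup from the FortiOS CLI, added here as an illustration and not taken from the article: the server name, address, bind DN and passwords are placeholders, lines beginning with # are annotations rather than CLI input, and the option names should be checked against the CLI reference of the FortiOS version in use.

```text
# Assumed placeholder values: LDAP_SERVER_NAME, dc01.example.com, the bind DN and passwords.
config user ldap
    edit "LDAP_SERVER_NAME"
        # Use the DNS name that appears on the domain controller certificate, not an IP address,
        # so that certificate name validation can succeed.
        set server "dc01.example.com"
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=com"
        set password "BIND_PASSWORD"
        # LDAP over SSL/TLS on port 636 (not STARTTLS on 389).
        set secure ldaps
        # Built-in trusted root selected for validation; nothing is imported.
        set ca-cert "Go_Daddy_Root_Certificate_authority"
        # Also check that the certificate's name matches the configured server name.
        set server-identity-check enable
    next
end

# CLI counterpart of the GUI TEST CONNECTIVITY button: binds and authenticates a test user.
diagnose test authserver ldap "LDAP_SERVER_NAME" testuser "USER_PASSWORD"
```

If the diagnose command fails after a domain controller certificate renewal, confirm that the new certificate still chains to the single CA selected in ca-cert before changing anything else.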



zyzz
Staff
June 27, 2022


perfect