Following the Hello messages, the server sends its certificate in a certificate message if it is to be authenticated. If required, a ServerKeyExchange message may also be sent. See RFC 5246, section 7.3, for more information about the authentication behavior on the LDAP server.
The trust-anchor-profile command determines whether the server must be authenticated by the client.
config>system>security>tls
client-tls-profile ldap create
[no] trust-anchor-profileOne of the following two configurations can be used to establish server connectivity:
If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.
If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication. The RSA key of the certificate is used for public key encryption, requiring basic certificate checks to validate the certificate. These basic checks are as follows:
time validity
The certificate is checked to ensure that it is neither expired nor not yet valid.
certificate type
The certificate is not a CA certificate.
keyUsage extension
If present, this must contain a digital signature and key encryption.
host verification
The IP address or DNS name of the server is looked up, if available (for LDAP, only the IP address is used), in the common name (cn) or subjectAltName extension. This is to verify that the certificate was issued to that server and not to another.