Certificate Types & Requirements for Laserfiche Directory Server

To support user authentication and secure communication between Laserfiche Directory Server and its clients, every certificate involved should meet the following requirements:

  • Valid (within its validity period) certificate with a SHA-256 signature, issued by a certificate authority (CA) that the participating machines trust.
  • Issue each certificate to the internal and, if applicable, external Fully Qualified Domain Name (FQDN) of the machine, listing each name in the Subject Alternative Name (SAN) extension.

Additional Requirements:

  1. The certificate bound to port 443 in Internet Information Services (IIS): This is the HTTPS TLS certificate that is used by the browser to secure communication between the browser and IIS.
    • Enhanced Key Usage (EKU) includes the Server Authentication and Client Authentication purposes.
    • The certificate and its private key are in the Local Computer Personal (My) store.
    • The machine trusts its own server certificate (or the CA that issued it).
  2. The certificate bound to port 5049 in XMLEndpointUtility: This certificate is used to secure communication between Laserfiche Directory Server and Laserfiche applications using HTTPS (including STS).
    • Enhanced Key Usage (EKU) includes the Server Authentication and Client Authentication purposes.
    • The certificate and its private key are in the Laserfiche Directory Server machine's Local Computer Personal (My) store.
    • The Laserfiche Directory Server machine trusts its own server certificate (or the CA that issued it).
  3. The server certificate used for alternate service on the Laserfiche Directory Server Machine: This certificate is used to secure Windows Communication Foundation (WCF) communication between end applications and Laserfiche Directory Server when using alternate service (certificate authentication).
    • Enhanced Key Usage (EKU) includes the Server Authentication and Client Authentication purposes.
    • The Laserfiche Directory Server machine trusts its own server certificate as well as the client alternate service certificate from each application machine (or the CA(s) that issued them).
    • The machine holds the private key for its certificate, and the Laserfiche Directory Server service user has been granted read rights on that key.
    • The server certificate must be issued to the true FQDN of the Laserfiche Directory Server machine, and that same FQDN must be set as the hostname in the Directory Server's endpoint configuration utility, XmlEndpointUtility.exe. The clients must also be pointed at this true FQDN; a mismatch between the name the client connects to and the name in the certificate fails validation.
  4. The client certificates used for alternate service on the application machines: These certificates are used to secure Windows Communication Foundation (WCF) communication between end applications and Laserfiche Directory Server when using alternate service (certificate authentication).
    • Enhanced Key Usage (EKU) includes the Client Authentication purpose.
    • Each application machine trusts its own client certificate as well as the Laserfiche Directory Server alternate service server certificate (or the CA that issued it).
    • Each application machine holds the private key for its certificate, and the IIS application pool identity (or identities) has been granted read rights on that key.
    • The client certificate can be issued to any subject; the only requirement is that the server trusts the certificate. For example, a subject of "CN=placeholder" is valid on a client machine.
  5. The certificate used by the Laserfiche SCIM Service for communication with Laserfiche Directory Server: This certificate is used to secure communication between the Laserfiche SCIM Service and Laserfiche Directory Server.
    • Enhanced Key Usage (EKU) includes the Client Authentication purpose.
    • The SCIM Service holds the private key for its certificate.
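The following PowerShell is an added example written for this page; it is not Laserfiche tooling and does not ship with Directory Server. It checks one certificate in the Local Computer Personal store against the requirements above (SHA-256 signature, validity period, FQDN in the SAN, required EKU purposes, private key present, chain trusted by this machine) and grants a service or application pool identity read access to the private key file, which is what items 3 and 4 call for. Assumptions not taken from the page: the Server Authentication and Client Authentication purposes are the standard EKU OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2, machine key files live under %ProgramData%\Microsoft\Crypto (CNG keys under Keys, legacy CAPI keys under RSA\MachineKeys), and the thumbprints, hostnames and account names in the usage lines are placeholders.

```powershell
# Added example (not Laserfiche's own tooling). Assumptions, not from the page:
# serverAuth/clientAuth EKU OIDs are 1.3.6.1.5.5.7.3.1 / 1.3.6.1.5.5.7.3.2, and
# machine key files live under %ProgramData%\Microsoft\Crypto\{Keys,RSA\MachineKeys}.

function Test-LfCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # FQDN expected in the SAN. Omit for alternate service client certificates
        # (item 4), whose subject can be any value.
        [string]$Fqdn,
        # Default covers items 1-3; pass only clientAuth for items 4 and 5.
        [string[]]$RequiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'),
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-Item (Join-Path $StorePath $Thumbprint) -ErrorAction Stop
    $r = [ordered]@{ Thumbprint = $Thumbprint; Subject = $cert.Subject }

    # Signature algorithm must be SHA-256 based (e.g. sha256RSA), not SHA-1
    $r.Sha256Signature = $cert.SignatureAlgorithm.FriendlyName -match 'sha256'

    $now = Get-Date
    $r.WithinValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # SAN (OID 2.5.29.17) must list the FQDN; Format($false) renders "DNS Name=host, ..."
    if ($Fqdn) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $r.SanHasFqdn = ($null -ne $san) -and
            ($san.Format($false) -match "DNS Name=$([regex]::Escape($Fqdn))(,|$)")
    } else {
        $r.SanHasFqdn = 'n/a'
    }

    # Enhanced Key Usage (OID 2.5.29.37) must contain every required purpose
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $present = @()
    if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r.EkuPresent = @($RequiredEku | Where-Object { $present -notcontains $_ }).Count -eq 0

    # The private key, not just the public certificate, must be in this store
    $r.HasPrivateKey = $cert.HasPrivateKey

    # This machine must trust the certificate or its issuing CA. Revocation is
    # skipped so the check runs offline; verify CRL/OCSP reachability separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r.ChainTrusted = $chain.Build($cert)
    $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]$r
}

function Get-LfPrivateKeyPath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                # CNG key file name
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI container
    } else {
        return $null                                              # no RSA private key here
    }
    # Assumed locations of machine key files (see lead-in)
    foreach ($dir in @('Keys', 'RSA\MachineKeys')) {
        $path = Join-Path "$env:ProgramData\Microsoft\Crypto\$dir" $name
        if (Test-Path $path) { return $path }
    }
    return $null
}

function Grant-LfPrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # e.g. 'IIS AppPool\<pool name>' for item 4, 'DOMAIN\<service user>' for item 3
        [Parameter(Mandatory)][string]$Account
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $path = Get-LfPrivateKeyPath -Cert $cert
    if (-not $path) { throw "Private key file for $Thumbprint not found; is the key in the LocalMachine store?" }
    # Read (R) is all the service or app pool identity needs; do not grant Full Control
    & icacls $path /grant "${Account}:R"
}

# Usage (placeholder thumbprints, hostnames and identities):
# Test-LfCertificate -Thumbprint '<thumbprint>' -Fqdn 'lfds.corp.example.com' | Format-List
# Test-LfCertificate -Thumbprint '<thumbprint>' -RequiredEku '1.3.6.1.5.5.7.3.2'   # client cert, items 4 and 5
# Grant-LfPrivateKeyRead -Thumbprint '<thumbprint>' -Account 'IIS AppPool\DefaultAppPool'
```

Run the check in an elevated PowerShell session on each machine, once per certificate in the list above, and treat any False in the output as a configuration gap to fix before testing the connection. For the server side of item 3, also run it with -StorePath pointing at the store where the application machines' client certificates (or their CA) were imported, since the server must trust those as well as its own certificate.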