It sounds like you may have specified the wrong certificate for the incoming LDAP connection.
In this configuration it’s important to understand when the Duo Authentication proxy is acting as an LDAP server and when it is acting as an LDAP client. It’s a server to CyberArk, and a client to AD.
The certificate you specify in [ldap_server_auto] should be distinct from the one used by your AD server. The certificate is used only for the incoming LDAP connection from the downstream service (CyberArk, in this case). You need to use a certificate and key pair issued to your Duo Authentication Proxy, with the Duo proxy server hostname as the subject or subject alternate name. If your Duo Proxy’s hostname is duo.example.com and your DC is dc.example.com, and you are using a cert issued to dc.example.com for the Duo Proxy as LDAP server, and CyberArk is trying to match the cert’s hostname to the server’s, then the connection will fail (as you saw).
If you want the Duo Authentication Proxy server to contact your AD server using LDAPS, then you would add the DC’s certificate in the
Finally, make sure that the KEY file doesn’t require a password! If you are issuing the cert from a Windows CA you’ll need to split the PFX and also use openssl or an online tool like SSL Shopper to remove the password.
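As an added example (not from the original post or from Duo), here is a small POSIX shell script that checks a cert/key pair against the three points above before it is referenced from [ldap_server_auto]: the proxy hostname is in the SAN (or subject CN), the key has no passphrase, and the key actually belongs to the cert. The hostnames duo.example.com and dc.example.com and the self-signed test certs are constructed for the demonstration; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the cert/key pair
# before pointing [ldap_server_auto] at it. Hostnames are constructed values.

cert_matches_host() {  # $1 = PEM cert, $2 = hostname the LDAP client expects
  # SAN entries are printed on the line after the header, comma separated
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ', ' '\n\n' | grep -qx "DNS:$2" && return 0
  # Fallback: some clients still accept a matching subject CN
  openssl x509 -in "$1" -noout -subject | grep -qE "CN ?= ?$2(,|/|\$)"
}

key_is_unencrypted() {  # $1 = PEM key; the proxy cannot prompt for a passphrase
  # Both legacy (Proc-Type: 4,ENCRYPTED) and PKCS#8 headers carry this word
  ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout 2>/dev/null
}

validate_proxy_cert() {  # $1 = cert, $2 = key, $3 = proxy FQDN; 0 when usable
  cert_matches_host "$1" "$3" || { echo "cert is not issued to $3"; return 1; }
  key_is_unencrypted "$2" || { echo "key is passphrase-protected or unreadable"; return 1; }
  # The key must belong to the cert, otherwise the listener will not start
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] \
    || { echo "cert and key do not match"; return 1; }
}

mk_cert() {  # $1 = hostname, $2 = output prefix; self-signed, for demonstration only
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=%s\n[v3]\nsubjectAltName=DNS:%s\n' "$1" "$1" > "$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$2.cnf" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Demonstration: the proxy's own cert passes, the DC's cert fails the hostname check
d=$(mktemp -d)
mk_cert duo.example.com "$d/duo"
mk_cert dc.example.com "$d/dc"
validate_proxy_cert "$d/duo.crt" "$d/duo.key" duo.example.com && echo "duo cert: OK"
validate_proxy_cert "$d/dc.crt" "$d/dc.key" duo.example.com || echo "dc cert: rejected"
```

Run it against the real files with `validate_proxy_cert proxy.crt proxy.key <proxy FQDN>`; a non-zero exit names the first problem found.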