On 5/12/21 10:15 AM, Stefan G. Weichinger via samba
wrote:
> At a few customers I run OpenVPN with authentication against the Samba
> DCs, the OpenVPN-server runs on a pfsense appliance.
>
> To run this encrypted I had to export the Samba CAs and import them on
> the pfsense machine.
>
> Now these CAs are only valid for about two more months and I plan to
> renew them on the pfsense.
>
> As far as documented(=remember ;-)) I took them from
>
> # ls -l /var/lib/samba/private/tls
> insgesamt 12
> -rw-r--r-- 1 root root 2074 Aug 29  2019 ca.pem
> -rw-r--r-- 1 root root 2078 Aug 29  2019 cert.pem
> -rw------- 1 root root 3243 Aug 29  2019 key.pem
>
> As you can see the files in there are ~1.5 yrs old.
>
> My questions:
>
> Does Samba somehow renew them? If yes, how and when? Can I manually
> trigger that?
>
> I wrote in a posting:
>
> "imported the samba-AD-CA (ca.pem) as additional CA into pfsense"
>
> Is that correct or do I have to build some chained.pem or something?
>
I recommend you manage your own CA and replace those files autogenerated
by the Samba DC with your CA and certificates signed by it.
Depending on your installation size, you will need automation with tools
like dogtag (dogtagpki.org) for example, or use smaller graphical
tools like XCA.