In a samba-domain at a customer we use the AD-DCs for authenticating VPN-users.

I export the ca.pem and cert.pem from /var/lib/samba/private/tls and import them in the pfSense we use as VPN gateway.

When the certs are close to expiry I rm the files from that directory and let samba recreate all 3 files (CA, key, cert).

Is there a more elegant way of doing that renewal?

IMO the CA could live longer, right?

I assume this leads to openssl-fiddling, rm-ing is somewhat easier to do ;-)

Maybe only rm the cert/key pair?

Any tips welcome.

> In a samba-domain at a customer we use the AD-DCs for authenticating
> VPN-users.
>
> I export the ca.pem and cert.pem from /var/lib/samba/private/tls and
> import them in the pfSense we use as VPN gateway.
>
> When the certs are close to expiry I rm the files from that directory
> and let samba recreate all 3 files (CA, key, cert)

I also use OpenVPN with pfSense but I use the opposite method: create the CA, key, and certificate in pfSense, export them and use them in Samba, with the corresponding lines in the DC's smb.conf. For example:

    tls cafile = tls/myca.crt
    tls certfile = tls/mycertificate.crt
    tls keyfile = tls/mykey.key

This way it is possible to have more control over the expiry dates of certificates.

On 1/7/25 6:34 AM, Stefan G. Weichinger via samba wrote:
>
> In a samba-domain at a customer we use the AD-DCs for authenticating
> VPN-users.
>
> I export the ca.pem and cert.pem from /var/lib/samba/private/tls and
> import them in the pfSense we use as VPN gateway.
>
> When the certs are close to expiry I rm the files from that directory
> and let samba recreate all 3 files (CA, key, cert)
>
> Is there a more elegant way of doing that renewal?
>
> IMO the CA could live longer, right?
>
> I assume this leads to openssl-fiddling, rm-ing is somewhat easier to
> do ;-)
>
> Maybe only rm the cert/key pair?
>
> Any tips welcome.
>

You could run your own CA authority. There are many alternatives for large deployments (I use dogtag embedded in FreeIPA), but for smaller ones you could do it with local GUIs like XCA (1).

(1) https://www.hohnstaedt.de/xca/

You can create a new CA for 20 years for example, and renew your Samba certificates every year or the period you like. You just replace the samba CA certificate and key files with ones generated by your CA.
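The layout both replies describe (a long-lived private CA, a DC certificate re-issued yearly, and smb.conf pointing at the resulting files) can be scripted with plain openssl. The script below is an added example, not code from this thread, from Samba or from pfSense; it assumes openssl is on PATH, uses a scratch directory OUT, and uses the placeholder hostname dc1.example.internal for DC_FQDN. Only ca.pem and cert.pem go to pfSense, exactly as in the original post; ca.key stays on the admin host, and a renewal re-runs just the issue step while the CA (and its import in pfSense) stays untouched.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or pfSense): a private CA kept for
# ~20 years plus a one-year DC certificate, done with openssl instead of
# letting samba self-generate all three files.
# Assumptions: openssl on PATH; OUT is a scratch directory; DC_FQDN is a
# placeholder hostname to replace with the real DC name.
set -eu

OUT="${OUT:-./samba-tls}"
DC_FQDN="${DC_FQDN:-dc1.example.internal}"   # placeholder, not a real host

# 1. The CA: created once, valid 7300 days (~20 years). Only ca.pem is handed
#    to pfSense; ca.key stays on the admin host, never in /var/lib/samba.
make_ca() {
    mkdir -p "$OUT"
    # A tiny openssl config: an empty DN section (we pass -subj) plus CA extensions.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$OUT/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7300 \
        -subj "/CN=Example Samba CA" -config "$OUT/ca.cnf" -extensions v3_ca \
        -keyout "$OUT/ca.key" -out "$OUT/ca.pem" 2>/dev/null
    chmod 600 "$OUT/ca.key"
}

# 2. The DC certificate: a fresh key + CSR, signed by the CA for 365 days.
#    Re-run only this step for renewal; the CA and the pfSense import do not change.
issue_dc_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$OUT/ca.cnf" \
        -subj "/CN=$DC_FQDN" -keyout "$OUT/key.pem" -out "$OUT/dc.csr" 2>/dev/null
    # Server-only extensions; the SAN is what clients actually match against.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$DC_FQDN" > "$OUT/dc.ext"
    openssl x509 -req -in "$OUT/dc.csr" -CA "$OUT/ca.pem" -CAkey "$OUT/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$OUT/dc.ext" \
        -out "$OUT/cert.pem" 2>/dev/null
    chmod 600 "$OUT/key.pem"   # samba expects the TLS key not to be world-readable
}

# 3. Checks worth running before copying the files to the DC.
verify_chain() {          # exit 0 if cert.pem chains to ca.pem
    openssl verify -CAfile "$OUT/ca.pem" "$OUT/cert.pem" >/dev/null 2>&1
}
check_not_expiring() {    # $1 = days of margin; exit 1 if it expires sooner
    openssl x509 -in "$OUT/cert.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}
san_matches() {           # exit 0 if the SAN carries the expected DC name
    openssl x509 -in "$OUT/cert.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$DC_FQDN"
}

make_ca
issue_dc_cert
if verify_chain && check_not_expiring 30 && san_matches; then
    echo "cert.pem chains to ca.pem, SAN matches, valid for >30 more days"
else
    echo "certificate check failed" >&2
    exit 1
fi
# Matching smb.conf lines on the DC (file names are this example's, relative
# to the private dir):
#   tls cafile   = tls/ca.pem
#   tls certfile = tls/cert.pem
#   tls keyfile  = tls/key.pem
```

Running check_not_expiring with a 30-day margin from cron gives the "close to expiry" signal the original post handles by hand; when it fails, re-run issue_dc_cert, copy cert.pem and key.pem into the DC's private/tls directory and restart samba, and nothing on the pfSense side needs to change because the CA it trusts is the same one.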