Hi everyone,

I have a question about certificates generated on a Samba AD/DC deployment. After all the server configuration, I notice that there are ca.pem, cert.pem and key.pem in the /usr/local/samba/private/tls directory. I realize the ca.pem and cert.pem have 2 years' validity. Will Samba AD/DC automatically generate new certs before this time is over? Or must I generate them manually?

--
Igor Sousa
You have to manage the certificates via some other PKI tool(s). Personally I use Saltstack, which is the config management tool we use across our environment. It has a PKI module which works quite well for issuing certs to Linux servers and clients as well as managing the CA trust certs on the clients. I also recommend that certs be managed via active automation with short renewal periods (we use 90 days), which is much easier with configuration automation like Saltstack.

https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html

We use an offline, self-signed root cert, which in turn has signed 3-4 intermediate CA certs. One intermediate CA cert is used by Saltstack to automatically sign cert requests from Linux hosts, and another is issued to our Windows 2012 R2 Active Directory Certificate Services install, which in turn automatically signs cert requests by Windows 10, Windows Server, AND macOS hosts. (We use a GPO to push all our internal root and intermediate CA certs to Windows hosts.)

With this structure, our Windows hosts trust all our internal server certs, and server-to-server connections are all protected by TLS as well. Enterprise applications can authenticate against AD using SSL (ldaps). In addition, since all OS variants have a valid cert that is automatically managed, we can seamlessly use EAP-TLS for wireless and wired network authentication (with FreeRADIUS, which also gets its cert signed by Saltstack).

I'm really curious about similar deployments built or managed by other mailing list members. What automation tools do you use for managing PKI? I know there are several commercial PKI management solutions, but we haven't tried any of them.

In TLS we trust! hahaha :)

Gabben

> On Jun 14, 2020, at 12:24 PM, Igor Sousa via samba <samba at lists.samba.org> wrote:
>
> Hi everyone,
>
> I have a question about certificates generated on Samba AD/DC deployment.
> After all server configuration, I notice that there are ca.pem, cert.pem
> and key.pem on /usr/local/samba/private/tls directory. I realize the ca.pem
> and cert.pem have 2 years validity. Will Samba AD/DC generate automatically
> new certs before this time over? Or, must I have to generate them manually?
>
> --
> Igor Sousa
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> Hi everyone,
>
> I have a question about certificates generated on Samba AD/DC
> deployment.
> After all server configuration, I notice that there are ca.pem,
> cert.pem
> and key.pem on /usr/local/samba/private/tls directory. I realize the
> ca.pem
> and cert.pem have 2 years validity. Will Samba AD/DC generate
> automatically
> new certs before this time over? Or, must I have to generate them
> manually?

No, they will not be automatically renewed.

So yes, you need to generate them manually.

The original intention was that the certificates be replaced by the administrator.

However, I think we would accept patches to extend the initial validity on the autogenerated certificates, given that replacement almost never happens. This makes more sense than to renew them, as that would break software which has the current certificate manually accepted, and potentially break a manually installed certificate.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Thanks Gabben and Andrew. I've understood, but a new question emerged:

Each DC server on my domain has a different cert/key pair and a different CA cert after deployment, correct? If so, is it a best practice to generate a new cert for each DC server and sign them with a single CA?

Note: every DC server belongs to the same domain.

--
Igor Sousa

On Sun, Jun 14, 2020 at 16:46, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> > Hi everyone,
> >
> > I have a question about certificates generated on Samba AD/DC
> > deployment.
> > After all server configuration, I notice that there are ca.pem,
> > cert.pem
> > and key.pem on /usr/local/samba/private/tls directory. I realize the
> > ca.pem
> > and cert.pem have 2 years validity. Will Samba AD/DC generate
> > automatically
> > new certs before this time over? Or, must I have to generate them
> > manually?
>
> No, they will need be automatically renewed.
>
> So yes, you need to generate them manually.
>
> The original intention was that the certificates be replaced by the
> administrator.
>
> However, I think we would accept patches to extend the initial validity
> on the autogenerated certificates, given that replacement almost never
> happens. This makes more sense then to renew them, as that would break
> software which has the current certificate manually accepted, and
> potentially break a manually installed certificate.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
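The layout Gabben describes (an offline self-signed root, an intermediate that does the day-to-day signing, short-lived per-host certs), the expiry check that Andrew's answer makes the administrator's job, and the "one CA, one leaf cert per DC" shape Igor asks about, as one added shell example. This is not code from the thread, from Samba, or from the Saltstack x509 state; it uses plain openssl. The host names dc1 and dc2, the domain example.internal, and the lifetimes (10 years root, 5 years intermediate, 90-day leaf) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not Samba's code, not Gabben's Saltstack setup): a two-tier
# PKI with plain openssl and an expiry check for any PEM certificate.
# Names (dc1, dc2, example.internal) and lifetimes are made up for the demo.
set -eu

# Scratch directory for all generated material; set WORKDIR to keep it.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-subject-comes-from-the-command-line
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Offline root: self-signed and long-lived; in practice its key stays off the network.
make_root_ca() {
    openssl req -x509 -config "$CNF" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Offline Root CA" \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" 2>/dev/null
}

# Issuing CA signed by the root; this is the key an automation tool would hold.
# pathlen:0 means it may sign end-entity certs only, never another CA.
make_intermediate_ca() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Issuing CA" \
        -keyout "$WORKDIR/int.key" -out "$WORKDIR/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/int.csr" \
        -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
        -days 1825 -extfile "$CNF" -extensions v3_intermediate \
        -out "$WORKDIR/int.pem" 2>/dev/null
}

# Per-DC server cert: its own key, 90-day lifetime, SAN for FQDN and short name.
issue_dc_cert() {
    host="$1"; fqdn="$host.example.internal"; ext="$WORKDIR/$host.ext"
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'authorityKeyIdentifier = keyid' \
        "subjectAltName = DNS:$fqdn, DNS:$host" > "$ext"
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/int.pem" -CAkey "$WORKDIR/int.key" -CAcreateserial \
        -days 90 -extfile "$ext" -out "$WORKDIR/$host.pem" 2>/dev/null
}

# Chain check the way a client does it: the root is the trust anchor and the
# intermediate is untrusted input that must chain up to it.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/root.pem" -untrusted "$WORKDIR/int.pem" "$1" >/dev/null 2>&1
}

# Print the DNS SANs of a certificate, space separated.
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' | tr '\n' ' '
}

# Exit 0 when the cert expires within N days; usable as a cron check, e.g.
#   expires_within_days /usr/local/samba/private/tls/cert.pem 30 && send_alert
expires_within_days() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

# Full run: build the CA pair, issue a cert per DC, verify each chain, report.
run_demo() {
    write_config; make_root_ca; make_intermediate_ca
    for dc in dc1 dc2; do
        issue_dc_cert "$dc"
        verify_chain "$WORKDIR/$dc.pem" || { echo "$dc: chain verification FAILED"; return 1; }
        echo "$dc: chain OK, SANs: $(cert_sans "$WORKDIR/$dc.pem")"
    done
    echo "generated material is in $WORKDIR"
}

# Run the demo only when asked (sh pki_demo.sh demo) so the functions can also be sourced.
if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Each DC ends up with its own key and leaf cert while clients need to trust only root.pem, which is the shape Igor's follow-up asks about. To make a DC use the issued files instead of the autogenerated ones, point the smb.conf parameters `tls certfile`, `tls keyfile` and `tls cafile` at dcN.pem, dcN.key and the intermediate/root bundle and restart Samba; `expires_within_days` run from cron against those paths is the minimum monitoring you want once, as Andrew says, renewal is on the administrator.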