[Samba] Set same TLS Root CA cert on all Samba DC's?

Kees van Vloten keesvanvloten at gmail.com
Wed Oct 25 15:21:13 UTC 2023


On 25-10-2023 at 17:13, Alex via samba wrote:
> And will Samba regenerate its own server certs from that CA, or do I need
> to externally generate & renew them with openssl?
> Does anything else need to be done before or after replacing the certs in
> Samba? This won't break server/domain trust with domain joined workstations?

Anything that uses TLS will create some certs, or use the 
distro default snake-oil certs.

However in order to get secure communication, you need to have a common 
ca-cert on all your machines (servers and clients) and generate a cert 
and key pair for each server.

Openssl can do it, but I prefer EasyRSA, which uses openssl under the hood.

- Kees.

>
> Thanks
>
> On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <
> samba at lists.samba.org> wrote:
>
>> On 25-10-2023 at 16:45, Alex via samba wrote:
>>> Hi!
>>>
>>> Is there a recommended way to set all the Samba DC's to use the same TLS
>>> Root CA certificate?
>> In smb.conf put a line, like this to let it use a specific ca-cert:
>>
>> tls cafile = /etc/ssl/certs/ca.pem
>>
>> Now it is just a matter of distributing that to all the DCs
>>
>> - Kees.
>>
>>> Thanks,
>>>
>>> Peter
>>
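
The workflow described in the reply above (one common CA cert, plus a cert and key pair per server), written out with plain openssl as an added example that is not part of the original thread. The host name `dc1.samdom.example.com`, the CA subject and all file names are constructed; the `tls enabled`, `tls certfile` and `tls keyfile` settings in the closing comment are standard smb.conf parameters that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: one shared root CA, one cert/key pair per DC.
# Host name, CA subject and file names are constructed for illustration.

make_ca() {            # $1 = working directory for the CA
  ( umask 077          # private keys must not be group/world readable
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Samba Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null )
}

issue_dc_cert() {      # $1 = CA directory, $2 = FQDN of the DC
  ( umask 077
    # Key and CSR for this DC; -subj overrides the CA's DN from ca.cnf.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
      -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    # Clients match the name they connect to against subjectAltName.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
      "$2" > "$1/$2.ext" &&
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
      -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null )
}

verify_dc_cert() {     # $1 = directory holding ca.pem, $2 = FQDN of the DC
  # Exit status 0 only if the cert chains to ca.pem and names this host.
  openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
    -verify_hostname "$2" "$1/$2.pem" >/dev/null 2>&1
}

# Per DC, after copying ca.pem plus that DC's own .pem and .key into place
# (angle-bracket paths are placeholders):
#   tls enabled  = yes
#   tls cafile   = /etc/ssl/certs/ca.pem
#   tls certfile = <path to this DC's .pem>
#   tls keyfile  = <path to this DC's .key>
```

Only `ca.pem` is distributed to every DC and client; `ca.key` stays on the machine that signs, and each DC gets only its own key.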


