help with TLS certificates for Samba4

Andrew Tridgell tridge at osdl.org
Mon Jun 20 23:29:27 GMT 2005


I'm hoping someone on the list can help me work out some issues with
the automated TLS certificate generation in Samba4.

I have now generalised the tls code in Samba4, so we have a lib/tls/
subsystem that is used by both our internal LDAP code (both client and
server) and our internal web server.

As I have mentioned previously, sites that have real certificates will
be able to use those, but smbd will auto-generate self-signed
certificates for sites that don't.

Most recently I have been trying to test our ldb tools using ldaps
against a w2k3 server. To do that I need to install a certificate on
w2k3 for the windows LDAP server to use. If I don't have a certificate
installed on w2k3 then I get the following in the event log:

  LDAP over Secure Sockets Layer (SSL) will be unavailable at this
  time because the server was unable to obtain a certificate.

So, I would like to install the certificates that have been
auto-generated by smbd into a w2k3 server. To do that I have run:

   openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
       -name "Samba" -out samba.p12

Then double-clicked on the samba.p12 in windows. That launches the
certificate install wizard. Unfortunately it gives me an error like
this:

  An internal error occurred. This can be either the user profile is
  not accessible or the private key that you are importing might
  require a cryptographic service provider that is not installed on
  your system.

I suspect one of the following possible problems:

  1) w2k3 cannot handle certificates generated by gnutls.

  2) I am not passing some mandatory option to gnutls when generating
  the certificate, and thus end up leaving off some important
  attribute in the generated certificate.

  3) the conversion to a p12 file using openssl is broken.

I have placed the certificates and generated p12 files in
http://samba.org/~tridge/tls/ and I would greatly appreciate it if
someone more knowledgeable about TLS certificates on windows than I am
could take a look at them and see if they can spot the problem. The
password on the p12 file is "samba".

Cheers, Tridge
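A way to check the inputs and the exported bundle locally before trying the Windows import wizard, which narrows down hypotheses 2) and 3) above. This is an added example, not code from the mail or from Samba: it uses the same `openssl pkcs12 -export` command as the post, the functions `make_test_material` and `export_and_check` and the names `Test CA` and `dc1.example.test` are assumptions made here, and the throwaway CA and leaf certificate are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: build the .p12 with the
# same "openssl pkcs12 -export" invocation as in the mail, then check the
# inputs and the bundle instead of relying on the Windows import wizard.

# Constructed throwaway CA + leaf so this runs offline; in practice the
# inputs are the smbd-generated cert.pem / key.pem / ca.pem.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc1.example.test" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    # A Windows LDAPS server certificate needs the serverAuth EKU and the host name.
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc1.example.test\n' \
        > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/req.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 2 -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
}

# Export as in the post, then verify; returns non-zero on the first failed check.
export_and_check() {
    dir=$1; pass=$2
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -certfile "$dir/ca.pem" -name "Samba" -out "$dir/samba.p12" \
        -passout "pass:$pass"
    # 1) the private key must match the certificate's public key
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
    # 2) the leaf must carry the serverAuth EKU
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "cert lacks serverAuth EKU"; return 1; }
    # 3) the bundle must parse with the password and give back the same leaf
    want=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in "$dir/samba.p12" -passin "pass:$pass" -nokeys -clcerts \
        | openssl x509 -noout -fingerprint -sha256)
    [ "$want" = "$got" ] || { echo "leaf in p12 differs from cert.pem"; return 1; }
    # 4) the CA passed with -certfile must actually be inside the bundle
    n=$(openssl pkcs12 -in "$dir/samba.p12" -passin "pass:$pass" -nokeys -cacerts \
        | grep -c 'BEGIN CERTIFICATE') || true
    [ "$n" -ge 1 ] || { echo "no CA certificate in p12"; return 1; }
    # The bundle's own encryption algorithms (shown by "openssl pkcs12 -info")
    # must also be ones the importing host's cryptographic provider supports.
    echo "samba.p12 ok: key/cert match, serverAuth EKU, leaf + $n CA cert(s)"
}
```

Against real files, skip `make_test_material` and point `export_and_check` at the directory holding cert.pem, key.pem and ca.pem; a failure in check 1) or 2) points at the generated certificate, a failure in 3) or 4) at the conversion.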
