help with TLS certificates for Samba4

Andrew Tridgell tridge at
Mon Jun 20 23:29:27 GMT 2005

I'm hoping someone on the list can help me work out some issues with
the automated TLS certificate generation in Samba4.

I have now generalised the tls code in Samba4, so we have a lib/tls/
subsystem that is used by both our internal LDAP code (both client and
server) and our internal web server.

As I have mentioned previously, sites that have real certificates will
be able to use those, but smbd will auto-generate self-signed
certificates for sites that don't.

Most recently I have been trying to test our ldb tools using ldaps
against a w2k3 server. To do that I need to install a certificate on
w2k3 for the Windows LDAP server to use. If I don't have a certificate
installed on w2k3 then I get the following in the event log:

  LDAP over Secure Sockets Layer (SSL) will be unavailable at this
  time because the server was unable to obtain a certificate.

So, I would like to install the certificates that have been auto
generated by smbd into a w2k3 server. To do that I have run:

   openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
       -name "Samba" -out samba.p12

Then double-clicked on the samba.p12 in Windows. That launches the
certificate install wizard. Unfortunately it gives me an error like

  An internal error occurred. This can be either the user profile is
  not accessible or the private key that you are importing might
  require a cryptographic service provider that is not installed on
  your system.

I suspect one of the following possible problems:

  1) w2k3 cannot handle certificates generated by gnutls. 

  2) I am not passing some mandatory option to gnutls when generating
  the certificate, and thus end up leaving off some important
  attribute in the generated certificate.

  3) the conversion to a p12 file using openssl is broken.

I have placed the certificates and generated p12 files in and I would greatly appreciate it if
someone more knowledgeable about TLS certificates on Windows than I am
could take a look at them and see if they can spot the problem. The
password on the p12 file is "samba".

Cheers, Tridge
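
One way to test the third hypothesis in the message above, as an added example that is not part of the original post: unpack the .p12 again with openssl and confirm that the key and certificate inside still match and that the CA certificate was included. The function names, demo subjects and temporary paths are assumptions; `make_demo_p12` builds stand-in files with openssl rather than gnutls, so it exercises only the export step.

```shell
#!/bin/sh
# Added example, not from the original post. Subjects, paths and function
# names are constructed; the password "samba" is the one the post states.

# Succeeds when the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Unpack a PKCS#12 file ($1, password $2) and report what an importer will
# find: prints "key_matches=<yes|no> ca_certs=<n>", non-zero if unreadable.
check_p12() {
    t=$(mktemp -d) || return 2
    if openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
           -out "$t/cert.pem" 2>/dev/null &&
       openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
           -out "$t/key.pem" 2>/dev/null &&
       openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
           -out "$t/ca.pem" 2>/dev/null
    then
        m=no; key_matches_cert "$t/cert.pem" "$t/key.pem" && m=yes
        n=$(grep -c 'BEGIN CERTIFICATE' "$t/ca.pem" || true)
        echo "key_matches=$m ca_certs=$n"; rc=0
    else
        rc=2   # wrong password, bad MAC, or not a PKCS#12 file
    fi
    rm -rf "$t"
    return "$rc"
}

# Build a throwaway CA and leaf certificate in directory $1 (stand-ins for
# ca.pem, cert.pem, key.pem), then export with the command from the post.
make_demo_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc.example.test" \
        -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/req.pem" -CA "$d/ca.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -certfile "$d/ca.pem" -name "Samba" -passout pass:samba \
        -out "$d/samba.p12" 2>/dev/null
}
```

Running `check_p12 samba.p12 samba` against a real bundle shows whether the export preserved a matching key pair and the CA certificate; it says nothing about whether the Windows import wizard accepts the file.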
