help with TLS certificates for Samba4

Gavin Henry ghenry at suretecsystems.com
Tue Jun 21 11:35:35 GMT 2005


> So, I would like to install the certificates that have been auto
> generated by smbd into a w2k3 server. To do that I have run:
>
>    openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
>        -name "Samba" -out samba.p12
>
> Then double-clicked on the samba.p12 in windows. That launches the
> certificate install wizard. Unfortunately it gives me an error like
> this:
>
>   An internal error occurred. This can be either the user profile is
>   not accessible or the private key that you are importing might
>   require a cryptographic service provider that is not installed on
>   your system.

I get the same error.

>
> I suspect one of the following possible problems:
>
>   1) w2k3 cannot handle certificates generated by gnutls.

I don't think that this is the case.

>
>   2) I am not passing some mandatory option to gnutls when generating
>   the certificate, and thus end up leaving off some important
>   attribute in the generated certificate.

Doesn't look like it according to every technical doc I've ever read.

>
>   3) the conversion to a p12 file using openssl is broken.

There is:

http://www.openssl.org/docs/apps/pkcs12.html#BUGS

and:

http://linuxreviews.org/howtos/networking/ipsec-howto/en/x577.html

"When generating certificates for Windows clients you have to make sure
that the lifetime of the certificate lies within the lifetime of the CA.
If the lifetime of the certificate exceeds the lifetime of the CA, the
windows client will not accept the certificate!"


You might already know about these or might not, as you are a very busy man.

It is possible not to use the cacert and generate the p12, then import the
cacert before importing the p12 file.

Thanks,

Gavin.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry at suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
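The two things the reply points at, the CA-lifetime rule quoted from the IPsec howto and the option of bundling without the CA certificate and importing the CA on its own first, can both be checked from the command line before anything is double-clicked on the Windows box. The script below is an added example and is not code from this thread, from Samba or from the poster's setup. It assumes the openssl CLI and GNU date (for "date -d"); the directory names, the "Test CA" and "samba.example" subjects, the 365/730-day lifetimes and the password "changeit" are all made up for the demonstration. The -keypbe/-certpbe/-macalg options pin the SHA1/3DES PKCS#12 encoding that older Windows releases understand, because newer OpenSSL versions default to AES/PBKDF2 bundles that old importers cannot read; with the 0.9.x OpenSSL of the thread's era those options are redundant.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI and GNU date
# ("date -d"). File names, subjects and the password "changeit" are made up.
set -eu

# Epoch seconds of a certificate's notBefore (startdate) or notAfter (enddate).
# openssl prints e.g. "notAfter=Jun 21 11:35:35 2006 GMT"; GNU date parses it.
cert_epoch() {
    stamp=$(openssl x509 -in "$1" -noout "-$2" | cut -d= -f2-)
    date -ud "$stamp" +%s
}

# Succeeds only if the leaf's validity window lies inside the CA's window,
# the condition the quoted howto says a Windows client enforces.
within_ca() {
    leaf_nb=$(cert_epoch "$1" startdate); leaf_na=$(cert_epoch "$1" enddate)
    ca_nb=$(cert_epoch "$2" startdate);   ca_na=$(cert_epoch "$2" enddate)
    if [ "$leaf_nb" -ge "$ca_nb" ] && [ "$leaf_na" -le "$ca_na" ]; then
        return 0
    fi
    echo "cert validity ($leaf_nb..$leaf_na) is not inside CA validity ($ca_nb..$ca_na)" >&2
    return 1
}

# Constructed test material: a self-signed CA valid for $2 days and a leaf
# signed by it valid for $3 days, all written under directory $1.
make_test_pki() {
    dir=$1; ca_days=$2; cert_days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$ca_days" -subj "/CN=Test CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=samba.example" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days "$cert_days" -out "$dir/cert.pem" 2>/dev/null
}

# Build the PKCS#12 bundle. "with_ca" embeds ca.pem as in the quoted command;
# "no_ca" leaves it out so the CA can be imported on its own beforehand.
# PBE-SHA1-3DES and a SHA1 MAC are the old encoding that legacy Windows reads.
make_p12() {
    dir=$1; mode=$2
    set -- -export -in "$dir/cert.pem" -inkey "$dir/key.pem" -name "Samba" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit
    if [ "$mode" = with_ca ]; then
        openssl pkcs12 "$@" -certfile "$dir/ca.pem" -caname "Test CA" -out "$dir/samba.p12"
    else
        openssl pkcs12 "$@" -out "$dir/samba-nocacert.p12"
    fi
}

# Number of certificates inside a bundle: 2 with the CA embedded, 1 without.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work/bad" 365 730      # leaf outlives the CA
    within_ca "$work/bad/cert.pem" "$work/bad/ca.pem" || echo "bad: lifetime check failed, as expected"
    make_test_pki "$work/good" 730 365     # leaf inside the CA window
    within_ca "$work/good/cert.pem" "$work/good/ca.pem" && echo "good: lifetime check passed"
    make_p12 "$work/good" with_ca
    make_p12 "$work/good" no_ca
    echo "certs in bundle with CA: $(p12_cert_count "$work/good/samba.p12"), without CA: $(p12_cert_count "$work/good/samba-nocacert.p12")"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh p12check.sh demo" (the file name is arbitrary). Against a real cert.pem/key.pem/ca.pem, call within_ca on the real files before make_p12; if the check fails, the fix is to reissue the leaf with a shorter -days value, not to massage the PKCS#12 file.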

