[Samba] Question about certificates on Samba AD/DC

Igor Sousa igorvolt at gmail.com
Sun Jun 14 20:15:34 UTC 2020

Thanks Gabben and Andrew. I've understood, but a new question emerged: each
DC server in my domain has a different cert/key pair and a different CA
cert after deployment, correct?

If so, is it a best practice to generate a new cert for each DC server and
sign them with a unique CA? Note: every DC server belongs to the same

Igor Sousa

On Sun, 14 Jun 2020 at 16:46, Andrew Bartlett <abartlet at samba.org>

> On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> > Hi everyone,
> >
> > I have a question about certificates generated on Samba AD/DC
> > deployment. After all server configuration, I notice that there are
> > ca.pem, cert.pem and key.pem in the /usr/local/samba/private/tls
> > directory. I realize the ca.pem and cert.pem have 2 years validity.
> > Will Samba AD/DC automatically generate new certs before this time is
> > over? Or must I generate them manually?
> No, they will need be automatically renewed.
> So yes, you need to generate them manually.
> The original intention was that the certificates be replaced by the
> administrator.
> However, I think we would accept patches to extend the initial validity
> on the autogenerated certificates, given that replacement almost never
> happens.  This makes more sense than to renew them, as that would break
> software which has the current certificate manually accepted, and
> potentially break a manually installed certificate.
> Andrew Bartlett
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
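The thread establishes two practical points: Samba does not renew the auto-generated ca.pem/cert.pem/key.pem, so an administrator has to watch their expiry and replace them, and when replacing them it is reasonable to issue each DC its own key/cert pair signed by one domain-wide CA. The script below is an added example written for this page; it is not Samba's own tooling and neither poster's code. It assumes only POSIX sh and the openssl command line. The CA name, the FQDNs dc1.example.com / dc2.example.com, the 825-day lifetime and the file naming scheme are illustrative choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not Samba's tooling): manage the TLS material a Samba AD DC
# reads from /usr/local/samba/private/tls (ca.pem, cert.pem, key.pem).
# Assumes only POSIX sh plus the openssl CLI; names below are illustrative.

# Return 0 if CERT is still valid DAYS from now, non-zero if it expires sooner
# (or is already expired). Suitable for a cron/monitoring check, since the
# auto-generated certificates are not renewed by Samba.
cert_ok_for_days() {
    cert=$1; days=$2
    openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null
}

# Create one domain-wide CA: ca.pem (distributed to every DC and client) and
# ca-key.pem (kept offline/root-only; it never goes into the tls/ directory).
make_ca() {
    dir=$1; name=$2
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -days 3650 -config "$dir/ca.cnf" 2>/dev/null
}

# Issue a distinct key/cert pair for one DC, signed by the shared CA.
# The SAN must match the FQDN clients use for LDAPS; otherwise hostname
# verification fails even though the chain validates.
make_dc_cert() {
    dir=$1; fqdn=$2
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
EOF
    cat > "$dir/$fqdn.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Fresh private key per DC: a compromise of one DC must not expose others.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$fqdn.key.pem" -out "$dir/$fqdn.csr" \
        -config "$dir/$fqdn.cnf" 2>/dev/null
    # -CAcreateserial keeps a counter in ca.srl so each DC gets a unique serial.
    openssl x509 -req -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -days 825 -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.cert.pem" 2>/dev/null
}

# Confirm a DC certificate chains to the CA and carries the expected SAN.
check_dc_cert() {
    dir=$1; fqdn=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/$fqdn.cert.pem" >/dev/null 2>&1 &&
    openssl x509 -noout -text -in "$dir/$fqdn.cert.pem" | grep -q "DNS:$fqdn"
}

# Installation on a DC (run manually, root): copy $fqdn.key.pem to
# private/tls/key.pem (mode 0600), $fqdn.cert.pem to cert.pem and ca.pem to
# ca.pem, then restart samba. Only the CA's public certificate leaves the
# machine that holds ca-key.pem.
```

Run `make_ca` once, then `make_dc_cert` once per DC on the same directory, and ship each DC only its own pair plus ca.pem; clients and replicating DCs then need to trust a single CA instead of one self-signed certificate per DC. A periodic `cert_ok_for_days /usr/local/samba/private/tls/cert.pem 30` on each DC is the check that the thread says Samba itself will not do for you.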
