[Samba] Question about certificates on Samba AD/DC

Andrew Bartlett abartlet at samba.org
Sun Jun 14 21:04:32 UTC 2020


That would make a lot of sense.

Andrew Bartlett

On Sun, 2020-06-14 at 17:15 -0300, Igor Sousa wrote:
> Thanks Gabben and Andrew. I've understood but a new question emerged:
> Each DC server on my domain has a different pair cert/key and a
> different CA cert after deployment, correct? 
> 
> If so, is it a best practice to generate new cert for each DC server
> and sign them with a unique CA? OBS: Every DC servers belongs to the
> same domain.
> 
> --
> Igor Sousa
> 
> 
> On Sun, 14 Jun 2020 at 16:46, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> > > Hi everyone,
> > > 
> > > I have a question about certificates generated on Samba AD/DC
> > > deployment. After all server configuration, I notice that there are
> > > ca.pem, cert.pem and key.pem in the /usr/local/samba/private/tls
> > > directory. I realize the ca.pem and cert.pem have 2 years validity.
> > > Will Samba AD/DC automatically generate new certs before this time
> > > is over? Or must I generate them manually?
> > 
> > No, they will need be automatically renewed.  
> > 
> > So yes, you need to generate them manually.  
> > 
> > The original intention was that the certificates be replaced by the
> > administrator.  
> > 
> > However, I think we would accept patches to extend the initial
> > validity on the autogenerated certificates, given that replacement
> > almost never happens.  This makes more sense than to renew them, as
> > that would break software which has the current certificate manually
> > accepted, and potentially break a manually installed certificate.
> > 
> > Andrew Bartlett
> > 
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba
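Since the autogenerated certificates are not renewed by Samba, a check that flags them before the two-year validity lapses is worth scheduling on every DC. The script below is an added example, not code from this thread or from the Samba project; it assumes OpenSSL is installed, takes the tls directory from the question above, and the 60-day warning threshold and function names are my own choices.

```shell
#!/bin/sh
# Added example: report Samba AD DC TLS certificates that are close to expiry
# and confirm cert.pem still chains to ca.pem. Not part of Samba itself.

# Return 0 if the certificate in $1 remains valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of the certificate in $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 verifies against the CA certificate in $2.
cert_issued_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check one DC's tls directory ($1) with a warning threshold of $2 days.
# Returns 1 if a file is missing, expiring, or does not chain to ca.pem.
check_samba_tls() {
    dir="$1"; days="$2"; status=0
    for f in ca.pem cert.pem; do
        p="$dir/$f"
        if [ ! -r "$p" ]; then
            echo "MISSING  $p"; status=1; continue
        fi
        if cert_valid_for_days "$p" "$days"; then
            echo "OK       $p (expires $(cert_not_after "$p"))"
        else
            echo "RENEW    $p (expires $(cert_not_after "$p"))"; status=1
        fi
    done
    if [ -r "$dir/cert.pem" ] && [ -r "$dir/ca.pem" ]; then
        if cert_issued_by "$dir/cert.pem" "$dir/ca.pem"; then
            echo "CHAIN    cert.pem verifies against ca.pem"
        else
            echo "CHAIN    cert.pem does NOT verify against ca.pem"; status=1
        fi
    fi
    return $status
}

# Usage: sh check_samba_tls.sh [TLS_DIR] [WARN_DAYS]
# (the path below is the one from the question; 60 days is an assumed threshold)
if [ $# -gt 0 ]; then
    check_samba_tls "${1:-/usr/local/samba/private/tls}" "${2:-60}"
fi
```

A non-zero exit status makes it straightforward to hook into cron or an existing monitoring agent on each DC.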