[Samba] Question about certificates on Samba AD/DC

Igor Sousa igorvolt at gmail.com
Mon Jun 15 11:49:17 UTC 2020


Gabben,

I got what you said. Then, could I use a commercial CA to sign my DC certs?
Is there any security issue if I do it? I ask because I've seen that
WPA2-Enterprise has a security issue on Android devices, specifically early
versions up to Android 7, that do not allow configuring verification of the
expected server name in the user interface.

--
Igor Sousa


On Sun, Jun 14, 2020 at 17:28, gabben <gabbenx at gmail.com> wrote:

> Hi Igor,
>
> You certainly don’t want a different CA for each DC, and you typically do
> want an individually generated certificate and private key for each server.
>
> PKI is typically a tree hierarchy, which is a critical feature in the
> trust relationships across any environment. You want one (root) CA, and
> possibly 1-3 intermediate CAs depending on the complexity of your
> infrastructure ( intermediate CA certificates are capable of signing host
> specific certs.). Each DC, (and each web server, application server you
> deploy with SSL/TLS protected services) needs to present its own server
> certificate (+ the full chain of certs used to sign its server cert) to
> clients so that clients can check validity of the server cert for
> themselves (based on the trusted certs in the client CA trust store).
>
> Then the root and the intermediate certificate authority (CA) certs get
> pushed in the root trust storage facility on every host OS in your
> environment, so that they all trust a certificate presented by any server
> that they connect to which has a cert signed by your CA infrastructure.
>
> The level of complexity you need to engage in depends on the size and
> needs of your environment. If you have simple needs in a smaller
> environment, take a look at OpenVPN project’s “easy-rsa”
>
> Good luck.
>
>
> > On Jun 14, 2020, at 1:15 PM, Igor Sousa via samba <samba at lists.samba.org> wrote:
> >
> > Thanks Gabben and Andrew. I've understood, but a new question emerged: each
> > DC server on my domain has a different cert/key pair and a different CA
> > cert after deployment, correct?
> >
> > If so, is it a best practice to generate a new cert for each DC server and
> > sign them with a unique CA? OBS: every DC server belongs to the same
> > domain.
> >
> > --
> > Igor Sousa
> >
> >
> > On Sun, Jun 14, 2020 at 16:46, Andrew Bartlett <abartlet at samba.org> wrote:
> >
> >> On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> >>> Hi everyone,
> >>>
> >>> I have a question about certificates generated on Samba AD/DC
> >>> deployment.
> >>> After all server configuration, I notice that there are ca.pem,
> >>> cert.pem
> >>> and key.pem on /usr/local/samba/private/tls directory. I realize the
> >>> ca.pem
> >>> and cert.pem have 2 years validity. Will Samba AD/DC generate
> >>> automatically
> >>> new certs before this time over? Or, must I have to generate them
> >>> manually?
> >>
> >> No, they will need be automatically renewed.
> >>
> >> So yes, you need to generate them manually.
> >>
> >> The original intention was that the certificates be replaced by the
> >> administrator.
> >>
> >> However, I think we would accept patches to extend the initial validity
> >> on the autogenerated certificates, given that replacement almost never
> >> happens.  This makes more sense than to renew them, as that would break
> >> software which has the current certificate manually accepted, and
> >> potentially break a manually installed certificate.
> >>
> >> Andrew Bartlett
> >>
> >> --
> >> Andrew Bartlett                       https://samba.org/~abartlet/
> >> Authentication Developer, Samba Team  https://samba.org
> >> Samba Developer, Catalyst IT
> >> https://catalyst.net.nz/services/samba
> >>
> >>
> >>
> >>
>
>
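As an added example (not code from the thread or from Samba) of the hierarchy gabben describes, this builds one root CA, one intermediate CA and a separate key + cert per DC with OpenSSL, verifies the chain and hostname the way a client would, and runs the expiry check that Andrew's reply says is left to the administrator. It assumes OpenSSL 1.1.1 or later; the hostnames, work directory and validity periods are made up, and the per-DC key.pem/cert.pem/ca.pem layout only mirrors the file names from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): the hierarchy gabben
# describes, built with OpenSSL: one root CA, one intermediate, a separate
# key + cert per DC, plus the expiry check Andrew's reply leaves to the admin.
# Assumed: OpenSSL 1.1.1+, hostnames, the work dir and the validity periods.
set -eu
PKI=${PKI:-$(mktemp -d)}

make_cas() {                      # offline root CA and one issuing (intermediate) CA
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
    -keyout "$PKI/int.key" -out "$PKI/int.csr" 2>/dev/null
  # pathlen:0 = may sign DC/server certs, may not create further CAs
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$PKI/int.ext"
  openssl x509 -req -sha256 -days 1825 -in "$PKI/int.csr" -CA "$PKI/root.pem" \
    -CAkey "$PKI/root.key" -CAcreateserial -extfile "$PKI/int.ext" -out "$PKI/int.pem" 2>/dev/null
}

make_dc_cert() {                  # $1 = DC FQDN; writes key.pem, cert.pem, ca.pem
  d="$PKI/$1"; mkdir -p "$d"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$d/key.pem" -out "$d/req.csr" 2>/dev/null
  # the SAN is the name clients check; serverAuth EKU for LDAPS and other TLS services
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
    > "$d/req.ext"
  openssl x509 -req -sha256 -days 730 -in "$d/req.csr" -CA "$PKI/int.pem" \
    -CAkey "$PKI/int.key" -CAcreateserial -extfile "$d/req.ext" -out "$d/cert.pem" 2>/dev/null
  cat "$PKI/int.pem" "$PKI/root.pem" > "$d/ca.pem"   # chain the DC presents with its cert
}

verify_dc() {                     # $1 = DC FQDN, $2 = name a client expects; client-side check
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/int.pem" \
    -verify_hostname "$2" "$PKI/$1/cert.pem" >/dev/null 2>&1
}

expires_within() {                # $1 = DC FQDN, $2 = days; true when renewal is due
  ! openssl x509 -in "$PKI/$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

main() {
  make_cas; make_dc_cert dc1.example.lan
  verify_dc dc1.example.lan dc1.example.lan && echo "chain and hostname verify OK in $PKI"
  expires_within dc1.example.lan 30 || echo "dc1 cert is not due for renewal within 30 days"
}
main
```

Only root.pem goes into the clients' trust stores; the intermediate travels with each DC's cert in ca.pem, and a cron job around expires_within is the "manual" renewal reminder the thread says Samba will not give you.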

