[Samba] DCs: Samba CA

Stefan G. Weichinger lists at xunil.at
Wed May 12 14:15:17 UTC 2021

At a few customers I run OpenVPN with authentication against the Samba 
DCs, the OpenVPN-server runs on a pfsense appliance.

To run this encrypted I had to export the Samba CAs and import them on 
the pfsense machine.

Now these CAs are only valid for about two more months and I plan to 
renew them on the pfsense.

As far as documented (= remember ;-)) I took them from

# ls -l /var/lib/samba/private/tls
insgesamt 12
-rw-r--r-- 1 root root 2074 Aug 29  2019 ca.pem
-rw-r--r-- 1 root root 2078 Aug 29  2019 cert.pem
-rw------- 1 root root 3243 Aug 29  2019 key.pem

As you can see the files in there are ~1.5 yrs old.

My questions:

Does Samba somehow renew them? If yes, how and when? Can I manually 
trigger that?

I wrote in a posting:

"imported the samba-AD-CA (ca.pem) as additional CA into pfsense"

Is that correct or do I have to build some chained.pem or something?
