[Samba] DCs: TLS question
Robert Marcano
robert at marcanoonline.com
Tue Jan 7 12:41:34 UTC 2025
On 1/7/25 6:34 AM, Stefan G. Weichinger via samba wrote:
>
> In a samba-domain at a customer we use the AD-DCs for authenticating
> VPN-users.
>
> I export the ca.pem and cert.pem from /var/lib/samba/private/tls and
> import them in the pfSense we use as VPN gateway.
>
> When the certs are close to expiry I rm the files from that directory
> and let samba recreate all 3 files (CA, key, cert)
>
> Is there a more elegant way of doing that renewal?
>
> IMO the CA could live longer, right?
>
> I assume this leads to openssl-fiddling, rm-ing is somewhat easier to
> do ;-)
>
> Maybe only rm the cert/key pair?
>
> Any tips welcome.
>
You could run your own CA authority. There are many alternatives for
large deployments (I use dogtag embedded on FreeIPA), but for smaller
ones you could do it with local GUIs like XCA (1)
(1) https://www.hohnstaedt.de/xca/
You can create a new CA for 20 years for example, and renew your Samba
certificates every year or the period you like. You just replace the
samba CA certificate and key files with one generated by your CA.
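As an added example (not code from either poster), a POSIX shell sketch of the setup Robert describes: a long-lived local CA and a yearly DC certificate in the three-file layout Samba reads from /var/lib/samba/private/tls (ca.pem, cert.pem, key.pem). It assumes openssl is installed, writes to a staging directory (OUT_DIR) rather than the live Samba directory, and the hostnames and CA name are placeholders.

```shell
#!/bin/sh
# Added example: local CA for ~20 years, DC certificate renewed yearly.
# OUT_DIR is a staging dir; copy the results into /var/lib/samba/private/tls.
set -eu
OUT_DIR="${OUT_DIR:-./tls-demo}"
CA_DAYS=7300    # roughly 20 years, as suggested in the reply
CERT_DAYS=365   # renew the DC certificate every year

# Create the CA key and self-signed CA certificate once (CA:TRUE is set by
# the default openssl.cnf v3_ca section used by "req -x509").
make_ca() {
  mkdir -p "$OUT_DIR"
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days "$CA_DAYS" \
    -keyout "$OUT_DIR/ca-key.pem" -out "$OUT_DIR/ca.pem" \
    -subj "/CN=Example Samba CA" 2>/dev/null
  chmod 600 "$OUT_DIR/ca-key.pem"
}

# Issue a DC certificate signed by the CA. $1 = DC FQDN (placeholder),
# $2 = optional extra SAN entries such as "DNS:dc1,IP:10.0.0.10".
issue_dc_cert() {
  fqdn=$1; extra=${2:-}
  san="DNS:$fqdn"
  if [ -n "$extra" ]; then san="$san,$extra"; fi
  ext=$(mktemp)
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > "$ext"
  openssl req -new -newkey rsa:3072 -nodes -sha256 -keyout "$OUT_DIR/key.pem" \
    -out "$OUT_DIR/dc.csr" -subj "/CN=$fqdn" 2>/dev/null
  openssl x509 -req -in "$OUT_DIR/dc.csr" -CA "$OUT_DIR/ca.pem" \
    -CAkey "$OUT_DIR/ca-key.pem" -CAcreateserial -days "$CERT_DAYS" -sha256 \
    -extfile "$ext" -out "$OUT_DIR/cert.pem" 2>/dev/null
  rm -f "$ext" "$OUT_DIR/dc.csr"
  chmod 600 "$OUT_DIR/key.pem"
}

# Days until the certificate in $1 expires; a renewal cron job can compare
# this against a threshold instead of waiting for the VPN to break.
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
  echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Check that cert.pem chains to ca.pem, which is what the VPN gateway
# validates once it has imported ca.pem.
verify_chain() {
  openssl verify -CAfile "$OUT_DIR/ca.pem" "$OUT_DIR/cert.pem" >/dev/null
}
```

Once the gateway trusts the long-lived ca.pem, a yearly re-run of issue_dc_cert only replaces cert.pem and key.pem on the DC (Samba can also be pointed at explicit paths with the tls cafile, tls certfile and tls keyfile smb.conf options).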