LDAPS connection without CA
-
Hi.
I've a locally implemented Samba AD setup, and I'm configuring LDAP auth in pfSense 2.5.1.
As default generated Samba certificates are valid for 700 days, I'm creating my custom certs with openssl, but without a CA. This is what my Samba config looks like:
tls enabled = yes
tls keyfile = tls/HOSTNAME.key
tls certfile = tls/HOSTNAME.cert
tls cafile =
From what I've learned, pfSense requires the CA cert for LDAPS connection. How can I deal with this situation, where the cert hasn't been signed by a CA?
Thanks -
@maxxer just use pfsense to generate the cert and copy/paste the whole chain to your samba server
-
@heper thanks, indeed that could work, but it's making the things from down up. I'd rather find a solution using my own certs/setup
-
@maxxer well it's up to you if you want to make things more difficult than they have to be
enjoy
-
@heper I simply don't want to depend on pfSense to deploy a certificate in Samba or whatever other service
-
@maxxer well that's up to you.
you can setup a CA on any other device, that is not pfsense, to depend upon for your certificate chain then
-
How can pfSense authenticate the server if it doesn't have a CA cert to authenticate it against?
-
What puzzles me, I'm creating a CA following this guide, but pfSense says the cert created is not for a CA but for a simple cert.
The command is:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
-
@maxxer you did import your created CA on your pfsense device right ?
-
@heper said in LDAPS connection without CA:
@maxxer you did import your created CA on your pfsense device right ?
Yes, when I import in pfSense CA it says:
The submitted certificate does not appear to be a Certificate Authority, import it on the Certificates tab instead.
-
@maxxer then you are doing something wrong ....
I followed your guide to create the CA & copy/pasted it to one of my pfsense devices and it imported just fine.
it doesn't like the private key because pfsense doesn't seem to like encrypted private keys. (lose the -des3)
-
@heper thanks for testing. Shame on me, I was running the commands on macOS and not on Linux. Trying on the latter worked, indeed! Damn mac, how much wasted time on this!! Thanks again
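Added example (not code from this thread or from the Samba or pfSense projects): the CA-creation step from maxxer's post, the unencrypted private key heper mentions (no -des3), and a server certificate signed by that CA, in one script. The X.509 extensions are written out explicitly in a small openssl config instead of relying on whatever openssl.cnf the platform ships with, so the CA certificate carries basicConstraints CA:TRUE wherever it is generated; the host name dc1.example.lan, the directory layout and the "Home Lab Root CA" subject are constructed placeholders. The check functions at the end test what a CA import and a TLS client look for: the CA flag on ca.pem, the absence of it on server.pem, the chain from server.pem back to ca.pem, and the host name in the server cert's SAN.

```shell
#!/bin/sh
# Added example, not code from the forum thread: build a private CA and a
# Samba LDAPS server certificate signed by it, with the X.509 extensions
# stated explicitly so the outcome does not depend on the platform's
# default openssl.cnf. Host name and paths are constructed sample values.
set -eu

SAMBA_HOST="dc1.example.lan"   # constructed sample host name

# Minimal openssl config with separate extension sections for the CA
# certificate and for the server certificate.
write_ext_config() {
    cfg="$1"
    host="$2"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
# Overridden by -subj on the command line; 'req' still wants a DN section.
commonName = placeholder

[ v3_ca ]
# The flag a CA import checks for; without it the file is an ordinary
# end-entity certificate and belongs on the Certificates tab instead.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}

# Create ca.key/ca.pem and server.key/server.pem under the given directory.
make_ca_and_server_cert() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"
    write_ext_config "$dir/ext.cnf" "$host"

    # CA key left unencrypted on purpose (no -des3), which is what the
    # thread reports the pfSense import accepts.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 1825 \
        -subj "/CN=Home Lab Root CA" \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -out "$dir/ca.pem"

    # Server key and CSR, then sign the CSR with the CA using v3_server.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -config "$dir/ext.cnf" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 730 -sha256 \
        -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/server.pem" 2>/dev/null
}

# Exit status 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit status 0 if the server certificate chains to the given CA file,
# which is the check a TLS client such as pfSense performs on LDAPS.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit status 0 if the certificate lists the host name in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage demo: build everything in a scratch directory and report.
DEMO_DIR=$(mktemp -d)
make_ca_and_server_cert "$DEMO_DIR" "$SAMBA_HOST"
cert_is_ca "$DEMO_DIR/ca.pem" && echo "ca.pem: basicConstraints CA:TRUE present"
cert_is_ca "$DEMO_DIR/server.pem" || echo "server.pem: not a CA, an ordinary server cert"
verify_chain "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem" && echo "server.pem chains to ca.pem"
cert_has_san "$DEMO_DIR/server.pem" "$SAMBA_HOST" && echo "server.pem SAN covers $SAMBA_HOST"
echo "output in $DEMO_DIR: ca.pem ca.key server.pem server.key"
```

The generated files map onto the smb.conf keys from the first post: server.key goes to tls keyfile, server.pem to tls certfile, and ca.pem to tls cafile on the Samba side; the same ca.pem is what gets imported on the pfSense CAs tab so the LDAPS connection can be validated against it. If a certificate is rejected as "not a Certificate Authority", running cert_is_ca on it shows directly whether the CA:TRUE flag made it into the file.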