通过 Samba4 DC 自动签名 CA.pem 签署 OpenVPN 服务器和客户端证书

馊主意：

1. 我的 samba ( Version 4.1.21-SerNet-RedHat-11.el7) ca.pem 只有一年的有效期。
2. 没有 CA 私钥。ca.pem- 是 CA 证书，cert.pem是 AD 的证书，key.pem是 AD 的密钥，
3. 较短的 CA 证书长度 (1024b) - OpenVPN 开发人员推荐的最小值为 2048b。

解决方案？向后做 - 使用 EasyRSA (3.0!) 并为 samba 的 AD 重新生成密钥。

请问你怎么知道这里的 ca.pem 只是证书？

简单的：

RFC 的 1421 pem x509 证书文件仅包含以下行：

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

RFC 的 1421 pem x509 密钥：

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

那么它与我从easyRSA获得的crt文件完全相同（当然还有另一个公钥）？在这种情况下，为什么将其命名为 .pem？

不，samba 使用（源什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？）：

.pem 在 RFC 的 1421 到 1424 中定义，这是一种容器格式，可能仅包括公共证书（例如 Apache 安装和 CA 证书文件 /etc/ssl/certs），或者可能包括包括公共密钥在内的整个证书链、私钥和根证书。令人困惑的是，它也可能对 CSR 进行编码（例如，此处使用的），因为 PKCS10 格式可以转换为 PEM。该名称来自隐私增强邮件 (PEM)，这是一种失败的安全电子邮件方法，但它使用的容器格式仍然存在，并且是 x509 ASN.1 密钥的 base64 转换。

使用 Easy RSA 您将生成（源什么是 Pem 文件以及它与其他 OpenSSL 生成的密钥文件格式有何不同？）：

.cert .cer .crt 具有不同扩展名的 .pem（或很少是 .der）格式的文件，Windows Explorer 将其识别为证书，而 .pem 则不是。

但是您可以通过以下方式使用 OpenSSL 对其进行转换：

openssl x509 -inform der -in certificate.cer -out certificate.pem

所以 cert .cer .crt .pem（或很少是 .der）格式看起来像：

user@linux:~/keys$ cat cert.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 74 (0x4a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, ST=XXXX, L=XXXXXXX, O=xxxxxxx.xx, OU=xxxx.xxxxxxxx.xx, CN=xxxxxxx.xx CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Oct  3 15:20:43 2014 GMT
            Not After : Sep 30 15:20:43 2024 GMT
        Subject: C=xx, ST=xxxxxx, L=xxxxxx, O=xxxxxxx.xx, OU=xxx.xxxxxxxx.xx, CN=xxxxx-xxx-gorzow/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a2:08:2c:27:64:23:33:a1:19:70:ec:63:bc:0f:
                    90:20:99:ae:c5:54:43:d4:79:5b:ea:cc:a2:98:36:
                    05:e7:8f:4c:a6:2f:a6:4c:47:fd:e5:fd:84:25:1f:
                    f1:97:d9:bd:a8:90:e4:b1:af:91:2c:97:c6:0f:7d:
                    c8:89:06:d2:95:de:92:7d:b6:23:cf:fb:ee:e1:ba:
                    b1:25:9f:19:33:e5:71:7a:50:49:7c:4b:f9:bb:ca:
                    11:40:98:d0:a8:a3:be:07:f2:75:c6:87:8e:8e:32:
                    6b:ec:10:d0:54:d0:2a:48:b9:14:25:1f:9c:fe:83:
                    4e:72:96:4f:09:ac:51:5e:42:6c:f4:6e:c4:fd:a1:
                    d5:a0:44:f0:a6:42:48:ba:47:29:6e:8b:7e:fc:d0:
                    01:0f:58:67:ce:a1:f7:13:5c:5c:bf:ba:9f:77:68:
                    6e:40:83:d5:b3:61:44:be:f0:df:84:92:cd:00:39:
                    9b:e9:1f:b2:6c:3b:e5:3d:12:e2:f7:6d:83:34:09:
                    e9:49:68:7a:1a:2d:22:ae:05:23:55:ad:8c:bb:4c:
                    7e:87:96:3b:a5:66:64:10:09:cf:32:19:eb:e0:b4:
                    3d:17:91:43:2e:f3:5f:39:d8:6a:83:a8:7d:4a:7a:
                    7b:9f:37:77:ed:ba:58:98:17:ae:18:df:42:f4:c9:
                    d3:82:bc:9f:f8:33:b6:d8:54:0b:7b:1d:4c:0a:b2:
                    f4:88:7b:8d:1f:f3:15:2d:45:3b:c0:c1:11:66:e2:
                    64:28:e4:38:dc:00:1a:f6:38:64:43:d6:ad:d5:19:
                    34:13:98:38:b8:a9:e7:21:41:57:d3:44:80:dc:91:
                    c6:66:b3:88:ba:06:ad:42:b0:77:b0:8b:79:38:94:
                    11:b4:fa:7a:3f:3b:49:4d:00:e1:8c:79:49:8f:13:
                    ef:b4:d8:05:0a:be:04:38:6a:40:6b:66:98:e3:2e:
                    ea:9a:85:67:b2:c3:a2:df:7d:99:5d:1e:13:f8:f1:
                    53:31:99:bd:32:5d:f8:44:d0:b0:6b:2a:94:80:c9:
                    81:75:90:d4:71:31:aa:cc:6a:32:3d:eb:36:74:15:
                    c7:9c:42:5b:2d:d0:6a:c0:f4:2e:1a:bb:da:e8:46:
                    f5:96:04:7c:ed:67:bf:c2:8b:1d:46:a3:e6:77:62:
                    ec:6b:cb:75:63:a9:6d:ff:71:1e:5b:97:1d:1c:66:
                    89:41:5a:a0:bc:c6:47:35:db:48:e7:9f:d5:d0:cb:
                    a6:0c:93:a3:86:c4:c9:e9:4a:37:59:ed:4b:3e:2e:
                    c1:8b:f7:86:19:53:8a:7c:d3:ae:ce:ef:e6:30:44:
                    1f:1d:89:63:65:0a:6d:43:46:8a:6c:4f:92:a2:9a:
                    ff:1d:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                87:13:F1:54:F1:C8:FD:E0:92:C5:DF:38:1C:40:BC:E6:A3:4D:BE:78
            X509v3 Authority Key Identifier: 
                keyid:24:54:C7:C9:16:D8:F6:40:86:E8:04:5D:FA:24:FE:B6:13:D8:E9:0B
                DirName:/C=xx/ST=xxxxx/L=xxxxxx/O=xxxx.xx/OU=xxxx.xxxxxx.xx/CN=xxxxxx.xx CA/name=EasyRSA/[email protected]                serial:D6:66:FB:08:85:0B:15:74

        X509v3 Extended Key Usage: 
            TLS Web Client Authentication
        X509v3 Key Usage: 
            Digital Signature
Signature Algorithm: sha256WithRSAEncryption
     a8:cc:68:69:37:fa:36:36:44:f7:c3:da:9e:81:a9:20:26:58:
     1c:51:8e:b8:d9:df:c7:45:1d:95:0c:0e:bd:65:24:9b:40:26:
     4c:97:3a:e1:10:34:98:cd:bc:52:18:02:25:81:b2:b8:18:39:
     a8:8a:d5:6e:b5:d2:8a:be:53:a2:96:d6:42:af:80:a5:5d:73:
     04:6e:bb:ac:8a:0a:ba:ed:32:ff:37:0f:67:2d:75:b6:35:df:
     e9:08:aa:c0:66:64:6f:ad:b4:c0:fb:21:a6:ce:f3:69:8f:75:
     13:62:ce:80:59:1f:63:4e:e7:e4:97:3c:a6:9c:7a:3c:cd:8e:
     61:32:a9:6d:1c:c6:ce:83:71:3c:2b:6a:93:eb:fd:ea:03:9c:
     93:8a:bb:87:8f:0d:33:19:96:1a:9b:ce:05:e3:ef:97:c1:80:
     e0:26:86:d5:64:1e:da:d0:89:09:7b:3f:2c:d1:78:3f:6c:c3:
     8a:f2:da:e1:c8:ac:42:e4:69:b2:8a:00:71:dc:26:2e:fc:0b:
     14:de:ea:3d:aa:42:4e:32:43:d2:4b:49:21:26:94:d9:98:c9:
     18:6a:24:2f:49:95:9e:31:17:88:4b:f6:5b:34:61:ea:cf:6d:
     6c:06:bf:aa:f4:65:1d:0f:bd:2c:b5:5b:21:0f:19:72:a3:54:
     02:d1:99:d3:d6:36:cd:97:5b:ff:06:5b:dd:9c:bc:57:ba:1a:
     2e:3b:7a:11:c9:a8:7d:3b:99:28:21:dc:0f:cf:00:65:ef:f8:
     ad:73:5d:30:c6:ff:a7:07:b3:71:2b:7d:75:f0:84:3e:f0:69:
     36:0f:ac:8d:f1:a7:56:fe:73:40:e7:03:6d:a8:70:01:dd:1a:
     1c:eb:cd:4a:d5:34:c4:85:38:b4:72:1b:fd:69:2f:31:32:4c:
     7f:c1:dd:76:85:69:9c:8c:7b:29:33:0e:29:3d:4e:ad:00:96:
     dc:31:b2:be:55:09:37:53:77:53:20:5e:19:cd:b8:5e:00:f9:
     62:77:75:b0:4d:7f:f2:b5:b4:a2:d9:9b:17:66:c9:42:4e:cf:
     c3:4a:d5:75:98:55:e3:bd:d7:13:02:5f:a5:e8:bb:d4:db:4f:
     44:73:e5:42:1d:7f:bc:20:65:56:99:38:0b:2c:36:82:19:31:
     d8:7a:30:e5:83:08:a2:18:2e:7c:06:30:81:34:e4:c8:03:24:
     9e:db:f9:df:9f:aa:99:19:7a:4e:3d:7f:ee:c2:a3:fc:b4:9f:
     fb:ea:ab:a3:f2:aa:6f:e4:c9:ec:98:bb:d1:69:ef:6a:34:b2:
     5a:9d:d3:96:0e:14:80:ed:29:ee:0c:1b:2f:f9:1c:41:a1:ad:
     8c:1c:20:81:1c:9e:08:56

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

和 RFC 1421 中定义的 pem

user@linux:~/keys$ cat cert.pem 

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

您如何看待我所说的关于 OpenVPN 的内容（它不起作用，我读到我需要使用相同的证书签名），您认为这会有所帮助吗？

我完全怀念这种感觉。我不知道你读了什么，你在说什么签名。

我怎么知道我的 pem 文件是只包含证书还是同时包含证书和私钥？

我从来没有见过 RFC 的 1421 pem 证书里面有钥匙（或整个钥匙串），但我相信它看起来像：

user@linux:~/keys$ cat cert-with-key.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
user@linux:~/keys$

我的意思是一个文件，其中包含我隐藏的加密数据。我总是有两个文件，一个用于私钥，一个用于公钥。