Assinatura de certificados de servidor e clientes OpenVPN pelo Samba4 DC auto-assinado CA.pem

Question

Assinatura de certificados de servidor e clientes OpenVPN pelo Samba4 DC auto-assinado CA.pem

#1 resposta do (2 votos)

1

Instalei o Samba4 e configurei-o como controlador de domínio, e ele gerou automaticamente o ca.pem, cert.pem, key.pem.

E agora eu quero usar a mesma CA do samba para assinar os novos certificados (talvez gerados pelo easyRSA ou pelo OpenSSL).

Alguém pode me orientar como fazer isso (usando o easyRSA ou o OpenSSL)?

A principal dificuldade é que eu tenho apenas arquivos pem do samba (não arquivos crt e key), portanto, não tenho certeza de como posso fazer o que eu quero.

Uma pergunta relacionada: como posso saber se meu arquivo pem inclui apenas o certificado ou o certificado e a chave privada também? (esse ponto é importante para entender minha pergunta principal, como eu acho). E, caso ele possua tanto o certificado quanto a chave privada, como posso separá-los apenas para usá-los convenientemente como arquivos crt e key?

O que eu pretendo fazer é realmente usar o Samba4 AD DC para autenticar o OpenVPN usando starttls, mas por alguma razão o openvpn não aceita isso e acho que o problema é por causa da assinatura diferente para os certificados do servidor. Qualquer ajuda é muito apreciada.

ssl openssl openvpn samba4 certificate

por Mohammed Noureldin 24.06.2016 / 15:52

1 resposta

Tags ssl openssl openvpn samba4 certificate

Protegendo o correio de administradores - Office 365 Qual é a maneira mais fácil ou preferida de implementar no Wildfly sem tempo de inatividade?

score 2 · Accepted Answer

Má ideia:

Meu samba ( Version 4.1.21-SerNet-RedHat-11.el7 ) ca.pem tem apenas um ano de validade.
Não há chave privada da CA. ca.pem - é o certificado de CA, cert.pem é o certificado do AD e key.pem é a chave do AD,
Comprimento curto do certificado de CA (1024b) - o mínimo recomendado pelos desenvolvedores do OpenVPN é 2048b.

Solução? Faça isso de trás para frente - use o EasyRSA (3.0!) E regererate keys para o AD do samba.

may I ask you how did you know that ca.pem here is just the certificate?

Simples:

O arquivo de certificado 1421 pem x509 da RFC contém apenas linhas como:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Chave x509 de 1421 pem da RFC:

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

so is it exactly the same as crt file which I will get from easyRSA (of course with another public key)? and in this case why is it .pem named?

Não, o samba usa (fonte O que é um arquivo Pem e como ele difere de outros formatos de arquivo de chave gerados do OpenSSL? ):

.pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

Usando o Easy RSA, você gerará (fonte O que é um arquivo Pem e como ele difere de outros formatos de arquivo de chave gerados do OpenSSL? ):

.cert .cer .crt A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

Mas você pode convertê-lo usando o OpenSSL por:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Portanto, o formato cert .cer .crt A .pem (ou raramente .der) se parece com:

user@linux:~/keys$ cat cert.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 74 (0x4a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, ST=XXXX, L=XXXXXXX, O=xxxxxxx.xx, OU=xxxx.xxxxxxxx.xx, CN=xxxxxxx.xx CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Oct  3 15:20:43 2014 GMT
            Not After : Sep 30 15:20:43 2024 GMT
        Subject: C=xx, ST=xxxxxx, L=xxxxxx, O=xxxxxxx.xx, OU=xxx.xxxxxxxx.xx, CN=xxxxx-xxx-gorzow/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a2:08:2c:27:64:23:33:a1:19:70:ec:63:bc:0f:
                    90:20:99:ae:c5:54:43:d4:79:5b:ea:cc:a2:98:36:
                    05:e7:8f:4c:a6:2f:a6:4c:47:fd:e5:fd:84:25:1f:
                    f1:97:d9:bd:a8:90:e4:b1:af:91:2c:97:c6:0f:7d:
                    c8:89:06:d2:95:de:92:7d:b6:23:cf:fb:ee:e1:ba:
                    b1:25:9f:19:33:e5:71:7a:50:49:7c:4b:f9:bb:ca:
                    11:40:98:d0:a8:a3:be:07:f2:75:c6:87:8e:8e:32:
                    6b:ec:10:d0:54:d0:2a:48:b9:14:25:1f:9c:fe:83:
                    4e:72:96:4f:09:ac:51:5e:42:6c:f4:6e:c4:fd:a1:
                    d5:a0:44:f0:a6:42:48:ba:47:29:6e:8b:7e:fc:d0:
                    01:0f:58:67:ce:a1:f7:13:5c:5c:bf:ba:9f:77:68:
                    6e:40:83:d5:b3:61:44:be:f0:df:84:92:cd:00:39:
                    9b:e9:1f:b2:6c:3b:e5:3d:12:e2:f7:6d:83:34:09:
                    e9:49:68:7a:1a:2d:22:ae:05:23:55:ad:8c:bb:4c:
                    7e:87:96:3b:a5:66:64:10:09:cf:32:19:eb:e0:b4:
                    3d:17:91:43:2e:f3:5f:39:d8:6a:83:a8:7d:4a:7a:
                    7b:9f:37:77:ed:ba:58:98:17:ae:18:df:42:f4:c9:
                    d3:82:bc:9f:f8:33:b6:d8:54:0b:7b:1d:4c:0a:b2:
                    f4:88:7b:8d:1f:f3:15:2d:45:3b:c0:c1:11:66:e2:
                    64:28:e4:38:dc:00:1a:f6:38:64:43:d6:ad:d5:19:
                    34:13:98:38:b8:a9:e7:21:41:57:d3:44:80:dc:91:
                    c6:66:b3:88:ba:06:ad:42:b0:77:b0:8b:79:38:94:
                    11:b4:fa:7a:3f:3b:49:4d:00:e1:8c:79:49:8f:13:
                    ef:b4:d8:05:0a:be:04:38:6a:40:6b:66:98:e3:2e:
                    ea:9a:85:67:b2:c3:a2:df:7d:99:5d:1e:13:f8:f1:
                    53:31:99:bd:32:5d:f8:44:d0:b0:6b:2a:94:80:c9:
                    81:75:90:d4:71:31:aa:cc:6a:32:3d:eb:36:74:15:
                    c7:9c:42:5b:2d:d0:6a:c0:f4:2e:1a:bb:da:e8:46:
                    f5:96:04:7c:ed:67:bf:c2:8b:1d:46:a3:e6:77:62:
                    ec:6b:cb:75:63:a9:6d:ff:71:1e:5b:97:1d:1c:66:
                    89:41:5a:a0:bc:c6:47:35:db:48:e7:9f:d5:d0:cb:
                    a6:0c:93:a3:86:c4:c9:e9:4a:37:59:ed:4b:3e:2e:
                    c1:8b:f7:86:19:53:8a:7c:d3:ae:ce:ef:e6:30:44:
                    1f:1d:89:63:65:0a:6d:43:46:8a:6c:4f:92:a2:9a:
                    ff:1d:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                87:13:F1:54:F1:C8:FD:E0:92:C5:DF:38:1C:40:BC:E6:A3:4D:BE:78
            X509v3 Authority Key Identifier: 
                keyid:24:54:C7:C9:16:D8:F6:40:86:E8:04:5D:FA:24:FE:B6:13:D8:E9:0B
                DirName:/C=xx/ST=xxxxx/L=xxxxxx/O=xxxx.xx/OU=xxxx.xxxxxx.xx/CN=xxxxxx.xx CA/name=EasyRSA/[email protected]                serial:D6:66:FB:08:85:0B:15:74

        X509v3 Extended Key Usage: 
            TLS Web Client Authentication
        X509v3 Key Usage: 
            Digital Signature
Signature Algorithm: sha256WithRSAEncryption
     a8:cc:68:69:37:fa:36:36:44:f7:c3:da:9e:81:a9:20:26:58:
     1c:51:8e:b8:d9:df:c7:45:1d:95:0c:0e:bd:65:24:9b:40:26:
     4c:97:3a:e1:10:34:98:cd:bc:52:18:02:25:81:b2:b8:18:39:
     a8:8a:d5:6e:b5:d2:8a:be:53:a2:96:d6:42:af:80:a5:5d:73:
     04:6e:bb:ac:8a:0a:ba:ed:32:ff:37:0f:67:2d:75:b6:35:df:
     e9:08:aa:c0:66:64:6f:ad:b4:c0:fb:21:a6:ce:f3:69:8f:75:
     13:62:ce:80:59:1f:63:4e:e7:e4:97:3c:a6:9c:7a:3c:cd:8e:
     61:32:a9:6d:1c:c6:ce:83:71:3c:2b:6a:93:eb:fd:ea:03:9c:
     93:8a:bb:87:8f:0d:33:19:96:1a:9b:ce:05:e3:ef:97:c1:80:
     e0:26:86:d5:64:1e:da:d0:89:09:7b:3f:2c:d1:78:3f:6c:c3:
     8a:f2:da:e1:c8:ac:42:e4:69:b2:8a:00:71:dc:26:2e:fc:0b:
     14:de:ea:3d:aa:42:4e:32:43:d2:4b:49:21:26:94:d9:98:c9:
     18:6a:24:2f:49:95:9e:31:17:88:4b:f6:5b:34:61:ea:cf:6d:
     6c:06:bf:aa:f4:65:1d:0f:bd:2c:b5:5b:21:0f:19:72:a3:54:
     02:d1:99:d3:d6:36:cd:97:5b:ff:06:5b:dd:9c:bc:57:ba:1a:
     2e:3b:7a:11:c9:a8:7d:3b:99:28:21:dc:0f:cf:00:65:ef:f8:
     ad:73:5d:30:c6:ff:a7:07:b3:71:2b:7d:75:f0:84:3e:f0:69:
     36:0f:ac:8d:f1:a7:56:fe:73:40:e7:03:6d:a8:70:01:dd:1a:
     1c:eb:cd:4a:d5:34:c4:85:38:b4:72:1b:fd:69:2f:31:32:4c:
     7f:c1:dd:76:85:69:9c:8c:7b:29:33:0e:29:3d:4e:ad:00:96:
     dc:31:b2:be:55:09:37:53:77:53:20:5e:19:cd:b8:5e:00:f9:
     62:77:75:b0:4d:7f:f2:b5:b4:a2:d9:9b:17:66:c9:42:4e:cf:
     c3:4a:d5:75:98:55:e3:bd:d7:13:02:5f:a5:e8:bb:d4:db:4f:
     44:73:e5:42:1d:7f:bc:20:65:56:99:38:0b:2c:36:82:19:31:
     d8:7a:30:e5:83:08:a2:18:2e:7c:06:30:81:34:e4:c8:03:24:
     9e:db:f9:df:9f:aa:99:19:7a:4e:3d:7f:ee:c2:a3:fc:b4:9f:
     fb:ea:ab:a3:f2:aa:6f:e4:c9:ec:98:bb:d1:69:ef:6a:34:b2:
     5a:9d:d3:96:0e:14:80:ed:29:ee:0c:1b:2f:f9:1c:41:a1:ad:
     8c:1c:20:81:1c:9e:08:56

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

E pem definido na RFC 1421

user@linux:~/keys$ cat cert.pem 

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

What do you think about what I said about the OpenVPN (it doesn't work and I read that I need to use the same certs signiture), do you think that will help?

Eu completamente sinto falta disso. Eu não sei o que você leu e de que assinatura você está falando.

how can I know if my pem file includes just the certificate or both the certificate and the private key as well?

Eu nunca vi o certificado Pfe 1421 da RFC com chave dentro (ou com chaveiro inteiro), mas acredito que se parecerá com:

user@linux:~/keys$ cat cert-with-key.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
user@linux:~/keys$

Quero dizer, um arquivo que contém essas linhas com dados criptográficos ocultos por mim. Eu tenho sempre dois arquivos, um para a chave privada e outro com o público.