Signing OpenVPN server and clients certificates by Samba4 DC auto-signed CA.pem

Bad idea:

1. My samba's (Version 4.1.21-SerNet-RedHat-11.el7) ca.pem has only year of validity.
2. There's no CA private key. ca.pem - is CA certificate, cert.pem is AD's certificate and key.pem is AD's key,
3. Short CA cert length (1024b) - minimum recommended by OpenVPN developers is 2048b.

Solution? Do it backwards - use EasyRSA (3.0!) and regererate keys for samba's AD.

may I ask you how did you know that ca.pem here is just the certificate?

Simple:

RFC's 1421 pem x509 certificate file contains only lines like:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

RFC's 1421 pem x509 key:

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

so is it exactly the same as crt file which I will get from easyRSA (of course with another public key)? and in this case why is it .pem named?

No, samba uses (source What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?):

.pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

Using Easy RSA you will generate (source What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?):

.cert .cer .crt A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

But you can convert it using OpenSSL by:

openssl x509 -inform der -in certificate.cer -out certificate.pem

So cert .cer .crt A .pem (or rarely .der) format looks like:

user@linux:~/keys$ cat cert.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 74 (0x4a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, ST=XXXX, L=XXXXXXX, O=xxxxxxx.xx, OU=xxxx.xxxxxxxx.xx, CN=xxxxxxx.xx CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Oct  3 15:20:43 2014 GMT
            Not After : Sep 30 15:20:43 2024 GMT
        Subject: C=xx, ST=xxxxxx, L=xxxxxx, O=xxxxxxx.xx, OU=xxx.xxxxxxxx.xx, CN=xxxxx-xxx-gorzow/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a2:08:2c:27:64:23:33:a1:19:70:ec:63:bc:0f:
                    90:20:99:ae:c5:54:43:d4:79:5b:ea:cc:a2:98:36:
                    05:e7:8f:4c:a6:2f:a6:4c:47:fd:e5:fd:84:25:1f:
                    f1:97:d9:bd:a8:90:e4:b1:af:91:2c:97:c6:0f:7d:
                    c8:89:06:d2:95:de:92:7d:b6:23:cf:fb:ee:e1:ba:
                    b1:25:9f:19:33:e5:71:7a:50:49:7c:4b:f9:bb:ca:
                    11:40:98:d0:a8:a3:be:07:f2:75:c6:87:8e:8e:32:
                    6b:ec:10:d0:54:d0:2a:48:b9:14:25:1f:9c:fe:83:
                    4e:72:96:4f:09:ac:51:5e:42:6c:f4:6e:c4:fd:a1:
                    d5:a0:44:f0:a6:42:48:ba:47:29:6e:8b:7e:fc:d0:
                    01:0f:58:67:ce:a1:f7:13:5c:5c:bf:ba:9f:77:68:
                    6e:40:83:d5:b3:61:44:be:f0:df:84:92:cd:00:39:
                    9b:e9:1f:b2:6c:3b:e5:3d:12:e2:f7:6d:83:34:09:
                    e9:49:68:7a:1a:2d:22:ae:05:23:55:ad:8c:bb:4c:
                    7e:87:96:3b:a5:66:64:10:09:cf:32:19:eb:e0:b4:
                    3d:17:91:43:2e:f3:5f:39:d8:6a:83:a8:7d:4a:7a:
                    7b:9f:37:77:ed:ba:58:98:17:ae:18:df:42:f4:c9:
                    d3:82:bc:9f:f8:33:b6:d8:54:0b:7b:1d:4c:0a:b2:
                    f4:88:7b:8d:1f:f3:15:2d:45:3b:c0:c1:11:66:e2:
                    64:28:e4:38:dc:00:1a:f6:38:64:43:d6:ad:d5:19:
                    34:13:98:38:b8:a9:e7:21:41:57:d3:44:80:dc:91:
                    c6:66:b3:88:ba:06:ad:42:b0:77:b0:8b:79:38:94:
                    11:b4:fa:7a:3f:3b:49:4d:00:e1:8c:79:49:8f:13:
                    ef:b4:d8:05:0a:be:04:38:6a:40:6b:66:98:e3:2e:
                    ea:9a:85:67:b2:c3:a2:df:7d:99:5d:1e:13:f8:f1:
                    53:31:99:bd:32:5d:f8:44:d0:b0:6b:2a:94:80:c9:
                    81:75:90:d4:71:31:aa:cc:6a:32:3d:eb:36:74:15:
                    c7:9c:42:5b:2d:d0:6a:c0:f4:2e:1a:bb:da:e8:46:
                    f5:96:04:7c:ed:67:bf:c2:8b:1d:46:a3:e6:77:62:
                    ec:6b:cb:75:63:a9:6d:ff:71:1e:5b:97:1d:1c:66:
                    89:41:5a:a0:bc:c6:47:35:db:48:e7:9f:d5:d0:cb:
                    a6:0c:93:a3:86:c4:c9:e9:4a:37:59:ed:4b:3e:2e:
                    c1:8b:f7:86:19:53:8a:7c:d3:ae:ce:ef:e6:30:44:
                    1f:1d:89:63:65:0a:6d:43:46:8a:6c:4f:92:a2:9a:
                    ff:1d:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                87:13:F1:54:F1:C8:FD:E0:92:C5:DF:38:1C:40:BC:E6:A3:4D:BE:78
            X509v3 Authority Key Identifier: 
                keyid:24:54:C7:C9:16:D8:F6:40:86:E8:04:5D:FA:24:FE:B6:13:D8:E9:0B
                DirName:/C=xx/ST=xxxxx/L=xxxxxx/O=xxxx.xx/OU=xxxx.xxxxxx.xx/CN=xxxxxx.xx CA/name=EasyRSA/[email protected]                serial:D6:66:FB:08:85:0B:15:74

        X509v3 Extended Key Usage: 
            TLS Web Client Authentication
        X509v3 Key Usage: 
            Digital Signature
Signature Algorithm: sha256WithRSAEncryption
     a8:cc:68:69:37:fa:36:36:44:f7:c3:da:9e:81:a9:20:26:58:
     1c:51:8e:b8:d9:df:c7:45:1d:95:0c:0e:bd:65:24:9b:40:26:
     4c:97:3a:e1:10:34:98:cd:bc:52:18:02:25:81:b2:b8:18:39:
     a8:8a:d5:6e:b5:d2:8a:be:53:a2:96:d6:42:af:80:a5:5d:73:
     04:6e:bb:ac:8a:0a:ba:ed:32:ff:37:0f:67:2d:75:b6:35:df:
     e9:08:aa:c0:66:64:6f:ad:b4:c0:fb:21:a6:ce:f3:69:8f:75:
     13:62:ce:80:59:1f:63:4e:e7:e4:97:3c:a6:9c:7a:3c:cd:8e:
     61:32:a9:6d:1c:c6:ce:83:71:3c:2b:6a:93:eb:fd:ea:03:9c:
     93:8a:bb:87:8f:0d:33:19:96:1a:9b:ce:05:e3:ef:97:c1:80:
     e0:26:86:d5:64:1e:da:d0:89:09:7b:3f:2c:d1:78:3f:6c:c3:
     8a:f2:da:e1:c8:ac:42:e4:69:b2:8a:00:71:dc:26:2e:fc:0b:
     14:de:ea:3d:aa:42:4e:32:43:d2:4b:49:21:26:94:d9:98:c9:
     18:6a:24:2f:49:95:9e:31:17:88:4b:f6:5b:34:61:ea:cf:6d:
     6c:06:bf:aa:f4:65:1d:0f:bd:2c:b5:5b:21:0f:19:72:a3:54:
     02:d1:99:d3:d6:36:cd:97:5b:ff:06:5b:dd:9c:bc:57:ba:1a:
     2e:3b:7a:11:c9:a8:7d:3b:99:28:21:dc:0f:cf:00:65:ef:f8:
     ad:73:5d:30:c6:ff:a7:07:b3:71:2b:7d:75:f0:84:3e:f0:69:
     36:0f:ac:8d:f1:a7:56:fe:73:40:e7:03:6d:a8:70:01:dd:1a:
     1c:eb:cd:4a:d5:34:c4:85:38:b4:72:1b:fd:69:2f:31:32:4c:
     7f:c1:dd:76:85:69:9c:8c:7b:29:33:0e:29:3d:4e:ad:00:96:
     dc:31:b2:be:55:09:37:53:77:53:20:5e:19:cd:b8:5e:00:f9:
     62:77:75:b0:4d:7f:f2:b5:b4:a2:d9:9b:17:66:c9:42:4e:cf:
     c3:4a:d5:75:98:55:e3:bd:d7:13:02:5f:a5:e8:bb:d4:db:4f:
     44:73:e5:42:1d:7f:bc:20:65:56:99:38:0b:2c:36:82:19:31:
     d8:7a:30:e5:83:08:a2:18:2e:7c:06:30:81:34:e4:c8:03:24:
     9e:db:f9:df:9f:aa:99:19:7a:4e:3d:7f:ee:c2:a3:fc:b4:9f:
     fb:ea:ab:a3:f2:aa:6f:e4:c9:ec:98:bb:d1:69:ef:6a:34:b2:
     5a:9d:d3:96:0e:14:80:ed:29:ee:0c:1b:2f:f9:1c:41:a1:ad:
     8c:1c:20:81:1c:9e:08:56

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

And pem defined in RFC 1421

user@linux:~/keys$ cat cert.pem 

-----BEGIN CERTIFICATE-----
MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx
EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z
b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV
BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG
9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0
MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw
DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE
CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6
b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv
bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj
M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R
LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO
jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB
D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6
Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY
mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk
Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ
jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB
dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1
Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK
fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU
JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD
VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv
d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz
b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB
FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG
AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE
98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV
brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z
aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW
GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q
PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z
cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez
cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd
doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ
Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu
fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T
lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY=
-----END CERTIFICATE-----

What do you think about what I said about the OpenVPN (it doesn't work and I read that I need to use the same certs signiture), do you think that will help?

I completely miss sense of this. I don't know what did you read and what signature are you talking about.

how can I know if my pem file includes just the certificate or both the certificate and the private key as well?

I've never seen RFC's 1421 pem certificate with key inside (or with whole keychain), but I believe it'll look like:

user@linux:~/keys$ cat cert-with-key.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
user@linux:~/keys$

I mean one file that contains this lines with hidden by me cryptographic data. I have always two files, one for private key and one with public.