Can I use my own root CA?

Hello,

I already have my own PKI setup; can I use my own root CA for UCS? My naive expectation is to replace CAcert.pem
and CAcert.key (under /etc/univention/ssl/) by my version, and re-generate the existing certs. Is it going to work?

Thanks in advance for any hint.

I answer my own question, in case someone might need it:

(1) replace these files by my own version (in my case I had already another UCS master):
/etc/univention/ssl/password
/etc/univention/ssl/ucsCA/CAcert.pem
/etc/univention/ssl/ucsCA/private/CAkey.pem

(2) re-create the certs:

eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done 
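
A post-swap sanity check for the two steps in the answer above, added here as an example (it is not from the original poster or from Univention): it confirms that the password file decrypts CAkey.pem, that the key belongs to CAcert.pem, and lists host directories whose certificate does not verify against the current CA. The `SSL_DIR` override, the function names and the per-host `cert.pem` file name are assumptions.

```shell
#!/bin/sh
# Added example (not Univention code). Paths are the ones named in the post;
# the per-host cert.pem file name and SSL_DIR override are assumptions.
SSL_DIR="${SSL_DIR:-/etc/univention/ssl}"

# Public key embedded in the CA certificate (PEM on stdout).
ca_cert_pubkey() {
    openssl x509 -in "$SSL_DIR/ucsCA/CAcert.pem" -noout -pubkey
}

# Public key derived from the CA private key; fails if the password file
# does not decrypt the key.
ca_key_pubkey() {
    openssl pkey -in "$SSL_DIR/ucsCA/private/CAkey.pem" \
        -passin "file:$SSL_DIR/password" -pubout
}

# True only if password, key and certificate belong together.
ca_pair_ok() {
    key_pub=$(ca_key_pubkey 2>/dev/null) || return 1
    cert_pub=$(ca_cert_pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print each host directory whose cert.pem does not verify against the
# current CAcert.pem (for example, still signed by the previous CA).
stale_certs() {
    for d in "$SSL_DIR"/*/; do
        name=$(basename "$d")
        [ "$name" = "ucsCA" ] && continue
        [ -f "${d}cert.pem" ] || continue
        openssl verify -CAfile "$SSL_DIR/ucsCA/CAcert.pem" \
            "${d}cert.pem" >/dev/null 2>&1 || echo "$name"
    done
}

# 0 = consistent, 1 = CA files do not match, 2 = some certs need renewing.
check_ca_swap() {
    if ! ca_pair_ok; then
        echo "CAkey.pem, CAcert.pem and password do not belong together" >&2
        return 1
    fi
    stale=$(stale_certs)
    if [ -n "$stale" ]; then
        printf 'not issued by the current CA:\n%s\n' "$stale" >&2
        return 2
    fi
}

if [ "${1:-}" = "check" ]; then check_ca_swap; fi
```

Run it as root with the argument `check` once the renew loop has finished; exit status 0 means the CA files are consistent and every host certificate found verifies against the replaced CA.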

Hello,

Can you detail a bit the steps you took to replace the existing UCS Root CA?
For step 1, simply overwrite the existing files with the ones provided by you and leave the same name for the root certificate and key?

Also, regarding the password file, what is its purpose? Should I use another password there?

And for step 2, you simply renewed only the existing certificates?
In my setup I want to replace them also with personal ones generated by my CA server, not UCS. Is it possible?
Thank you.

> For step 1, simply overwrite the existing files with the ones provided by you and leave the same name for the root certificate and key?

Yes.

> Also, regarding the password file, what is its purpose? Should I use another password there?

The password is used to encrypt/decrypt the key. You can use your own.

> And for step 2, you simply renewed only the existing certificates?
> In my setup I want to replace them also with personal ones generated by my CA server, not UCS. Is it possible?

If you use your own CA server, I think you need to understand well how PKI works, so that you can integrate your own CA with UCS (and troubleshoot issues). I am not that fluent with PKI, so I just stick with the UCS CA.
