Can I use my own root CA?

Hello,

I already have my own PKI set up; can I use my own root CA for UCS? My naive expectation is to replace CAcert.pem
and CAcert.key (under /etc/univention/ssl/) with my own versions and re-generate the existing certs. Is that going to work?

Thanks in advance for any hint.

I'll answer my own question, in case someone needs it:

(1) Replace these files with your own versions (in my case I already had another UCS master):
/etc/univention/ssl/password
/etc/univention/ssl/ucsCA/CAcert.pem
/etc/univention/ssl/ucsCA/private/CAkey.pem

(2) Re-create the certs:

eval "$(ucr shell)"   # export the UCR variables (e.g. $domainname) into this shell
cd /etc/univention/ssl
# renew every host certificate directory (named <host>.<domainname>) against the CA now in ucsCA/
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done

Hello,

Can you detail a bit the steps you took to replace the existing UCS Root CA?
For step 1, do you simply overwrite the existing files with the ones provided by you and keep the same names for the root certificate and key?

Also, regarding the password file: what is its purpose? Should I use another password there?

And for step 2, did you simply renew only the existing certificates?
In my setup I want to replace them with personal ones generated by my CA server, not by UCS. Is that possible?
Thank you.

For step 1, do you simply overwrite the existing files with the ones provided by you and keep the same names for the root certificate and key?

Yes.

Also, regarding the password file: what is its purpose? Should I use another password there?

The password is used to encrypt/decrypt the key. You can use your own.

And for step 2, did you simply renew only the existing certificates?
In my setup I want to replace them with personal ones generated by my CA server, not by UCS. Is that possible?

If you use your own CA server, I think you need to understand well how PKI works, so that you can integrate your own CA with UCS (and troubleshoot issues). I am not that fluent with PKI, so I just stick with the UCS CA.

I'm not certain if this can break things. Taking a glimpse at /etc/univention/ssl/ucsCA/, there are more files than just the CA CRT, REQ and key. E.g. the folder "certs" seems to hold a collection of certificates (00.pem, 01.pem, etc.) that are also present in /etc/univention/ssl/.
Are those getting recreated with your command (the for loop)?

OK, I just tried what you did. This is what happened:

  1. All certificates in /etc/univention/ssl/*. have been updated except for one, which is called "UCS.lan" → Possibly this folder is somehow caused by my (external) DHCP server, which names my DC this way. I fixed this by renaming that folder to UCS.<mydomain> and symlinking UCS.lan to UCS.<mydomain>: ln -s UCS.<mydomain> UCS.lan
  2. Certificates in /etc/univention/ssl/ that are not group-owned by "DC Backup Hosts" will not get updated. One should run chgrp -R -h "DC Backup Hosts" /etc/univention/ssl before actually renewing the CRTs.
  3. The new CRTs are added to /etc/univention/ssl/ucsCA/certs/ along with the old ones (see my initial question, "Are those getting recreated with your command"). See here for more: Renewing the SSL certificates

My current way of changing the CA and renewing my certificates is the following (all close to what Renewing the SSL certificates states):

Replace all <mydomain> below with your actual domain.

cd /etc/univention/ssl

##### Fix the issue with UCS.lan that I pointed out in 1). Only needs to be done once though. Possibly only applies to my setup.
mv UCS.lan UCS.<mydomain>
ln -s UCS.<mydomain> UCS.lan

##### What comes next applies to everyone
# Fix permissions (directories not group-owned by "DC Backup Hosts" are skipped by the renewal)
chgrp -R -h "DC Backup Hosts" /etc/univention/ssl

# Renew CRTs: every <host>.<domainname> directory gets a new certificate signed by the CA in ucsCA/
eval "$(ucr shell)"
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done

# Populate CRTs (system trust store and installed apps)
univention-certificate-check-validity
update-ca-certificates -f
univention-app update-certificates

# Make the new UCS CA available for everyone to download from the DC
install -o root -g root -m 0644 ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

If one really wants to get rid of the old CRTs still present in /etc/univention/ssl/ucsCA/certs/, run univention-certificate list and identify the IDs of the old CRTs. Then pass the IDs to univention-certificate revoke -id <theID>.
But according to Renewing the SSL certificates, this step is optional. Old CRTs will eventually expire and be removed automatically.

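Neither the first answer's two steps nor the longer script above verifies the result: after dropping in a foreign CA certificate and key and running the renew loop, nothing confirms that the key you copied actually belongs to CAcert.pem, that the password file decrypts it, or that every host certificate was really re-issued by the new CA rather than left behind (as happened with the UCS.lan directory and the wrongly group-owned directories). The following script is an added example, not code from the thread or from Univention, and it assumes the layout described in the thread: /etc/univention/ssl/ucsCA/CAcert.pem and ucsCA/private/CAkey.pem for the CA, /etc/univention/ssl/password for the CA key passphrase, and an unencrypted cert.pem and private.key in each /etc/univention/ssl/<host>.<domain>/ directory. Check those paths on your own DC before relying on it.

```shell
#!/bin/sh
# check-ucs-ca.sh: added example, not from the forum thread or Univention.
# Verifies that the root CA key/cert pair is consistent and that every host
# certificate under /etc/univention/ssl/ chains to that CA. Only openssl is
# needed. The file layout below is an assumption taken from the thread.
set -u

# Return 0 if the public key in the certificate equals the public key derived
# from the private key, i.e. the key file really belongs to this certificate.
# Optional third argument: passphrase of an encrypted key (the UCS CA key).
key_matches_cert() {
    cert="$1"; key="$2"; pass="${3:-}"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate verifies against the given CA certificate.
# Caveat: openssl verify also consults the system trust store; add
# "-no-CApath -no-CAfile" (OpenSSL >= 1.1.0) if the result must depend on
# this one CA file only.
cert_signed_by_ca() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Walk every <host>/ directory under the tree, print one line per host and
# return the number of hosts that failed a check. Directories without a
# cert.pem (ucsCA/, for instance) are skipped.
check_ssl_tree() {
    ca="$1"; tree="$2"; failures=0
    for dir in "$tree"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        host=$(basename "$dir")
        if ! cert_signed_by_ca "$ca" "$dir/cert.pem"; then
            echo "FAIL $host: cert.pem does not chain to $ca" >&2
            failures=$((failures + 1)); continue
        fi
        if ! key_matches_cert "$dir/cert.pem" "$dir/private.key"; then
            echo "FAIL $host: private.key does not belong to cert.pem" >&2
            failures=$((failures + 1)); continue
        fi
        echo "ok   $host"
    done
    return "$failures"
}

# Run the checks against a UCS DC. Order matters: a CA key/cert mismatch or
# a wrong password file would make every host check fail for the same reason.
main() {
    ssl_dir=/etc/univention/ssl
    ca_pass=$(cat "$ssl_dir/password")
    key_matches_cert "$ssl_dir/ucsCA/CAcert.pem" "$ssl_dir/ucsCA/private/CAkey.pem" "$ca_pass" \
        || { echo "CA key does not match CAcert.pem, or the password file is wrong" >&2; exit 2; }
    check_ssl_tree "$ssl_dir/ucsCA/CAcert.pem" "$ssl_dir"
}

# Only run main when invoked as check-ucs-ca.sh, so the functions can also
# be sourced into another shell.
case "${0##*/}" in check-ucs-ca.sh) main ;; esac
```

Save it as check-ucs-ca.sh on the DC and run it after the renew loop; a non-zero exit lists the hosts whose certificate still chains to the old CA (or whose key no longer matches), which is exactly the set of directories to revisit with the chgrp and UCS.lan fixes from the previous post. Running the CA check before the renew loop, right after copying CAcert.pem, CAkey.pem and password into place, catches a mismatched key or wrong passphrase before the loop re-signs anything with it.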