Hello,
I already my own PKI setup; can I use my own root CA for UCS? My naive expectation is to replace CAcert.pem
and CAcert.key (under /etc/univention/ssl/) by my version, and re-generate the existing certs. Is it going to work?
thanks in advance for any hint
I answer my own question, in case someone might need it:
(1) replace these files by my own version (in my case I had already another UCS master):
/etc/univention/ssl/password
/etc/univention/ssl/ucsCA/CAcert.pem
/etc/univention/ssl/ucsCA/private/CAkey.pem
(2) re-create the certs:
eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done
Hello,
Can you detail bit the steps you took to replace the existing UCS Root CA ?
For step 1 simply overwrite the existing files with ones provided by you and leave the same name for the root certificate and key ?
Also regarding the password file what it is its purpose ? should I use another password there ?
And for step 2 you simply renewed only the existing certificates ?
In my setup I want to replaced them also with personal ones generated by my CA server not UCS. Is it possible ?
Thank you.
For step 1 simply overwrite the existing files with ones provided by you and leave the same name for the root certificate and key ?
yes
Also regarding the password file what it is its purpose ? should I use another password there ?
the password is used to encrypt/decrypt the key. You can use your own.
And for step 2 you simply renewed only the existing certificates ?
In my setup I want to replaced them also with personal ones generated by my CA server not UCS. Is it possible ?
if you use your own CA server I think you need to understand well how PKI works, so that you can integrate your own CA with UCS (and troubleshot issues). I am not that fluent with PKI so I just stick with UCS CA.