Can I use my own root CA?

Ok, I just tried what you did. This is what happened:

  1. All certificates in /etc/univention/ssl/* have been updated except for one that is called “UCS.lan”. Possibly this folder is somehow caused by my (external) DHCP server, which names my DC like this. I fixed this by renaming that folder to UCS.<mydomain> and symlinking UCS.lan to UCS.<mydomain>: ln -s UCS.<mydomain> UCS.lan
  2. Certificates in /etc/univention/ssl/ that are not group-owned by “DC Backup Hosts” will not get updated. One should run chgrp -R -h "DC Backup Hosts" /etc/univention/ssl before actually renewing the CRTs.
  3. The new CRTs are getting added to /etc/univention/ssl/ucsCA/certs/ along with the old ones (see my initial question about ‘Are those getting recreated with your command’). See more here: Renewing the SSL certificates

My current way of changing the CA and renewing my certificates is the following (all close to what Renewing the SSL certificates states):

Replace all <mydomain> with your actual domain down below.

cd /etc/univention/ssl

##### Fix the issue with UCS.lan that I pointed out in 1). Only needs to be done once though. Possibly only applies to my setup
mv UCS.lan UCS.<mydomain>
ln -s UCS.<mydomain> UCS.lan

##### What comes next applies to everyone
# Fix permissions
chgrp -R -h "DC Backup Hosts" /etc/univention/ssl

# Renew CRTs
eval "$(ucr shell)"
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done

# Populate CRTs
univention-certificate-check-validity
update-ca-certificates -f
univention-app update-certificates

# Make new UCS CA available for everyone to download from the DC
install -o root -g root -m 0644 ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

If one really wants to get rid of the old CRTs still present in /etc/univention/ssl/ucsCA/certs/, run univention-certificate list and identify the IDs of the old CRTs. Then pass the IDs to univention-certificate revoke -id <theID>.
But according to Renewing the SSL certificates, this step is optional. Old CRTs will eventually expire and be removed automatically.
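As an added pre-flight check for the two pitfalls described in points 1) and 2) above (this is example code, not part of the original post and not a Univention tool), the following POSIX shell script reports entries under the ssl directory that the renewal loop's *."$domainname" glob would silently skip (such as a stray UCS.lan directory) and paths that are not group-owned by the expected group. The default path /etc/univention/ssl and the group name "DC Backup Hosts" are taken from the post; the function names and the argument layout are this example's own assumptions.

```shell
#!/bin/sh
# Added pre-flight check to run before the renewal loop from the post.
# Not part of UCS; function names and defaults are this example's own.
#
# Two things the post found out the hard way:
#   1. the renew loop only touches entries matching *."$domainname",
#      so an entry like UCS.lan is silently left out;
#   2. entries not group-owned by "DC Backup Hosts" are not renewed.

# find_foreign_names DIR DOMAIN
# Prints host entries under DIR whose name does not end in ".DOMAIN".
# ucsCA (the CA directory) and symlinks such as the UCS.lan compatibility
# link from the post are skipped on purpose.
find_foreign_names() {
    dir="$1"
    domain="$2"
    for entry in "$dir"/*; do
        [ -d "$entry" ] || continue          # only directories hold host certs
        if [ -L "$entry" ]; then continue; fi  # compatibility links point elsewhere
        name="${entry##*/}"
        case "$name" in
            ucsCA) ;;                        # the CA itself, not a host entry
            *".$domain") ;;                  # picked up by the renew loop
            *) printf '%s\n' "$name" ;;      # would be skipped: report it
        esac
    done
}

# find_wrong_group DIR GROUP
# Prints every path below DIR that is not group-owned by GROUP.
# find uses lstat, so symlinks are checked themselves, matching chgrp -h.
find_wrong_group() {
    find "$1" ! -group "$2"
}

# preflight DIR DOMAIN GROUP
# Returns 0 when nothing needs attention, 1 otherwise.
preflight() {
    dir="$1"
    domain="$2"
    group="$3"
    status=0

    foreign=$(find_foreign_names "$dir" "$domain")
    if [ -n "$foreign" ]; then
        echo "Entries not named *.$domain (the renew loop will skip these):"
        echo "$foreign" | sed 's/^/  /'
        status=1
    fi

    wrong=$(find_wrong_group "$dir" "$group")
    if [ -n "$wrong" ]; then
        echo "Paths not group-owned by '$group' (run chgrp -R -h first):"
        echo "$wrong" | sed 's/^/  /'
        status=1
    fi

    return "$status"
}

# Usage (after eval "$(ucr shell)" so that $domainname is set):
#   sh preflight.sh /etc/univention/ssl "$domainname" "DC Backup Hosts"
if [ "$#" -ge 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

On the poster's system the first check would have listed UCS.lan before the rename, and the second check would have listed every path that the chgrp -R -h step still had to fix; once both lists are empty, the for loop over *."$domainname" really covers every host entry.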