Certificates for Windows workstations


I was looking at the certificates in UCS. Got certificates for “IP managed clients” as intended, they are auto generated on object creation and stored in /etc/univention/ssl/.

I also have a couple of Windows machines which are domain joined. They provide some functionality which would greatly benefit from having a trusted (domain) certificate. Those certificates have not been created, so my questions are:

  1. Am I missing something, and the certs are hiding in a different location?
  2. Do I simply generate any cert with univention-certificate? If so, what are the parameters that can be used with that command? I think I spotted something like a non-standard cert expiry time while searching the forum but can’t find it again now.




I’ve also been experimenting with certificates for Windows machines and I’ve managed to install the UCS add-on from Cool-solutions as described in https://help.univention.com/t/cool-solution-creation-and-management-of-user-and-windows-certificates/ . I know that certificates are located in /etc/univention/ssl/windows-hosts// and should also be available in AD/LDAP. I was then under the impression that the Windows machine automagically imported this certificate from its AD/LDAP entry in UCS when booted. Checking the Certificate Store on the Windows machine shows no such certificate. Checking AD/LDAP either through the UCS GUI or the Windows RSAT tool shows the relevant certificate info like DN etc., but I can’t locate the certificate itself in some importable form.

Any relevant comments are most welcome.

It is a shame that the Univention team so rarely looks at this forum…

Will investigate the cert behaviour in the next few days.

Found this and I’m not overly optimistic:

(tl;dr) not stable on UCS 5.0