I was looking at the certificates in UCS. Got certificates for “IP managed clients” as intended, they are auto generated on object creation and stored in /etc/univention/ssl/.
I also have a couple of Windows machines which are domain joined. They provide some functionality which would greatly benefit from having a trusted (domain) certificate. Those certificates have not been created, so my questions are:
Am I missing something, and the certs are hiding in a different location?
Do I simply generate any cert with univention-certificate? If so what are the parameters that can be used with that command; I think I spotted something like non-standard cert expiry time while searching the forum but can’t find it again now.
I’ve also been experimenting with certificates for Windows machines and I’ve managed to install the UCS add-on from Cool-solutions as described in https://help.univention.com/t/cool-solution-creation-and-management-of-user-and-windows-certificates/ . I know that certificates are located in
/etc/univention/ssl/windows-hosts// and should also be available in AD/LDAP. I was then under the impression that the Windows machine automagically imported this certificate from it’s AD/LDAP entry in UCS when booted. Checking Certificate Store on Windows machine shows no such certificate. Checking AD/LDAP either through UCS GUI or Windows RSAT tool shows the relevant certificate info like DN etc but I can’t locate the certificate itself in some importable form.