Cool Solution - Creating custom certificates for "ip managed client" / switch

umc
cool-solution
ucs-4-2
certificates
root-ca

#1

Task

Several switches on my internal network need their own certificates issued and the corresponding pem files uploaded to properly support https for their management GUI. As my infrastructure cannot be reached/verified from the internet, LetsEncrypt is not a viable solution. The facilitation of the internal CA of the UCS server looks intriguing…

Conceptual Solution

First of all - thanks for all the great “cool solutions”, there’s a lot to discover and the solutions are really straight from the field!

I installed the usercert/windowscert solution. This gives me a GUI to manage user and computer certificates. Unfortunately, the “windowscert” part is rather narrow in scope and really only does what it says on the lid - issue certificates for computers that are of type “Windows Workstation/Server”. For a computer of type “ip managed client” (which I guess is the closest to my situation), the necessary parts of the GUI are not even shown.

Real World Example

Primary (and only) Domain Controller: ucsdc2.local.k-family.net
DNS name of switch: switch-back.local.k-family.net
IP address of switch: 192.168.0.246

Questions

  • Is there a way to make the desired certificate handling work within UMC? Perhaps a trick or workaround (e.g. pretend the switch is a Windows PC …)?
  • By any chance, are there ready-made shell scripts/programs by Univention that access the “well known” parts of the UCS infrastructure to produce certificates? All the defaults are stored in the UCR, so some “situation aware” script could simplify the command line handling of certificate creation quite effectively…
  • If anything else fails, are there any other leads for me, any links or well documented (support) cases where the task was comparable and I could latch on to the solution and bend it to my needs?

#2

Update:

  • The suggestion to widen the scope of the “windowscert” UMC extension to all computer types still stands
  • I polished my Google-fu and found a relevant knowledge base article

Will post here when I have successfully installed https to the switch …
(there is the extra requirement of a DH 1024-bit params file dhparams.pem, and I’m not sure about this one yet)


#3

Update #2:

  • The DH 1024-bit params file was easily created with
        # openssl dhparam -out /etc/univention/ssl/switch-back.local.k-family.net/dhparams.pem 1024
  • Upload to the switch did work, but the whole project was some sort of letdown, because the firmware on the switch only supports https with EITHER SSL Version 3 disabled OR TLS Version 1 disabled - both combinations are no longer supported by my go-to browser (Firefox).

I learned my lesson, but security was not enhanced today … :persevere:


#4

Hello,

just for the sake of completeness: UCS does create a certificate for all IP-managed-clients, but they are only written to the file system on the UCS Master/Backups and not shown in the UMC. If you have a look at /etc/univention/ssl/<FQDN-of-your-IP-managed-client>/, there should be a certificate (cert.pem) and a private key.

If you want to create a certificate for a system that is not handled by UCS at all, you can still use the CLI tool univention-certificate as mentioned in the article you linked to above.
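The reply above says the certificate for an IP managed client already sits in /etc/univention/ssl/&lt;FQDN&gt;/ as cert.pem plus a private key, and post #3 adds a dhparams.pem next to it before uploading to the switch. Before copying those files to a device, it is worth checking that they actually belong together and that a browser will accept them. The script below is an added example, not code from the thread or from Univention: it assumes the private key file is named private.key in that directory and that the UCS CA certificate lives at /etc/univention/ssl/ucsCA/CAcert.pem (both assumed names, not stated in the thread). It checks that the key matches the certificate, that the certificate chains to the CA, that it is not about to expire, that the subjectAltName carries the switch's DNS name and IP (browsers ignore the CN), and, if dhparams.pem is present, reports its size.

```shell
#!/bin/sh
# Added example (not from the thread or from Univention). Sanity-check the
# per-host certificate directory that UCS writes for an IP managed client
# before uploading it to a switch. Assumed layout:
#   /etc/univention/ssl/<FQDN>/cert.pem      (named in the thread)
#   /etc/univention/ssl/<FQDN>/private.key   (assumed file name)
#   /etc/univention/ssl/ucsCA/CAcert.pem     (assumed CA location)
#   /etc/univention/ssl/<FQDN>/dhparams.pem  (optional, see post #3)

# check_host_cert DIR CA_CERT FQDN [IP]
# Prints one line per check; returns 0 only if every hard check passed.
check_host_cert() {
    dir="$1"; ca="$2"; fqdn="$3"; ip="$4"
    cert="$dir/cert.pem"; key="$dir/private.key"; dh="$dir/dhparams.pem"
    rc=0

    for f in "$cert" "$key" "$ca"; do
        if [ ! -r "$f" ]; then echo "FAIL: missing or unreadable: $f"; return 1; fi
    done

    # 1. The private key must belong to the certificate: compare the
    #    SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   private key matches cert.pem"
    else
        echo "FAIL: private key does not match cert.pem"; rc=1
    fi

    # 2. The certificate must verify against the UCS CA that the switch's
    #    clients will be configured to trust.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   chains to $ca"
    else
        echo "FAIL: does not verify against $ca"; rc=1
    fi

    # 3. Must still be valid 30 days from now (2592000 s), so the upload is
    #    not immediately followed by an expiry.
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "ok:   valid for more than 30 days"
    else
        echo "FAIL: expires within 30 days"; rc=1
    fi

    # 4. Browsers match the host against subjectAltName, not the CN.
    text=$(openssl x509 -in "$cert" -noout -text)
    if printf '%s\n' "$text" | grep -qF "DNS:$fqdn"; then
        echo "ok:   SAN contains DNS:$fqdn"
    else
        echo "FAIL: SAN lacks DNS:$fqdn"; rc=1
    fi
    if [ -n "$ip" ]; then
        if printf '%s\n' "$text" | grep -qF "IP Address:$ip"; then
            echo "ok:   SAN contains IP Address:$ip"
        else
            echo "FAIL: SAN lacks IP Address:$ip"; rc=1
        fi
    fi

    # 5. Optional DH parameter file: report its size (informational only).
    if [ -r "$dh" ]; then
        bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
               | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
            echo "ok:   dhparams.pem is $bits bit"
        else
            echo "warn: dhparams.pem is ${bits:-unknown} bit (2048 or more is the usual minimum)"
        fi
    else
        echo "note: no dhparams.pem in $dir"
    fi

    return $rc
}

# Usage on a UCS master (FQDN and optional IP of the switch as arguments):
#   sh check_host_cert.sh switch-back.local.k-family.net 192.168.0.246
if [ "$#" -ge 1 ]; then
    check_host_cert "/etc/univention/ssl/$1" /etc/univention/ssl/ucsCA/CAcert.pem "$1" "$2"
fi
```

The key/cert comparison hashes the public key exported from each file rather than comparing RSA moduli, so it works unchanged if UCS ever issues EC keys. The DH size check only warns, because the thread's switch firmware dictated a 1024-bit file; a failing exit status is reserved for problems that would make the upload unusable.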