In the network that I want to manage with UCS there are several services that have their own CA.
For example, Icinga2.
Since I want to establish a clean chain of trust in the network, I want to provide intermediate CA certificates to those services, signed by the UCS Root CA.
Can I create those certificates with Univention tools? Does anybody have experience with that?
A second question is that I found several descriptions stating that best practice is to operate a CA only with an intermediate CA cert and keep the original root CA cert files offline for cases where the intermediate CA gets compromised. In that case you can revoke the intermediate CA and create a new one.
How can I do that with UCS?
Can I just replace the UCS root CA with other certificates and recreate all others?