Create intermediate CA with Univention Root CA




In the network that I want to manage with UCS there are several services that have their own CA.
For example Icinga2.

Since I want to establish a clean chain of trust in the network I want to provide intermediate CA certificates to those services signed by the UCS Root CA.

Can I create those certificates with Univention tools? Does anybody have experience with that.

A second question is that I found several descriptions stating best practise is to operate a CA only with an intermediate CA cert and keep the original root CA cert files offline for cases where the intermediate CA gets compromised. In that case you can revoke the intermediate CA and create a new one.
How can I do that with UCS?
Can I just replace the UCS root CA with other certificates and recreate all others?



I’m also looking for a solution. There are How-Tos for creating an intermediate certificate (e.g., but I’d like to use the UCS tools as much as possible - so that my colleagues can reproduce it without much hassle.

Did you find a way to achieve this?

Best regards


Hello Dirk,
no, so far did not dig deeper into it. But it is still on my agenda for the next months. I would like to setup OpenPKI and issue an intermediate cert to the UCS Master.

This is another thread in German on this topic: Eigene CA verwenden / Use own CA



I tried a while (just this morning) to create an intermediate certificate for our UCS root certificate.
Then I decided to stick with our home-grown CA and use it for Apache/Dovecot/Postfix, as described her: Using your own SSL certificates.

Best regards