How To: Create a UCS-CA signed certificate for a non-UCS system within the domain

Sometimes it’s necessary to create signed certificates for non-UCS systems in a domain as well. This is becoming more common, and more needed, because communication between systems is often SSL encrypted nowadays.

For such purposes UCS comes with an appropriate command set which makes it easy to fulfil the task.

The following command creates a signed certificate for the given server FQDN:

root@ucs-master:~# univention-certificate new -name "another-server.$(dnsdomainname)"
Creating certificate: another-server.my-domain.local
no certificate for another-server.my-domain.local registered
Generating RSA private key, 2048 bit long modulus
..................................+++
.........+++
e is 65537 (0x10001)
Using configuration from /etc/univention/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'DE'
localityName          :PRINTABLE:'DE'
organizationName      :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'Univention Corporate Server'
commonName            :PRINTABLE:'another-server.my-domain.local'
emailAddress          :IA5STRING:'ssl@my-domain.local'
Certificate is to be certified until Mar 26 11:21:57 2022 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated

You will find all related files in the newly created folder named after your FQDN within the path ‘/etc/univention/ssl’ (e.g. ‘/etc/univention/ssl/another-server.my-domain.local’). All that’s left to do is to copy them to the appropriate location on the foreign system:

scp /etc/univention/ssl/another-server.$(dnsdomainname)/*.pem root@another-server.$(dnsdomainname):/etc/ssl/another-server/
scp /etc/univention/ssl/another-server.$(dnsdomainname)/*.key root@another-server.$(dnsdomainname):/etc/ssl/private/another-server.key
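As an added example (not part of the original post), the following script wraps the copy step above with the checks I would want before shipping a private key to another host: it verifies that the generated certificate chains to the UCS CA and belongs to its private key, compares the CN with the intended FQDN, and only then copies the certificate and the key separately, with the key kept readable by root only. It assumes the UCS CA lives at /etc/univention/ssl/ucsCA/CAcert.pem and that the per-host directory holds cert.pem and private.key; the function names and the target paths are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the UCS CA is
# /etc/univention/ssl/ucsCA/CAcert.pem and each bundle holds cert.pem and
# private.key (assumed UCS defaults); function names and target paths are mine.
set -eu

UCS_SSL_DIR="${UCS_SSL_DIR:-/etc/univention/ssl}"
UCS_CA="${UCS_CA:-$UCS_SSL_DIR/ucsCA/CAcert.pem}"

# Return 0 only if $1/cert.pem chains to CA file $2 and $1/private.key is its
# key. Catches a wrong or unsigned bundle before the first failed TLS handshake.
verify_bundle() {
    dir="$1"; ca="$2"
    openssl verify -CAfile "$ca" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/private.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the CN of a certificate so it can be compared with the intended FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Copy a verified bundle for FQDN $1 to root@$2: cert and CA to /etc/ssl/<fqdn>/,
# the private key alone to /etc/ssl/private/<fqdn>.key, readable by root only.
deploy_bundle() {
    fqdn="$1"; target="$2"; dir="$UCS_SSL_DIR/$fqdn"
    if ! verify_bundle "$dir" "$UCS_CA"; then
        echo "refusing to copy: $dir does not verify against $UCS_CA" >&2
        return 1
    fi
    if [ "$(cert_cn "$dir/cert.pem")" != "$fqdn" ]; then
        echo "refusing to copy: certificate CN is not $fqdn" >&2
        return 1
    fi
    ssh "root@$target" "install -d -m 0755 /etc/ssl/$fqdn && install -d -m 0700 /etc/ssl/private"
    scp "$dir/cert.pem" "$UCS_CA" "root@$target:/etc/ssl/$fqdn/"
    scp "$dir/private.key" "root@$target:/etc/ssl/private/$fqdn.key"
    ssh "root@$target" "chmod 0600 /etc/ssl/private/$fqdn.key"
}

# Usage on the UCS master: sh deploy-cert.sh "another-server.$(dnsdomainname)"
if [ $# -eq 1 ]; then
    deploy_bundle "$1" "$1"
fi
```

The CA certificate is copied alongside the server certificate so the foreign system can present a complete chain; the key never shares a directory with world-readable files.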