How-to: Extend the end date of the UCS CA root certificate
The root certificate of the UCS Certificate Authority (CA) is created during the installation of the UCS Master and is valid for 5 years by default. The regular process is to renew the complete certificate chain before the root certificate reaches its end date. In this case, all certificates issued under the old chain become invalid.
Another possibility is to renew the root certificate but keep the existing private key. In this case, the new root certificate has a new end date, but the certificates already issued by the CA remain valid.
PLEASE NOTE: Keeping the private key is not a good security practice and not recommended. However, there are scenarios where the tradeoff might be reasonable.
Renew the root certificate while keeping the private key
Step 1: Preparation
Open a shell on your UCS Master and backup your current certificates:
cp -a /etc/univention/ssl /etc/univention/ssl_"$(date --iso)"
Check your current UCS CA root certificate:
cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -noout -enddate -serial
notAfter=Sep 30 13:31:10 2018 GMT
serial=C763B56CDF6144FF
Step 2: Create a new certificate
Now create a new certificate using the existing certificate, the existing private key (CAkey.pem), the existing password, and sha256 as the signature algorithm:
openssl x509 -in CAcert.pem -out NewCAcert.pem \
  -days "$(ucr get ssl/default/days)" \
  -passin file:/etc/univention/ssl/password \
  -signkey private/CAkey.pem \
  -sha256
Now check the new certificate:
openssl x509 -in NewCAcert.pem -noout -enddate -serial
notAfter=Sep 19 11:32:42 2023 GMT
serial=C763B56CDF6144FF
We should see a new end date (notAfter), but the same serial as before.
Step 3: Replace the old root certificate
Now we replace the old certificate with the new one:
mv NewCAcert.pem CAcert.pem
chgrp "DC Slave Hosts" CAcert.pem
You have to reboot the system to apply the changes:
shutdown -r now
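A check to run after Step 2 and before Step 3, added here as an example (it is not part of the Univention article): it confirms that the renewed certificate carries the same serial and the same public key as the old one, expires later, and still validates a certificate the CA issued earlier. The host certificate path in the usage comment is an assumption, and the script assumes GNU date as shipped on UCS.

```shell
#!/bin/sh
# Added example, not from the Univention article. Compares the old and the
# renewed CA certificate and optionally verifies an already issued certificate
# against the renewed CA. Requires openssl and GNU date (assumption: UCS is
# Debian-based, so both are present).

# check_renewed_ca OLD_CA NEW_CA [ISSUED_CERT]
# Returns 0 only if NEW_CA keeps the serial and public key of OLD_CA and
# expires later, and (if given) ISSUED_CERT verifies against NEW_CA.
check_renewed_ca() {
    old=$1; new=$2; issued=${3:-}

    # The serial must not change: the article shows the same serial before and after.
    old_serial=$(openssl x509 -in "$old" -noout -serial)
    new_serial=$(openssl x509 -in "$new" -noout -serial)
    [ "$old_serial" = "$new_serial" ] || {
        echo "serial changed: $old_serial -> $new_serial" >&2; return 1; }

    # Same private key means same public key; compare a digest of the PEM public key.
    old_pub=$(openssl x509 -in "$old" -noout -pubkey | openssl sha256)
    new_pub=$(openssl x509 -in "$new" -noout -pubkey | openssl sha256)
    [ "$old_pub" = "$new_pub" ] || {
        echo "public key differs: the private key was not kept" >&2; return 1; }

    # notAfter of the new certificate must lie after notAfter of the old one.
    old_end=$(date -d "$(openssl x509 -in "$old" -noout -enddate | cut -d= -f2)" +%s)
    new_end=$(date -d "$(openssl x509 -in "$new" -noout -enddate | cut -d= -f2)" +%s)
    [ "$new_end" -gt "$old_end" ] || {
        echo "new certificate does not expire later than the old one" >&2; return 1; }

    # The point of keeping the key: certificates issued by the old CA cert still verify.
    if [ -n "$issued" ]; then
        openssl verify -CAfile "$new" "$issued" >/dev/null 2>&1 || {
            echo "$issued no longer verifies against the renewed CA" >&2; return 1; }
    fi
    return 0
}

# Usage on the UCS Master after Step 2 (the host certificate path is an assumption):
# cd /etc/univention/ssl/ucsCA
# check_renewed_ca CAcert.pem NewCAcert.pem "/etc/univention/ssl/$(hostname -f)/cert.pem" \
#     && echo "renewed CA looks consistent, safe to continue with Step 3"
```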