How-to: Extend the end date of the UCS CA root certificate

The root certificate of the UCS Certificate Authority (CA) is created during the installation of the UCS Master and is valid for 5 years by default. The regular process is to renew the complete certificate chain before the root certificate reaches its end date; in this case, all old certificates become invalid.
Another possibility is to renew the root certificate but keep the existing private key. In this case, the new root certificate has a new end date, and the existing certificate chain stays valid.

PLEASE NOTE: Keeping the private key is not good security practice and is not recommended. However, there are scenarios where the tradeoff might be reasonable.

Renew the root certificate while keeping the private key

Step 1: Preparation

Open a shell on your UCS Master and backup your current certificates:

cp -a /etc/univention/ssl /etc/univention/ssl_"$(date --iso)"

Check your current UCS CA root certificate:

cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -noout -enddate -serial
notAfter=Sep 30 13:31:10 2018 GMT
serial=C763B56CDF6144FF

Step 2: Create a new certificate

Now create a new certificate from the existing certificate, using the existing private key (CAkey.pem), the existing password, and sha256 as the signature algorithm:

openssl x509 -in CAcert.pem -out NewCAcert.pem  \
  -days "$(ucr get ssl/default/days)"  \
  -passin file:/etc/univention/ssl/password \
  -signkey private/CAkey.pem  \
  -sha256

Now check the new certificate:

openssl x509 -in NewCAcert.pem -noout -enddate -serial
notAfter=Sep 19 11:32:42 2023 GMT
serial=C763B56CDF6144FF

We should see a new end date (notAfter) but the same serial as before.
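The re-sign step together with the checks worth running on its result (same serial, same public key, and an existing host certificate still chains to the renewed root), as an added example that is not part of the original how-to. It builds a throwaway CA and host certificate in a temporary directory instead of touching /etc/univention/ssl; the function names renew_ca, check_renewal and demo are its own, and it assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original how-to): exercise the re-sign step on a
# throwaway CA in a temp dir and check what the renewal must leave unchanged.
set -eu

# renew_ca OLD_CERT KEY NEW_CERT DAYS
# Re-sign OLD_CERT with its own key KEY; subject, public key, serial and
# extensions are retained, only the validity window is replaced.
renew_ca() {
  openssl x509 -in "$1" -signkey "$2" -days "$4" -sha256 -out "$3" 2>/dev/null
}

# check_renewal OLD_CERT NEW_CERT HOST_CERT
# Echo "ok" when serial and public key are unchanged and a host certificate
# issued by the old root still verifies against the new one.
check_renewal() {
  [ "$(openssl x509 -in "$1" -noout -serial)" = "$(openssl x509 -in "$2" -noout -serial)" ] \
    || { echo "serial changed"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ] \
    || { echo "public key changed"; return 1; }
  openssl verify -CAfile "$2" "$3" >/dev/null 2>&1 \
    || { echo "host certificate no longer chains to the root"; return 1; }
  echo ok
}

# demo: constructed CA and host certificate standing in for
# /etc/univention/ssl/ucsCA and a UCS host certificate; prints the check result.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example UCS Root CA" -keyout "$d/CAkey.pem" -out "$d/CAcert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/CAcert.pem" -CAkey "$d/CAkey.pem" \
    -CAcreateserial -days 1 -sha256 -out "$d/host.pem" 2>/dev/null
  renew_ca "$d/CAcert.pem" "$d/CAkey.pem" "$d/NewCAcert.pem" 1825
  result=$(check_renewal "$d/CAcert.pem" "$d/NewCAcert.pem" "$d/host.pem") || true
  rm -rf "$d"
  echo "$result"
}
```

Run check_renewal against the real CAcert.pem, NewCAcert.pem and any host certificate under /etc/univention/ssl before replacing the root; a re-sign with a different key or a changed serial is reported instead of "ok".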

Step 3: Replace the old root certificate

Now we replace the old certificate with the new one:

mv NewCAcert.pem CAcert.pem
chgrp "DC Slave Hosts" CAcert.pem

Step 4: Update the CA for Apache

To update the extended CA for the Apache server, change to the following path:

cd /etc/univention/ssl/

and install the extended CA:

install -o root -g root -m 0644 ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

Now restart the Apache server:

systemctl restart apache2.service

Download the new CA from the Apache server and check the end date:

wget https://$(hostname -f)/ucs-root-ca.crt
openssl x509 -in ucs-root-ca.crt -noout -dates
notBefore=Apr  5 09:40:57 2024 GMT
notAfter=Apr  2 14:28:54 2029 GMT

Step 5: Update the metadata SSO

Each UCS system in the domain, including the primary DC, has to re-install the new certificate so that UMC Single Sign-On works:

univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Step 6: Restart the System

Attention: All services which use SSL encryption need to be restarted. Alternatively, the system can be rebooted if it is not known exactly which services use SSL.

After you extend the certificates, you have to restart the system so that the services use the new extended certificates and all changes are applied:

shutdown -r now

or

reboot

Step 7: Revoke old Computer certificates

Obsolete certificates must be revoked as described in the section: Revoke old certificates

Optional Step 8: Renew all Computer certificates

If the computer certificates have also expired, follow the steps for the DC-Master in the linked section: Renew all computer certificates

Optional Step 9: Copy the client certificates

Copy the ucsCA to the UCS systems in the domain, as described in: Copy the client certificates

Optional Step 10: Update certificates for docker

The certificates of apps installed via Docker containers have to be updated, as described in: Docker container update
