How-to: Extend the end date of the UCS CA root certificate

How-to: Extend the end date of the UCS CA root certificate

The root certificate of the UCS Certificate Authority (CA) is created during the installation of the UCS Master and by default valid for 5 years. The regular process is to renew the complete certificate chain, before the root certificate reaches its end date. In this case, all old certificates become invalid.
Another possibility is to renew the root certificate, but keep the existing private key. In this case, the new root certificate will have a new end date, but the certificate chain is still valid.

PLEASE NOTE: Keeping the private key is not a good security practice and not recommended. However, there are scenarios where the tradeoff might be reasonable.

Renew the root certificate while keeping the private key

Step 1: Preparation

Open a shell on your UCS Master and backup your current certificates:

cp -a /etc/univention/ssl /etc/univention/ssl_"$(date --iso)"

Check your current UCS CA root certificate:

cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -noout -enddate -serial
notAfter=Sep 30 13:31:10 2018 GMT
serial=C763B56CDF6144FF

Step 2: Create a new certificate

Now create a new certificate by using the existing certificate, the existing private key (CAkey.pem), the existing password and by using sha256 for the signature algorithm:

openssl x509 -in CAcert.pem -out NewCAcert.pem  \
  -days "$(ucr get ssl/default/days)"  \
  -passin file:/etc/univention/ssl/password \
  -signkey private/CAkey.pem  \
  -sha256

Now check the new certificate:

openssl x509 -in NewCAcert.pem -noout -enddate -serial
notAfter=Sep 19 11:32:42 2023 GMT
serial=C763B56CDF6144FF

We should see a new end date (notAfter), but the same serial as before.

Step 3: Replace the old root certificate

Now we replace the old certificate with the new one:

mv NewCAcert.pem CAcert.pem
chgrp "DC Slave Hosts" CAcert.pem
You have to reboot the system to apply the changes 
# shutdown -r now
2 Likes