How-to: Extend the end date of the UCS CA root certificate

The root certificate of the UCS Certificate Authority (CA) is created during the installation of the UCS Master and is by default valid for 5 years. The regular process is to renew the complete certificate chain before the root certificate reaches its end date; in this case, all old certificates become invalid.
Another possibility is to renew the root certificate but keep the existing private key. In this case, the new root certificate has a new end date, while the existing certificate chain (all certificates signed by that key) stays valid.

PLEASE NOTE: Keeping the private key is not a good security practice and not recommended. However, there are scenarios where the tradeoff might be reasonable.

Renew the root certificate while keeping the private key

Step 1: Preparation

Open a shell on your UCS Master and backup your current certificates:

cp -a /etc/univention/ssl /etc/univention/ssl_"$(date --iso)"

Check your current UCS CA root certificate:

cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -noout -enddate -serial
notAfter=Sep 30 13:31:10 2018 GMT
serial=C763B56CDF6144FF

Step 2: Create a new certificate

Now create a new certificate from the existing certificate, the existing private key (CAkey.pem) and the existing password, using sha256 as the signature algorithm:

openssl x509 -in CAcert.pem -out NewCAcert.pem  \
  -days "$(ucr get ssl/default/days)"  \
  -passin file:/etc/univention/ssl/password \
  -signkey private/CAkey.pem  \
  -sha256

Now check the new certificate:

openssl x509 -in NewCAcert.pem -noout -enddate -serial
notAfter=Sep 19 11:32:42 2023 GMT
serial=C763B56CDF6144FF

We should see a new end date (notAfter), but the same serial as before.

Step 3: Replace the old root certificate

Now we replace the old certificate with the new one:

mv NewCAcert.pem CAcert.pem
chgrp "DC Slave Hosts" CAcert.pem

You have to reboot the system to apply the changes:

shutdown -r now

Step 4: Update the CA for Apache

To update the extended CA for the Apache server, change to the following directory:

cd /etc/univention/ssl/

and install the extended CA:

install -o root -g root -m 0644 ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

Now restart the Apache server:

systemctl restart apache2.service

Download the new CA for the Apache Server and check the end date.

wget https://$(hostname -f)/ucs-root-ca.crt
openssl x509 -in ucs-root-ca.crt -noout -enddate
notAfter=Apr  2 14:28:54 2029 GMT

Optional Step 5: Renew all Computer certificates

If the computer certificates also expire, follow the steps on the DC Master described in the linked section:
Renew all computer certificates

Optional Step 6: Copy the client certificates

Copy the ucsCA to the UCS systems in the domain, as described in the linked section:
Copy the client certificates

Optional Step 7: Revoke old Computer certificates

Obsolete certificates must be revoked as described in the linked section:
Revoke old certificates
