Intermediate Signing Certificate for UCS


I’m trying to implement UCS as an alternative to Microsoft AD, to centralize user and client authentication.

At first I was very happy with UCS; however, after I began to read about how UCS handles certificates, I got a little headache.

A good practice for handling certificates is to keep the CA as secure as possible and to split the certificate chain with intermediate signing certificates into several divisions.

Therefore, I would like to use an offline PKI for the CA and grant Univention only an intermediate signing certificate to generate user and client certificates for client authentication (RADIUS) and user authentication (SMB shares) using univention-usercert.

Other services will get a certificate from another PKI with another intermediate signing certificate because unfortunately univention-certificate is quite limited.

I’ve already read a lot of Univention and found some problems regarding implementing external certificates; for example, even changing the Apache cert could be a problem, or updates delete certs if they are placed in the “wrong” directory.

Do you believe it’s possible to reconfigure UCS to use a proper certificate chain and to prevent everything from breaking after the next update? Or are there any plans to improve the certificate management of UCS?