Ah, ok, makes sense. But it seems that some env variables are missing:
root@ucs01:/etc/univention/ssl/ucs01# openssl req -batch -config openssl.cnf -new -key private.key -out req.pem
error on line 31 of openssl.cnf
139778132506256:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 31
It seems to be an OpenSSL issue, solved here: UCS Openssl request signing error - #2 by Moritz_Bunkus
DEFAULT_CRL_DAYS="$(/usr/sbin/univention-config-registry get ssl/crl/validity)"
: ${DEFAULT_CRL_DAYS:=10}
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
: ${DEFAULT_DAYS:=1825}
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
: ${DEFAULT_MD:=sha256}
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
: ${DEFAULT_BITS:=2048}
export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
openssl req -batch -config openssl.cnf -new -key private.key -out req.pem
Now it works! Thanks a lot.