Renewing the complete SSL certificate chain

Problem:

How can a full renewal of the complete SSL chain be achieved?

Solution:

To recreate CAkey.pem and the certificates that depend on it, do the following:

Back up the old certificates in /etc/univention/ssl/:

mv /etc/univention/ssl /etc/univention/ssl_$(date +"%d%m%Y")

Create a new SSL-chain and a new certificate for the DC master:

apt-get install --reinstall univention-ssl

Fix the permissions:

chgrp 'DC Backup Hosts' -R /etc/univention/ssl/openssl.cnf /etc/univention/ssl/password /etc/univention/ssl/ucsCA/
chgrp 'DC Backup Hosts' /etc/univention/ssl/ucsCA/CAcert.pem
find /etc/univention/ssl/ucsCA/ -type d -exec chmod g+rwX {} +

Renew the certificate for the DNS alias univention-directory-manager and recreate the certificates for each machine in your domain:

eval "$(univention-config-registry shell)"
univention-certificate new -name "univention-directory-manager.$domainname" -days "$ssl_default_days"
ln -s /etc/univention/ssl/univention-directory-manager.$domainname/ /etc/univention/ssl/univention-directory-manager
service slapd restart
univention-directory-listener-ctrl resync gencertificate

ucs-sso requires separate handling

To generate the new ucs-sso certificate you can use the 91univention-saml.inst join script.
First you need to delete the old file, whose path is set via UCR:

ucr get saml/idp/certificate/certificate
→ /etc/simplesamlphp/ucs-sso…

After that, rerun the join script with the force option:

univention-run-join-scripts --force --run-scripts 91univention-saml.inst

Copy the new certificates

Now each new certificate has to be copied to the other systems of your domain.
Please refer to “Renewing the SSL certificates” for detailed documentation.
