Communication between the different systems in a UCS domain is largely SSL encrypted. A root certificate and host certificate for each computer are required for the SSL encryption. The root certificate is only valid for a specified period of time, as are the host certificates created with the root certificate. Once this period of time elapses, services which encrypt their communication with SSL (e.g., LDAP) no longer function. It is thus essential to verify the validity of the certificates and create new host certificates as necessary.
The following commands need to be performed on a UCS master.
univention-certificate can be used to check how long a computer certificate will remain valid:
univention-certificate dump -name ucs-master.univention.de
[...]
Validity Not Before: Jun 19 10:40:13 2006 GMT
Not After : Jun 18 10:40:14 2008 GMT
[...]
When doing so, the FQDN of the computer name (computer name + domain) must be entered. A list of all available certificates can be called up with
The certificates for all the computers in a UCS domain usually have the same expiry date. To create new certificates, proceed as follows:
Create back-ups of the old certificates
cp -a /etc/univention/ssl /etc/univention/ssl_$(date +"%d%m%Y")
Renewal of the certificates
Renew the root certificate entering the contents of the /etc/univention/ssl/password file as the password:
cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -out NewCAcert.pem -days 1000 -passin file:/etc/univention/ssl/password -signkey private/CAkey.pem
mv NewCAcert.pem CAcert.pem
Attention: On UCS-Systems in version smaller than 2.0 the folder “/etc/univention/ssl/ucsCA” was named “/etc/univention/ssl/udsCA”
Renewing all computer certificates:
eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days 730; done
Copy the new certificates
Copying of the new certificates onto the other computer systems (each UCS/UCC system except DC backups - here using ucs-slave as an example computer)
eval "$(ucr shell)"
cd /etc/univention/ssl/
scp ucsCA/CAcert.pem root@ucs-slave:/etc/univention/ssl/ucsCA/
scp -r ucs-slave.$domainname root@ucs-slave:/etc/univention/ssl/
scp -r ucs-slave.$domainname/* root@ucs-slave:/etc/univention/ssl/ucs-slave/
The last step is not required on a UCS backup computer as it occurs automatically via cron.
The following command can be used to make the newly created certificate available to all users via the UCS master’s central administration website
cp CAcert.pem /var/www/ucs-root-ca.crt
After the certificates have been updated, the new information is not yet displayed in Univention Directory Manager.It would only be updated during the next, regular check, as the cronjob set up for this purpose is only run once every day.To be able to verify the validity of the certificates immediately, the corresponding Univention Configuration Registry variables need to be evaluated. This can be done by running the following script
/usr/sbin/univention-certificate-check-validity
All the services which use the SSL encryption need to be restarted.Alternatively, the system can be restarted if it is not known exactly which services employ SSL.
Cyrus
On computers where the cyrus mail server is running, the cert.pem and private.key must also be copied to /var/lib/cyrus/
cp /etc/univention/ssl/"$(hostname -f)"/cert.pem /var/lib/cyrus/
cp /etc/univention/ssl/"$(hostname -f)"/private.key /var/lib/cyrus/
After that the permissions (owner) of the new files must be adjusted:
chown cyrus:mail /var/lib/cyrus/cert.pem
chown cyrus:mail /var/lib/cyrus/private.key
AD-Connector
If the ad connector is used, the certificates should be renewed as well.
The new certificates can be downloaded from the umc:
cp /etc/univention/ssl/<FQDN of ad system>/{cert.pem,private.key} /var/www/univention-ad-connector/chgrp www-data /var/www/univention-ad-connector/{cert.pem,private.key}
After that the new certificates can be downloaded from UMC and configured.
Freeradius
If freeradius is used, the cert.pem and private.key must also be copied to /etc/freeradius/ssl
cp /etc/univention/ssl/"$(hostname -f)"/cert.pem /etc/freeradius/ssl/
cp /etc/univention/ssl/"$(hostname -f)"/private.key /etc/freeradius/ssl/
After that the permissions (owner) of the new files must be adjusted:
chown root:freerad /etc/freeradius/ssl/cert.pem
chown root:freerad /etc/freeradius/ssl/private.key
