[SOLVED] How to share Certificates?

Hi all,

So we have successfully enabled user and machine certificates. Tampered with SSL config to add extended key usage and even modified /usr/share/univention-ssl/make-certificates-user.sh to produce .pfx bundles.

All great, however one thing that I can’t figure out is how to make them shared on the network.
I created a share pointing directly at /etc/univention/ssl/user, but to no avail. Tried making symlinks and sharing those, but still no luck.

Can someone tell me how to share /etc/univention/ssl/user so a user can read their own cert folder content?

cheers

Addendum,
I just realized that creating a share via GUI with /etc/univention/ssl/user as the path has not created a corresponding file in /etc/samba/shares.conf.d. This means that it will not be shared no matter what settings I use?

Ok, so I finally found a way to do it…

  1. Look at UCR and find listener/shares/whitelist/defaults
  2. To the list of whitelisted share locations add :/etc/univention/ssl/*
  3. Go to UCS services and restart univention-directory-listener
  4. Create a share pointing at /etc/univention/ssl/user and adjust permissions to your liking
    ad 4. Because we are dealing with personal certificates, there’s a handy Hide unreadable files/directories setting under Samba configuration
  5. Save the share and voilà


And the end user will only see what they need to see (their own cert folder) and not the entire listing of system users.

Can you please share what tweaks you have done for key usage and delivery?
thanks

Hi lleo,

Certificate extensions like serverAuth and clientAuth can be added as per this thread:

I know this isn’t the most elegant solution, and you have to add both at the same time, but it works. I couldn’t find a way to add serverAuth to servers and clientAuth to users and endpoints.

In /usr/share/univention-ssl/make-certificate-user.sh, which is responsible for user cert creation and renewal, we added: openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: -out bundle.pfx -inkey private.key -in cert.pem (This defeats some cert security; however, it is a self-signed cert for internal domain use only and the risk was acceptable.)

The output bundle.pfx file is a cert with private key that the user can import on Windows logon. A small PowerShell script linked to a GPO does this automatically.

As mentioned in the solution to this thread, the certificate share only shows accessible resources, so the user sees only one folder with their certificates inside.

Final notes: I have no idea how often the make-certificate-user.sh file changes and how quickly it will stop working. All is done with cool-solutions installed as per this post.

I hope this helps
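The logon-script side of the setup described above, as an added example (not the poster's own GPO script): it pulls the user's unencrypted bundle.pfx from their folder on the certificate share and imports it into the user's personal store only if that certificate is not already there. The share name \\ucs-server\certificates and the per-user folder named after the UCS username are assumptions.

```powershell
# Added example, not from the thread. Assumes the share is \\ucs-server\certificates
# (hypothetical name) and each user's folder is named after their UCS username.
param(
    [string]$ShareRoot  = '\\ucs-server\certificates',
    [string]$BundleName = 'bundle.pfx'
)

$pfxPath = Join-Path (Join-Path $ShareRoot $env:USERNAME) $BundleName
if (-not (Test-Path -LiteralPath $pfxPath)) {
    # Nothing to import yet (e.g. the listener has not created the user cert).
    Write-Warning "No certificate bundle found at $pfxPath"
    exit 0
}

# Load the bundle without touching any store first, so the thumbprint can be compared.
# The thread's make-certificate-user.sh writes the bundle with an empty password
# (-passout pass:), hence the empty password string here. PersistKeySet keeps the
# private key in the user's key container so it survives after the script exits.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, '', $flags)

if (-not $cert.HasPrivateKey) {
    Write-Warning "Bundle at $pfxPath carries no private key; not importing."
    exit 1
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
try {
    $existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Output "Certificate $($cert.Thumbprint) already present; nothing to do."
    } else {
        $store.Add($cert)
        Write-Output "Imported $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)."
    }
}
finally {
    $store.Close()
}
```

Because the share hides unreadable entries, a user who browses it sees only their own folder, but the script still relies on the filesystem permissions on /etc/univention/ssl/user/<username> to keep other users' bundles unreadable.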

Thank you. I was aware of these, but they still do not make it easy enough for me.
Just as for you, in my use case it was acceptable to use the root certificate to generate intermediate root certificate(s) and set up a proper PKI infrastructure.
