When changing certificate settings in the Univention Portal, a new root CA is created with the ssl/* registry parameters. Server Certificates are recreated and signed with the new CA.
Problems:
- The root CA has no pathlen constraint
- The key usage is not marked critical
- There is no way to add nameConstraints
- The server certificates' basicConstraints (not CA) are not marked critical
- The server certificates' key usage is not marked critical
I could not find a template file for the generated openssl.cnf files. Does anyone have an idea how to change the OpenSSL configuration in order to improve PKI security?
To be more precise: There are (at least) two ways to improve PKI
- Modify the template of the generated /etc/univention/ssl/openssl.cnf to add pathlen constraint, nameConstraints etc.
- Run your own offline Root CA and online Intermediate CA with proper pathlen and nameConstraints. Use this intermediate CA as UCS CA as described in "Can I use my own root CA?"
In both cases the server certificates issued by Univention are generated with their own openssl.cnf from a template which has some issues (basicConstraints and keyUsage not marked critical).
As far as I understand, UCS uses template files to generate system files but I could not find those corresponding to the openssl.cnf files in question.
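
The extension settings the post asks for, written out as an OpenSSL configuration fragment for the offline-root plus intermediate layout. This is an added example, not part of the original post and not Univention's template; the section names and the `example.test` domain are assumptions.

```ini
# Constructed example. Section names are hypothetical and do not
# correspond to the sections in the UCS-generated openssl.cnf.

# Offline root CA: may issue CA certificates, but the chain below it
# is limited to one further CA level (the intermediate).
[ root_ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Online intermediate CA, signed by the root. pathlen:0 means it can
# sign end-entity certificates only, no further sub-CAs.
# nameConstraints limits which names it can validly issue for
# (example.test is a placeholder for the site's own DNS domain).
[ intermediate_ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
nameConstraints        = critical, permitted;DNS:example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

# Server (end-entity) certificates: explicitly not a CA, and both
# basicConstraints and keyUsage are marked critical.
[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# Single-CA variant (the CA signs server certificates directly):
# use "basicConstraints = critical, CA:TRUE, pathlen:0" on that CA
# and put the nameConstraints line on it as well.
```

Whether an issued certificate actually carries these flags can be checked with `openssl x509 -in cert.pem -noout -text`, which prints `critical` next to each extension marked as such.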