System diagnosis: Check SSL certificates ("Überprüfung der SSL-Zertifikate")

I got the system diagnosis message

Zertifikat ‘/etc/univention/ssl/ucsCA/CAcert.pem’ wird in 12 Tagen ablaufen.
Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ wird in 14 Tagen ablaufen.
Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ wird in 14 Tagen ablaufen.
Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ wird in 14 Tagen ablaufen.
Zertifikat ‘/etc/univention/ssl/ucsCA/certs/01.pem’ wird in 12 Tagen ablaufen.
Zertifikat ‘/etc/univention/ssl/ucsCA/certs/02.pem’ wird in 12 Tagen ablaufen.
Zertifikat ‘/etc/univention/ssl/ucsCA/certs/03.pem’ wird in 12 Tagen ablaufen.
Zertifikat ‘/etc/univention/ssl/ucsCA/certs/04.pem’ wird in 19 Tagen ablaufen.
Zertifikat ‘/etc/univention/ssl/ucsCA/certs/05.pem’ wird in 26 Tagen ablaufen.

So I read the linked post http://sdb.univention.de/1000 and tried to renew with

openssl x509 -in CAcert.pem -out NewCAcert.pem -days "$(ucr get ssl/default/days)" \
  -passin file:/etc/univention/ssl/password \
  -signkey private/CAkey.pem \
  -sha256

This leads to

-bash: ucr: Kommando nicht gefunden.
x509: Can't parse "" as a number
x509: Non-positive number "" for -days
x509: Use -help for summary.

I checked the UCR via web interface, got the value 1825 days, changed “$(ucr get ssl/default/days)” to 1825, tried again and it worked: the first line with CAcert.pem vanished.

But what do I do with /etc/univention/ssl/ucsCA/certs/01.pem to /etc/univention/ssl/ucsCA/certs/05.pem? Do the same? But in this case: what do I have to use for the password file and signkey?

Thank you for your help.

Finally I resolved the problem.

  1. I worked with sudo for every single command. It was better to switch to a root shell with sudo -i. Using the root shell the error -bash: ucr: Kommando nicht gefunden. vanished. So I could renew all certificates like described here Renewing the SSL certificates at once.
  2. But my warnings with 01.pem to 05.pem stayed. This was because I had to revoke the older certificates with id 01 to 05. After doing this as described in Renewing the SSL certificates I got no certificate warnings any more.
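Added example (not part of the post and not Univention's diagnosis module code): a standard-library Python script that reports, for each file named in the diagnosis above, how many days remain until each certificate's notAfter date. It decodes the DER of every certificate block in a PEM file, so a chain file with several certificates is checked certificate by certificate, and it needs neither the `openssl` binary nor the `cryptography` package. The paths come from the diagnosis message; the sample certificate built by `build_sample_pem` is a constructed, unsigned structure used only so the example runs offline. Re-running such a check after the renew/revoke steps is how you confirm the warnings are really gone.

```python
"""Report days until expiry for the certificate files named in the diagnosis.
Added example, not Univention code: pure standard library, walks
tbsCertificate.validity.notAfter in the DER of each PEM block."""
import base64
import os
import re
from datetime import datetime, timezone

# Paths taken from the diagnosis message quoted in the post.
DIAGNOSED_PATHS = [
    "/etc/univention/ssl/ucsCA/CAcert.pem",
    "/etc/univention/letsencrypt/signed_chain.crt",
] + [f"/etc/univention/ssl/ucsCA/certs/{i:02d}.pem" for i in range(1, 6)]

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Return the DER bytes of every certificate block in a PEM file (chains give several)."""
    return [base64.b64decode(m.group(1)) for m in _PEM_RE.finditer(pem_bytes)]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; single-byte tags suffice for X.509 framing."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                            # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(der):
    """Return the notAfter date of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)             # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                            # [0] EXPLICIT version present (absent in v1)
        _, _, pos = _read_tlv(tbs, pos)        # serialNumber
    for _ in range(2):                         # signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)       # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _read_tlv(validity, 0)         # skip notBefore
    tag, value, _ = _read_tlv(validity, pos)
    return _parse_time(tag, value)


def days_until_expiry(der, now=None):
    """Whole days from `now` (default: current UTC time) until notAfter; negative if expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after(der) - now).days


def check_files(paths, now=None):
    """Yield (path, index_in_file, days_left) for every certificate in every readable file."""
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            for i, der in enumerate(pem_to_der_list(fh.read())):
                yield path, i, days_until_expiry(der, now)


def _tlv(tag, body):
    """Encode one DER tag-length-value (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def build_sample_pem(not_after_utc, not_before_utc=b"230101000000Z"):
    """CONSTRUCTED sample: structurally valid, unsigned v3 certificate with empty names.
    It exists only so the example runs offline; it is not a real certificate."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                            # version v3
               + _tlv(0x02, b"\x01")                                      # serialNumber
               + sha256_rsa + _tlv(0x30, b"")                             # signature, issuer
               + _tlv(0x30, _tlv(0x17, not_before_utc) + _tlv(0x17, not_after_utc))
               + _tlv(0x30, b"")                                          # subject
               + _tlv(0x30, rsa + _tlv(0x03, b"\x00")))                   # subjectPublicKeyInfo
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))             # placeholder signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for path, i, days in check_files(DIAGNOSED_PATHS):
        print(f"{path}[{i}]: expires in {days} days")
    sample = pem_to_der_list(build_sample_pem(b"240315120000Z"))[0]
    print("constructed sample notAfter:", not_after(sample).isoformat())
```

Run it as root on the UCS host to see one line per certificate (a chain file yields one line per certificate it contains); files that do not exist are skipped. The parser only reads the validity dates and does not verify signatures or chains, so it complements, rather than replaces, a proper `openssl verify`.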