Troubleshooting: PKI extension (univention-usercert)

installation
ssl
pki
x509
certificates
ucs-4

#1

General information

UCS comes with a self-signed Certificate Authority to provide TLS encrypted network communication by default, see https://docs.univention.de/manual-4.2.html#domain:ssl

The PKI extension is not part of the default installation, but can be installed manually. It adds the followings features to the already present CA:

  • Certificates can be issued for users
  • Certificates can be issued for windows computers
  • Those certificates (users and windows) are additionally stored in the LDAP directory
  • This functionality is accessible via the Univention Management Console

The basic installation and usage of the PKI extension is described here in the Univention Wiki.
The PKI extension consists of three software packages:

  • univention-ldap-usercert - provides the required ldap schema extension
  • univention-usercert - enables certificate creation for users
  • univention-windowscert - enables certificate creation for windows computer objects

The PKI extension adds the following LDAP objectClass:

  • univentionManageCertificates

The PKI extension adds the following LDAP attributes:

LDAP attribute UDM-CLI Names (ext. attribute) Possible Values
univentionCreateRevokeCertificate createRevokeCertificate
createRevokeCertificateWindows
0: No cert (changing from 1 to 0 revokes cert)
1: certificate (changing from 0 to 1 creates cert)
univentionRenewCertificate renewCertificate
renewCertificateWindows
None: default value
0: do not recreate the certificate
1: recreate the certificate
univentionCertificateDays certificateDays
certificateDaysWindows
None: use UCRV ssl/usercert/days
valid time in days, e.g. 365

The other used LDAP and UDM attributes are already part of the default product, e.g. userCertificate

Listener

The PKI extension adds the following listener module:

  • /usr/lib/univention-directory-listener/system/manageusercertificate.py

Despite the name, this module handles the automatic creation and revocation of user and windows certificates.
For debugging, the listener debug level must be set to ‘3’ at least:

ucr set listener/debug/level='3' && /etc/init.d/univention-directory-listener restart

Example output of /var/log/univention/listener.log while adding a certificate to an user:

13.07.15 13:55:05.040 LISTENER ( INFO ) : manageusercertificate: handler
13.07.15 13:55:05.044 LISTENER ( INFO ) : manageusercertificate: create cert msomerville
13.07.15 13:55:05.045 LISTENER ( INFO ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name ‘msomerville’ -cn ‘msomerville’ -sslbase ‘/etc/univention/ssl’ -ca ‘ucsCA’
13.07.15 13:55:05.106 LISTENER ( INFO ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name ‘msomerville’ -cn
‘msomerville’ -days ‘365’ -email ‘ssl@domain.example.org’ -organizationalunit ‘Univention Corporate Server’ -certpath ‘/etc/univention/ssl/user’ -sslbase ‘/etc/univention/ssl’ -ca ‘ucsCA’ -admingroup ‘Domain Admins’ -state ‘DE’ -organization ‘PKI FTW’ -country
‘DE’ -locality ‘DE’
13.07.15 13:55:05.411 LISTENER ( INFO ) : manageusercertificate: handler successfully finished

Example output of /var/log/univention/listener.log while adding a certificate to a windows computer:

13.07.15 13:55:05.411 LISTENER ( INFO ) : manageusercertificate: handler successfully finished
13.07.15 13:58:42.045 LISTENER ( INFO ) : manageusercertificate: handler
13.07.15 13:58:42.050 LISTENER ( INFO ) : manageusercertificate: create cert windows02$
13.07.15 13:58:42.050 LISTENER ( INFO ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name ‘windows02$’ -cn
‘windows02’ -sslbase ‘/etc/univention/ssl/’ -ca ‘ucsCA’
13.07.15 13:58:42.110 LISTENER ( INFO ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name ‘windows02$’ -cn
‘windows02’ -days ‘730’ -email ‘ssl@domain.example.org’ -organizationalunit ‘Univention Corporate Server’ -certpath ‘/etc/univention/ssl/windows-hosts’ -sslbase ‘/etc/univention/ssl/’ -ca ‘ucsCA’ -admingroup ‘Domain Admins’ -state ‘DE’ -organization ‘PKI FTW’
-country ‘DE’ -locality ‘DE’
13.07.15 13:58:42.417 LISTENER ( INFO ) : manageusercertificate: handler successfully finished

Manual creation of certificates

The PKI extension adds the following shell script:

  • /usr/sbin/univention-certificate-user

This is an adaption of the script “univention-certificate”, which is part of the default product. It covers the same use cases as “univention-certificate”, but for user certificates. Please note, that certificates created manually via this script are not automatically stored in the LDAP directory.

Example: create a new certificate:

root@ucs:\~\# univention-certificate-user new -name 'windows03\$' -cn 'windows03' -days '730' -email 'ssl@domain.example.org' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/windows-hosts' -sslbase '/etc/univention/ssl/' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'PKI FTW' -country 'DE' -locality 'DE'

Example: verify if an existing certificate is valid:

root@ucs:\~\# univention-certificate-user check -name 'msomerville' -cn 'msomerville'

Verfiy file permissions

The default file permissions are as follows. Please note, that the certificate path and the group can be modified via UCR.

root@ucs:~# ls -la /etc/univention/ssl/user/msomerville/
drwxr-x--- 2 msomerville Domain Admins 4096 Jul 13 13:55 .
drwxr-xr-x 5 root        root          4096 Jul 13 13:52 ..
-rw-r-x--- 1 msomerville Domain Admins 1157 Jul 13 13:55 cert.cer
-rw-r-x--- 1 msomerville Domain Admins 4450 Jul 13 13:55 cert.pem
-rw-r-x--- 1 msomerville Domain Admins 3717 Jul 13 13:55 msomerville.p12
-rw-r-x--- 1 msomerville Domain Admins   10 Jul 13 13:55 msomerville-p12-password.txt
-rw-r-x--- 1 msomerville Domain Admins 3269 Jul 13 13:55 openssl.cnf
-rw-r-x--- 1 msomerville Domain Admins  891 Jul 13 13:55 private.key
-rw-r-x--- 1 msomerville Domain Admins  826 Jul 13 13:55 req.pem
root@ucs:~# ls -la /etc/univention/ssl/windows-hosts/windows02$/
drwxr-x--- 2 windows02$ Domain Admins 4096 Jul 13 15:13 .
drwxr-xr-x 4 root       root          4096 Jul 13 13:58 ..
-rw-r-x--- 1 windows02$ Domain Admins 1155 Jul 13 15:13 cert.cer
-rw-r-x--- 1 windows02$ Domain Admins 4444 Jul 13 15:13 cert.pem
-rw-r-x--- 1 windows02$ Domain Admins 3268 Jul 13 15:13 openssl.cnf
-rw-r-x--- 1 windows02$ Domain Admins  891 Jul 13 15:13 private.key
-rw-r-x--- 1 windows02$ Domain Admins  822 Jul 13 15:13 req.pem
-rw-r-x--- 1 windows02$ Domain Admins 3717 Jul 13 15:13 windows02$.p12
-rw-r-x--- 1 windows02$ Domain Admins   11 Jul 13 15:13 windows02$-p12-password.txt

Manually verfiy certificates

The following openssl commands can be used to have a closer look at the certificates:

User:

openssl x509 -in /etc/univention/ssl/user/uid/cert.pem -text -noout

Windows client:

openssl x509 -in /etc/univention/ssl/windows-hosts/windows-hostname\\\$/cert.pem -text -noout