I’m trying to upload a custom CA to Univention but I’m having a hard time with it. The only information I’ve found was this but it’s really about setting server certificates not CA certificates. CA certificates, like a custom root or a subordinate CA, cannot be used for endpoints. I poked around the file system and found on /etc/ssl/certs only one (plus a concatenated file) certificate that’s not symlinked with a matching private key on /etc/ssl/private.
It looked very guilty, but when I downloaded the file it didn’t match the issuer of the UI’s certificate. A few lines away from that one, however, I found ucsCA.pem, a symlink to /usr/local/share/ca-certificates/ucsCA.crt, itself a symlink to /etc/univention/ssl/ucsCA/CAcert.pem. This matched the working root.
In /etc/univention/ssl/ there’s the .conf file to create the custom CAs; it has the default example values that appear on the new CA assistant instead of matching the values of the working CA, so I assume this file has not been called yet. I thought about just replacing the CA and key files with my own, but I’m not sure how to tell Univention to reissue files for its services and if it would use the replaced CA or would try to create a new one.
Lastly, in the same directory down the tree, I found some files with the words “serial” and “backup” in them. My guess is that the system will self-protect if something doesn’t align perfectly and will invoke a reissuing of something, crash, or simply revert back.
Any idea if this is possible?
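
The checks described in the post above (follow the symlink chain, confirm which CA file really issued the UI certificate, confirm which private key belongs to that CA), as an added shell example that is not part of the original post. It assumes the OpenSSL 1.1.0 or later command line tool; every key and certificate is constructed in a temporary directory, and only the symlink names mirror those in the post.

```shell
#!/usr/bin/env bash
# Added example. Everything is generated in a temp dir; no host files are touched.

# issued_by CERT CA: true only if CERT's signature verifies against CA.
# -no-CApath keeps the system trust directory (/etc/ssl/certs) out of the
# check, so a CA that is already installed there cannot mask a wrong guess.
issued_by() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches KEY CERT: true if the public half of KEY is the key in CERT.
key_matches() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# make_demo DIR: constructed sample PKI (two roots, one leaf signed by root a)
# plus a symlink chain named like the one in the post.
make_demo() {
    local d=$1 n
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Root $n" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    mv "$d/a.pem" "$d/CAcert.pem" && mv "$d/b.pem" "$d/other.pem" &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ui.example.test" \
        -keyout "$d/ui.key" -out "$d/ui.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ui.csr" -CA "$d/CAcert.pem" -CAkey "$d/a.key" \
        -CAcreateserial -days 1 -out "$d/ui.pem" 2>/dev/null &&
    ln -s "$d/CAcert.pem" "$d/ucsCA.crt" && ln -s "$d/ucsCA.crt" "$d/ucsCA.pem"
}

d=$(mktemp -d) && make_demo "$d" || exit 1
echo "ucsCA.pem resolves to: $(readlink -f "$d/ucsCA.pem")"
for ca in ucsCA.pem other.pem; do
    if issued_by "$d/ui.pem" "$d/$ca"; then echo "$ca: issued ui.pem"
    else echo "$ca: did NOT issue ui.pem"; fi
done
for key in a.key b.key; do
    if key_matches "$d/$key" "$d/ucsCA.pem"; then echo "$key: belongs to ucsCA.pem"
    else echo "$key: does not belong to ucsCA.pem"; fi
done
rm -rf "$d"
```

On a real host the same two functions can be pointed at the served certificate and the candidate CA and key files, run read-only with sufficient privileges to read the key.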