By default, certificates created by the UCS CA are used in UCS for daemons such as Apache, Postfix and Dovecot (or Cyrus). As described in the following sections, the Apache, Dovecot, Cyrus and Postfix services can be configured to use externally created certificates. The steps must be carried out on the server on which the respective service is running.
Note:
If you have no `.pem` file for the services below, you can create one with openssl. Say you have:
ca_bundle.crt
my_de.crt
my_de.key
Convert the certificate with:
openssl x509 -in my_de.crt -out my_de.pem -outform PEM
Apache
To use your own certificates for the Apache web server, the UCR variables `apache2/ssl/certificate` and `apache2/ssl/key` need to be set to the full path of the certificate files. If your CA uses intermediate certificates, you'll also need to set `apache2/ssl/certificatechain`. Here's an example:
ucr set apache2/ssl/certificate="/etc/myssl/cert.pem" apache2/ssl/key="/etc/myssl/private.key"
# Optionally:
ucr set apache2/ssl/certificatechain="/etc/myssl/chain.pem"
The service must then be restarted for the changes to take effect:
service apache2 restart
Cyrus
Cyrus was used as IMAP server up to UCS 4.0-1. Since UCS 4.0-2, the default IMAP server is Dovecot (see below).
When configuring the SSL certificates for the IMAP server Cyrus, special attention must be paid to the fact that the files need to belong to the cyrus user and the mail group. It is thus recommended to create an additional copy of the certificates. Following the example above, the configuration could be performed as follows:
cp /etc/myssl/cert.pem /var/lib/cyrus/cert.pem
cp /etc/myssl/private.key /var/lib/cyrus/private.key
chown cyrus:mail /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key
chmod 600 /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key
The UCR variables `mail/cyrus/ssl/certificate` and `mail/cyrus/ssl/key` must then be set for Cyrus:
ucr set mail/cyrus/ssl/certificate="/var/lib/cyrus/cert.pem"
ucr set mail/cyrus/ssl/key="/var/lib/cyrus/private.key"
The Cyrus server finally needs to be restarted:
service cyrus2.4 restart
Dovecot
Dovecot is the default IMAP server since UCS 4.0-2 and supersedes Cyrus.
The UCR variables `mail/dovecot/ssl/certificate` and `mail/dovecot/ssl/key` must be set for Dovecot:
ucr set mail/dovecot/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/dovecot/ssl/key="/etc/myssl/private.key"
Then restart the daemon:
service dovecot restart
Postfix
The UCR variables `mail/postfix/ssl/certificate` and `mail/postfix/ssl/key` need to be configured:
ucr set mail/postfix/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/postfix/ssl/key="/etc/myssl/private.key"
Then the mail server has to be restarted:
service postfix restart
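Before pointing any of the UCR variables above at an external certificate and restarting a service, it is worth confirming that the certificate and key belong together, that the key is not accessible to other users, and that the certificate is not about to expire. The following script is an added example, not part of the original article; the function names and the 30-day threshold are assumptions, and it relies on GNU stat and the openssl command line tool.

```sh
#!/bin/sh
# Added example, not from the original article: pre-flight checks for an
# external certificate. Function names and the 30-day threshold are assumptions.

# 0 if the private key file grants no access to group or others.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat (Debian/UCS)
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if certificate $1 and private key $2 carry the same public key.
# "-passin pass:" makes an encrypted key fail here instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 if leaf $1 verifies against CA bundle $2 using intermediates in $3.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Usage: preflight CERT KEY [CA_BUNDLE CHAIN]; returns 0 only if all checks pass.
preflight() {
    rc=0
    key_perms_ok "$2"           || { echo "FAIL: $2 is accessible by group/others"; rc=1; }
    cert_matches_key "$1" "$2"  || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    cert_valid_for "$1" 2592000 || { echo "FAIL: $1 expires within 30 days"; rc=1; }
    if [ -n "$3" ] && [ -n "$4" ]; then
        chain_verifies "$1" "$3" "$4" || { echo "FAIL: $1 does not chain to $3"; rc=1; }
    fi
    return "$rc"
}

# Run only when called with arguments, e.g.:
#   sh preflight.sh /etc/myssl/cert.pem /etc/myssl/private.key
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

For Cyrus, run the check against the copies under /var/lib/cyrus, since those are the files the daemon reads.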