What happened with univention-windowscert?

I was looking at this

and the github repo,
but univention-windowscert seems to have disappeared.

This would partially link to my other question about Windows client certs from here:

Hey, the packages univention-windowscert and univention-usercert are build from the same source code you can find at github (see the debian/control file)

As described in the instructions you linked above, after activating the separate repository, both packages can be installed by

univention-install univention-usercert univention-windowscert

So all is still there and not disappeared - did you get an error?

Hi peichert,

after your reply I was wondering if I’m loosing my mind… luckily it’s not me :slight_smile:

Initially I was just investigating the device certs and how to implement this in UCS5.0.5 without Cool repo. It would mean that each certificate would have to be created manually and passed to the device (interestingly certificates for IP-clients are generated without any issues. I’m not sure why this doesn’t work for other objects).

I installed new clean UCS updated it to the latest errata (5.0-5 errata857) added Cool repro and was able to install and use univention-usercert (windowscert got installed but didn’t work.
After installing “Active Directory-compatible Domain Controller” both apps disappeared from the system.

What I mean, apt reports them as installed but calling the command does nothing

Here’s what happenes with apt:

sudo apt install univention-usercert univention-windowscert
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  univention-usercert univention-windowscert
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.3 kB of archives.
After this operation, 134 kB of additional disk space will be used.
Get:1 https://updates.software-univention.de/5.0/unmaintained/component cool-solutions/all/ univention-usercert 5.0.0-4A~5.0.0.202303221056 [16.5 kB]
Get:2 https://updates.software-univention.de/5.0/unmaintained/component cool-solutions/all/ univention-windowscert 5.0.0-4A~5.0.0.202303221056 [6,884 B]
Fetched 23.3 kB in 0s (101 kB/s)
Selecting previously unselected package univention-usercert.
(Reading database ... 91635 files and directories currently installed.)
Preparing to unpack .../univention-usercert_5.0.0-4A~5.0.0.202303221056_all.deb ...
Unpacking univention-usercert (5.0.0-4A~5.0.0.202303221056) ...
Selecting previously unselected package univention-windowscert.
Preparing to unpack .../univention-windowscert_5.0.0-4A~5.0.0.202303221056_all.deb ...
Unpacking univention-windowscert (5.0.0-4A~5.0.0.202303221056) ...
Setting up univention-usercert (5.0.0-4A~5.0.0.202303221056) ...
Not updating ssl/usercert/default/country
Not updating ssl/usercert/default/email
Not updating ssl/usercert/default/locality
Not updating ssl/usercert/default/organization
Not updating ssl/usercert/default/organizationalunit
Not updating ssl/usercert/default/state
Not updating ssl/usercert/certpath
Not updating ssl/usercert/admingroup
Not updating ssl/usercert/days
Not updating ssl/usercert/ca
Not updating ssl/usercert/sslbase
Not updating ssl/usercert/ldapimport
Not updating ssl/usercert/scripts
Not updating ssl/usercert/certldapmapping/cn
Not updating ssl/usercert/certldapmapping/email
Not updating ssl/usercert/certldapmapping/organization
Not updating ssl/usercert/certldapmapping/locality
Not updating ssl/usercert/pkcs12/chain
Calling joinscript 31univention-usercert.inst ...
2023-11-01 17:46:50.033727329+00:00 (in joinscript_init)
Joinscript 31univention-usercert.inst finished with exitcode 1
Setting up univention-windowscert (5.0.0-4A~5.0.0.202303221056) ...
Not updating ssl/windowscert/certpath
Not updating ssl/windowscert/admingroup
Not updating ssl/windowscert/days
Not updating ssl/windowscert/ca
Not updating ssl/windowscert/sslbase
Not updating ssl/windowscert/ldapimport
Not updating ssl/windowscert/scripts
Not updating ssl/windowscert/certldapmapping/cn
Not updating ssl/windowscert/pkcs12/chain
Calling joinscript 32univention-windowscert.inst ...
2023-11-01 17:46:51.013463970+00:00 (in joinscript_init)
Joinscript 32univention-windowscert.inst finished with exitcode 1


Administrator@ucs-9954:~$ sudo univention-usercert
sudo: univention-usercert: command not found

any ideas?

Hmm, there is no such command you mentioned, where do you find that instruction? BTW: please use the “Administrator” for the gui, but for the terminal use “root” account.

I will guide you, how to use that cool solution.

  1. After successfully installed the cool solution, it does nothing automatically.
  2. Please read the instructions carefully, run univention-run-join-scripts and have a look at the screenshots
  3. For each User or Computer in LDAP, where you want to have a certificate, please active the checkbox in the Web GUI interface in the User or Computer module
    3.1 for a user: Public key infrastructure account and Create/Revoke User Certificate
    3.2 for a computer: Public key infrastructure account and Create/Revoke Certificate
  4. these activation could also be archived by udm command in ssh terminal, for example:
udm users/user create --ignore_exists --position "cn=users,$(ucr get ldap/base)" --set username="user1" --set lastname="user1" --set password="univention"
udm users/user modify --append-option pki --dn "uid=user1,cn=users,$(ucr get ldap/base)"
udm users/user modify --set createRevokeCertificate=1 --dn "uid=user1,cn=users,$(ucr get ldap/base)"

udm computers/windows create --ignore_exists --position "cn=computers,$(ucr get ldap/base)" --set name="win1"
udm computers/windows modify --append-option pki --dn "cn=win1,cn=computers,$(ucr get ldap/base)"
udm computers/windows modify --set createRevokeCertificateWindows=1 --dn "cn=win1,cn=computers,$(ucr get ldap/base)" 
  1. check the result in terminal
~# ls /etc/univention/ssl/user/user1/
cert.cer  cert.pem  openssl.cnf  private.key  req.pem  user1.p12  user1-p12-password.txt

~# ls /etc/univention/ssl/windows-hosts/win1\$/
cert.cer   cert.pem   openssl.cnf   private.key   req.pem  'win1$.p12'  'win1$-p12-password.txt'
  1. Think about what you want to archive with these certificates, i.e a rollout to the windows client is not part of the cool solution. You need some MDM tool like filewave or opsi for that.

@peichert that did help, thank you

In my case I had to re-run the join script:

univention-run-join-scripts --force --run-scripts 31univention-usercert.inst

and then what I didn’t realize was the Public key infrastructure account activated the Certificate tab where you have to tick Create/Revoke User Certificate for the cert to be created.

Mastodon