Hello,
I would like to set up my own PKI to manage internal certificates. Since I already use UCS, which has its own CA, I wonder which of the following options would be recommended:
(1) use the UCS CA to create the certificates as per https://docs.software-univention.de/domain-4.4.html#extdom:ssl:manage. This works very well if one only needs to issue a few certs for some non-UCS servers. However, it supports only SSL certs for servers. I would like to be able to create client certs for OpenVPN, and this seems unsupported. I looked into the scripts /usr/sbin/univention-certificate and /usr/share/univention-ssl/make-certificates.sh, and I think I might be able to use openssl directly to generate the CSRs for OpenVPN clients and sign them with the UCS CA. However, there are some potential problems with this approach:
- it can break UCS (just a worry, I am not that experienced with openssl and UCS)
- it will put a lot of certs into the UCS CA db (under /etc/univention/ssl), since I want to create a separate cert for each OpenVPN user
What I like about this approach is that I have a single CA in UCS.
(2) set up another PKI, completely separate from the UCS CA, following for example this guide: https://pki-tutorial.readthedocs.io/. This is probably easier and safer. The downside is that now I have 2 root CAs, which feels odd.
What would you recommend?
Regards,
Tony
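As an added example (not from the original post and not one of UCS's own scripts), here is the openssl-based path of option (1) written so that it never writes into the CA's own tree: it generates a key and CSR per OpenVPN user, signs the CSR with the CA key while adding the clientAuth extendedKeyUsage that a server-only issuance flow leaves out, and checks the result with `openssl verify -purpose sslclient`. The CA is a throwaway demo CA created in a temp directory so the script runs anywhere; `CA_DIR`, `CLIENT_DIR` and `SERIAL_FILE` are assumed paths, and on a real host `CA_DIR` would point at the UCS CA key and certificate.

```shell
#!/bin/sh
# Added example: issue OpenVPN client certificates with plain openssl, signed
# by an existing CA, without writing into that CA's own database.
# Assumptions: CA_DIR stands in for the UCS CA directory; here it holds a
# throwaway demo CA so the script runs offline. All paths are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/demo-ca"              # would be the UCS CA location on a real host
CLIENT_DIR="$WORK/openvpn-clients"  # per-user output, kept apart from the CA tree
SERIAL_FILE="$WORK/openvpn-serial"  # own serial counter, not the CA's own index

# Throwaway CA playing the role of the existing root CA (demo only).
make_demo_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Root CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    printf '1000\n' > "$SERIAL_FILE"   # hex serial; openssl increments it per cert
}

# Key + CSR for one user, then sign with the CA key. $2 selects the
# extendedKeyUsage: clientAuth for an OpenVPN client, serverAuth to mimic
# what a server-only issuance flow produces.
issue_cert() {
    user="$1"; eku="${2:-clientAuth}"
    dir="$CLIENT_DIR/$user"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    chmod 600 "$dir/$user.key"
    # Extensions are dictated by the signer here, never copied from the CSR.
    cat > "$dir/ext.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=$eku
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    openssl x509 -req -in "$dir/$user.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAserial "$SERIAL_FILE" \
        -days 365 -extfile "$dir/ext.cnf" -out "$dir/$user.crt" 2>/dev/null
}

# Checks before handing the cert to a user: it chains to the CA *and* is
# acceptable as a TLS client (a serverAuth-only cert fails this check).
verify_cert() {
    user="$1"
    crt="$CLIENT_DIR/$user/$user.crt"
    openssl verify -CAfile "$CA_DIR/ca.crt" -purpose sslclient "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
}

make_demo_ca
issue_cert alice clientAuth
verify_cert alice && echo "alice: client cert OK in $CLIENT_DIR/alice"
```

The serial counter and every per-user file live outside the CA directory, so nothing in the CA tree is modified; whether the UCS tooling expects to see these certificates in its own index (for listing or revocation) is a separate question that the UCS documentation would have to answer. Running the same signing step with `serverAuth` reproduces a server-only cert, and `verify_cert` rejects it, which is the quickest way to confirm that a cert really carries the client EKU before it is shipped to an OpenVPN user.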