Univention Corporate Server (UCS) » SSL certificates

ID #1183

Renewing the SSL certificates


Communication between the different systems in a UCS domain is largely SSL encrypted. A root certificate and host certificate for each computer are required for the SSL encryption. The root certificate is only valid for a specified period of time, as are the host certificates created with the root certificate. Once this period of time elapses, services which encrypt their communication with SSL (e.g., LDAP) no longer function. It is thus essential to verify the validity of the certificates and create new host certificates as necessary.

The following commands need to be performed on a UCS master.

univention-certificate can be used to check how long a computer certificate remains valid:

univention-certificate dump -name ucs-master.univention.de
[...]
Validity
    Not Before: Jun 19 10:40:13 2006 GMT
    Not After : Jun 18 10:40:14 2008 GMT
[...]

The -name argument must be the FQDN of the computer (computer name plus domain name). A list of all available certificates can be called up with:

univention-certificate list

The certificates of all computers in a UCS domain usually have the same expiry date. To create new certificates, proceed as follows:

Create back-ups of the old certificates

cp -a /etc/univention/ssl /etc/univention/ssl_$(date +"%d%m%Y")


Renewal of the certificates

Renew the root certificate. The CA key password is read from the /etc/univention/ssl/password file via -passin:

cd /etc/univention/ssl/ucsCA
openssl x509 -in CAcert.pem -out NewCAcert.pem -days 1000 \
    -passin file:/etc/univention/ssl/password \
    -signkey private/CAkey.pem
mv NewCAcert.pem CAcert.pem

Attention: on UCS systems with a version older than 2.0, the directory /etc/univention/ssl/ucsCA was named /etc/univention/ssl/udsCA.

Renewing all computer certificates:

eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days 730; done


Copy the new certificates

Copy the new certificates onto the other computer systems (every UCS/UCC system except DC backups; ucs-slave is used as the example computer here):

eval "$(ucr shell)"
cd /etc/univention/ssl/
scp ucsCA/CAcert.pem root@ucs-slave:/etc/univention/ssl/ucsCA/
scp -r ucs-slave.$domainname root@ucs-slave:/etc/univention/ssl/
scp -r ucs-slave.$domainname/* root@ucs-slave:/etc/univention/ssl/ucs-slave/

This last step is not required on a UCS backup computer, as it is performed automatically via cron.

The following command makes the newly created root certificate available to all users via the UCS master's central administration website (the absolute path is used here so the command works from any directory):

cp /etc/univention/ssl/ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

After the certificates have been updated, the new information is not yet displayed in Univention Directory Manager. It would only be updated during the next regular check, as the cron job set up for this purpose runs only once a day. To verify the validity of the certificates immediately, the corresponding Univention Configuration Registry variables need to be re-evaluated. This is done by running the following script:

/usr/sbin/univention-certificate-check-validity

All services which use SSL encryption must then be restarted. Alternatively, the system can be rebooted if it is not known exactly which services employ SSL.

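To confirm after the renewal that the CA and every host certificate on a system are actually valid for long enough, here is an added example (not Univention's own code) that walks the /etc/univention/ssl layout described above using only openssl. The base directory and the warning threshold in days are parameters introduced by this example.

```shell
#!/bin/sh
# Added example, not part of the Univention FAQ: scan a UCS certificate
# directory (layout: <base>/ucsCA/CAcert.pem and <base>/<fqdn>/cert.pem) and
# flag every certificate that is expired or expires within a given number of
# days. Only openssl is used, so it also works on systems where
# univention-certificate is unavailable. BASE and DAYS are parameters
# introduced by this example.

# cert_expires_within FILE DAYS: succeeds (exit 0) when the certificate in
# FILE is already expired or expires within DAYS days.
cert_expires_within() {
    # -checkend N returns 0 only if the certificate is still valid N seconds from now
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_not_after FILE: prints the notAfter date of the certificate in FILE
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2-
}

# check_ssl_dir BASE DAYS: prints one line per certificate (CA first, then the
# per-host cert.pem files) and returns 1 if at least one needs renewal, else 0.
check_ssl_dir() {
    base=$1
    days=$2
    rc=0
    for cert in "$base/ucsCA/CAcert.pem" "$base"/*/cert.pem; do
        [ -f "$cert" ] || continue
        if cert_expires_within "$cert" "$days"; then
            printf 'RENEW  %s  (notAfter=%s)\n' "$cert" "$(cert_not_after "$cert")"
            rc=1
        else
            printf 'OK     %s  (notAfter=%s)\n' "$cert" "$(cert_not_after "$cert")"
        fi
    done
    return "$rc"
}

# Usage: sh check-ucs-certs.sh [BASE] [DAYS], e.g. on a UCS system:
#   sh check-ucs-certs.sh /etc/univention/ssl 60
if [ "$#" -ge 1 ]; then
    check_ssl_dir "$1" "${2:-30}"
fi
```

A non-zero exit status makes the script usable directly from cron or a monitoring check.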

Cyrus

On computers where the Cyrus mail server is running, cert.pem and private.key must also be copied to /var/lib/cyrus/:

cp /etc/univention/ssl/"$(hostname -f)"/cert.pem /var/lib/cyrus/
cp /etc/univention/ssl/"$(hostname -f)"/private.key /var/lib/cyrus/

After that, the owner of the new files must be adjusted:

chown cyrus:mail /var/lib/cyrus/cert.pem
chown cyrus:mail /var/lib/cyrus/private.key


AD Connector

If the AD Connector is used, its certificates should be renewed as well. Make the new certificates available for download via UMC:

cp /etc/univention/ssl/<FQDN of ad system>/{cert.pem,private.key} /var/www/univention-ad-connector/
chgrp www-data /var/www/univention-ad-connector/{cert.pem,private.key}

After that, the new certificates can be downloaded from UMC and configured in the AD Connector.


FreeRADIUS

If FreeRADIUS is used, cert.pem and private.key must also be copied to /etc/freeradius/ssl:

cp /etc/univention/ssl/"$(hostname -f)"/cert.pem /etc/freeradius/ssl/
cp /etc/univention/ssl/"$(hostname -f)"/private.key /etc/freeradius/ssl/

After that, the owner of the new files must be adjusted:

chown root:freerad /etc/freeradius/ssl/cert.pem
chown root:freerad /etc/freeradius/ssl/private.key

Tags: SSL, UNIVENTION_SSL, zertifikate

Last update: 2015-06-17 11:54
Author: Moritz Mühlenhoff
Revision: 1.26
