Univention Corporate Server (UCS) » SSL certificates

ID #1243

Using your own SSL/TLS certificates

By default, the certificates created by the self-signed UCS CA are used by all services offering SSL/TLS encrypted communication. As described below, the webserver Apache, the MTA Postfix, the IMAP servers Dovecot and Cyrus and the RADIUS implementation FreeRADIUS can be configured to use other certificates.

All certificate files need to be in PEM format.


To use your own certificates for the web server Apache, at least the UCR variables apache2/ssl/certificate and apache2/ssl/key need to be set to the full path of the certificate files, e.g.:

ucr set apache2/ssl/certificate="/etc/myssl/cert.pem"
ucr set apache2/ssl/key="/etc/myssl/private.key"

There are also UCR variables for the CA Certificate (apache2/ssl/ca) and a certificate chain (apache2/ssl/certificatechain).

The service must then be restarted for the changes to take effect:

/etc/init.d/apache2 restart


Dovecot is the default IMAP server since UCS 4.0-2. Older UCS system might use Cyrus (see below).

The UCR variables mail/dovecot/ssl/certificate and mail/dovecot/ssl/key need to be configured for Dovecot:

ucr set mail/dovecot/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/dovecot/ssl/key="/etc/myssl/private.key"

The Dovecot server then needs to be restarted:

/etc/init.d/dovecot restart


Cyrus was the default IMAP server on UCS up to UCS 4.0-2. Newer versions use Dovecot as default (see above).

When configuring the SSL certificates for the IMAP server Cyrus, special attention must be paid to the fact that the files need to belong to the cyrus user and the mail group. It is thus recommended to create an additional copy of the certificates. Following the example above, the configuration could be performed as follows:

cp /etc/myssl/cert.pem /var/lib/cyrus/mycert.pem
cp /etc/myssl/private.key /var/lib/cyrus/myprivate.key
chown cyrus:mail /var/lib/cyrus/mycert.pem /var/lib/cyrus/myprivate.key
chmod 600 /var/lib/cyrus/mycert.pem /var/lib/cyrus/myprivate.key

The UCR variables mail/cyrus/ssl/certificate and mail/cyrus/ssl/key must then be set for Cyrus:

ucr set mail/cyrus/ssl/certificate="/var/lib/cyrus/mycert.pem"
ucr set mail/cyrus/ssl/key="/var/lib/cyrus/myprivate.key"

The Cyrus server finally needs to be restarted:

/etc/init.d/cyrus2.4 restart


Postfix is the mail transfer agent (MTA) and responsible for SMTP. The UCR variables mail/postfix/ssl/certificate and mail/postfix/ssl/key need to be configured:

ucr set mail/postfix/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/postfix/ssl/key="/etc/myssl/private.key"

Then the mail server has to be restarted:

/etc/init.d/postfix restart


UCS provides also FreeRADIUS as optional component.

Please note that the group freerad needs read access to the files. Therefore it's recommended to create an additional copy of your certificate and the private key and change the permissions accordingly:

cp /etc/myssl/cert.pem /etc/freeradius/ssl/mycert.pem
cp /etc/myssl/private.key /etc/freeradius/ssl/myprivate.key
chgrp freerad /etc/freeradius/ssl/mycert.pem /etc/freeradius/ssl/private.key
chmod 440 /etc/freeradius/ssl/mycert.pem /etc/freeradius/ssl/private.key

Then configure the UCR variables freeradius/conf/certificate/file and freeradius/conf/private/key/file:

ucr set freeradius/conf/certificate/file="/etc/freeradius/ssl/mycert.pem"
ucr set freeradius/conf/private/key/file="/etc/freeradius/ssl/myprivate.key"

Afterwards, restart the FreeRADIUS daemon:

/etc/init.d/freeradius restart


Tags: -

Related entries:

Last update: 2017-06-13 22:43
Author: Moritz Mühlenhoff
Revision: 1.1

Digg it! Share on Facebook Print this record Send FAQ to a friend Show this as PDF file
Please rate this FAQ:

Average rating: 3.67 (3 Votes)

completely useless 1 2 3 4 5 most valuable

You cannot comment on this entry