Univention Corporate Server (UCS) » SSL certificates

ID #1345

Renewing the complete SSL chain


Problem:

How can a full renewal of the complete SSL chain be achieved?

Solution:

To recreate CAkey.pem and the certificates that depend on it, proceed as follows:

Back up /etc/univention/ssl by moving it aside:

mv /etc/univention/ssl /etc/univention/ssl_$(date +"%d%m%Y")

Create a new SSL chain and a new certificate for the DC master:

apt-get install --reinstall univention-ssl

Set the group ownership and permissions:

chgrp 'DC Backup Hosts' -R /etc/univention/ssl/openssl.cnf /etc/univention/ssl/password /etc/univention/ssl/ucsCA/
chgrp 'DC Slave Hosts' /etc/univention/ssl/ucsCA/CAcert.pem
find /etc/univention/ssl/ucsCA/ -type d -exec chmod g+rwX {} \;

Renew the certificate for the DNS alias univention-directory-manager and recreate the certificates for each machine in your domain:

eval "$(univention-config-registry shell)"
univention-certificate new -name univention-directory-manager.$domainname -days $ssl_default_days
ln -s /etc/univention/ssl/univention-directory-manager.$domainname/ /etc/univention/ssl/univention-directory-manager
/etc/init.d/slapd restart
univention-directory-listener-ctrl resync gencertificate
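
Once the resync has finished, it is worth confirming that every host certificate on the DC master chains to the new CA before anything is copied to other systems. The following check is an added example, not part of the original article; the helper name check_ssl_chain and the per-host cert.pem file layout are assumptions, and the -no-CApath option needs OpenSSL 1.1.0 or later.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Assumed layout: one directory per host below the SSL directory, each
# holding that host's certificate as cert.pem, and the CA certificate at
# ucsCA/CAcert.pem.

# check_ssl_chain [SSL_DIR]   (hypothetical helper name)
# Prints "OK <file>" or "STALE <file>" for every host certificate.
# Returns 0 if all verify against the current CA, 1 if any does not,
# 2 if the CA certificate cannot be read.
check_ssl_chain() {
    ssl_dir=${1:-/etc/univention/ssl}
    ca="$ssl_dir/ucsCA/CAcert.pem"
    rc=0

    if [ ! -r "$ca" ]; then
        echo "cannot read CA certificate: $ca" >&2
        return 2
    fi

    for cert in "$ssl_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        # Skip alias symlinks such as univention-directory-manager,
        # their target directory is checked on its own.
        if [ -L "${cert%/cert.pem}" ]; then
            continue
        fi
        # -no-CApath (OpenSSL 1.1.0 or later) keeps the system trust
        # directory out of the check, so only the new CA can vouch.
        # Success is exactly "<file>: OK" on stdout.
        out=$(openssl verify -no-CApath -CAfile "$ca" "$cert" 2>/dev/null) || out=
        if [ "$out" = "$cert: OK" ]; then
            echo "OK $cert"
        else
            echo "STALE $cert"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the DC master after the resync has finished:
#   check_ssl_chain /etc/univention/ssl
```

A STALE line means that certificate was not issued by the CA now in ucsCA/CAcert.pem, for example because it has not been regenerated yet.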

 

Copy the new certificates

Each new certificate now has to be copied to the other systems of your domain.
Please see article #1183 - "Renewing the SSL certificates" for detailed instructions.

Tags: UCS 3, UCS 4

Last update: 2015-06-17 16:45
Author: Tim Petersen
Revision: 1.3
