
ID #1350

Troubleshooting: PKI extension (univention-usercert)

General information

UCS comes with a self-signed Certificate Authority to provide TLS encrypted network communication by default, see http://docs.univention.de/manual-4.0.html#domain:ssl

The PKI extension is not part of the default installation, but can be installed manually. It adds the following features to the already present CA:
  • Certificates can be issued for users
  • Certificates can be issued for Windows computers
  • Those certificates (users and Windows) are additionally stored in the LDAP directory
  • This functionality is accessible via the Univention Management Console
The basic installation and usage of the PKI extension is described in the Univention Wiki.
The PKI extension consists of three software packages:
  • univention-ldap-usercert - provides the required LDAP schema extension
  • univention-usercert - enables certificate creation for users
  • univention-windowscert - enables certificate creation for Windows computer objects
The PKI extension adds the following LDAP objectClass:
  • univentionManageCertificates
The PKI extension adds the following LDAP attributes:
univentionCreateRevokeCertificate
  UDM-CLI names (ext. attribute): createRevokeCertificate, createRevokeCertificateWindows
  Possible values:
    • 0: no certificate (changing from 1 to 0 revokes the certificate)
    • 1: certificate (changing from 0 to 1 creates the certificate)
univentionRenewCertificate
  UDM-CLI names (ext. attribute): renewCertificate, renewCertificateWindows
  Possible values:
    • None: default value
    • 0: do not recreate the certificate
    • 1: recreate the certificate
univentionCertificateDays
  UDM-CLI names (ext. attribute): certificateDays, certificateDaysWindows
  Possible values:
    • None: use the UCR variable ssl/usercert/days
    • valid time in days, e.g. 365
The other LDAP and UDM attributes used are already part of the default product, e.g. userCertificate.

Listener

The PKI extension adds the following listener module:
  • /usr/lib/univention-directory-listener/system/manageusercertificate.py
Despite the name, this module handles the automatic creation and revocation of both user and Windows certificates.
For debugging, the listener debug level must be set to at least '3':

ucr set listener/debug/level='3' && /etc/init.d/univention-directory-listener restart

Example output of /var/log/univention/listener.log while adding a certificate to a user:

13.07.15 13:55:05.040  LISTENER    ( INFO    ) : manageusercertificate: handler
13.07.15 13:55:05.044  LISTENER    ( INFO    ) : manageusercertificate: create cert msomerville
13.07.15 13:55:05.045  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name 'msomerville' -cn 'msomerville' -sslbase '/etc/univention/ssl' -ca 'ucsCA'
13.07.15 13:55:05.106  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'msomerville' -cn 'msomerville' -days '365' -email 'ssl@domain.example.org' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/user' -sslbase '/etc/univention/ssl' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'DE' -organization 'PKI FTW' -country 'DE' -locality 'DE'
13.07.15 13:55:05.411  LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished


Example output of /var/log/univention/listener.log while adding a certificate to a Windows computer:

13.07.15 13:55:05.411  LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
13.07.15 13:58:42.045  LISTENER    ( INFO    ) : manageusercertificate: handler
13.07.15 13:58:42.050  LISTENER    ( INFO    ) : manageusercertificate: create cert windows02$
13.07.15 13:58:42.050  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name 'windows02$' -cn 'windows02' -sslbase '/etc/univention/ssl/' -ca 'ucsCA'
13.07.15 13:58:42.110  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'windows02$' -cn 'windows02' -days '730' -email 'ssl@domain.example.org' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/windows-hosts' -sslbase '/etc/univention/ssl/' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'DE' -organization 'PKI FTW' -country 'DE' -locality 'DE'
13.07.15 13:58:42.417  LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
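As an added example (not part of this FAQ or of univention-usercert), the following Python reconstructs from such listener.log entries which object received a certificate, with which -days value and into which -certpath, so lifetimes beyond a site's policy can be spotted after the fact. The sample entries are shortened copies of the excerpts above; the regular expression assumes the line layout shown there.

```python
import re
import shlex

# One listener.log entry per line, shortened from the FAQ's excerpt above
# (constructed sample: the real entries carry more -options).
SAMPLE_LOG = """\
13.07.15 13:55:05.040  LISTENER    ( INFO    ) : manageusercertificate: handler
13.07.15 13:55:05.044  LISTENER    ( INFO    ) : manageusercertificate: create cert msomerville
13.07.15 13:55:05.045  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name 'msomerville' -cn 'msomerville' -sslbase '/etc/univention/ssl' -ca 'ucsCA'
13.07.15 13:55:05.106  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'msomerville' -cn 'msomerville' -days '365' -certpath '/etc/univention/ssl/user' -ca 'ucsCA'
13.07.15 13:55:05.411  LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
13.07.15 13:58:42.050  LISTENER    ( INFO    ) : manageusercertificate: create cert windows02$
13.07.15 13:58:42.110  LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'windows02$' -cn 'windows02' -days '730' -certpath '/etc/univention/ssl/windows-hosts' -ca 'ucsCA'
13.07.15 13:58:42.417  LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
"""

# Only the "run ..." entries matter: they carry the full command the listener executed.
RUN_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+LISTENER\s+\(\s*\w+\s*\)\s*:\s*manageusercertificate: run (?P<cmd>.+)$"
)

def parse_runs(log_text):
    """One dict per logged univention-certificate-user invocation: ts, action, opts."""
    runs = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))  # honours the single quotes in the log line
        opts = {}
        i = 2                                # argv[0] is the script, argv[1] the action
        while i + 1 < len(argv):
            if argv[i].startswith("-"):
                opts[argv[i][1:]] = argv[i + 1]
                i += 2
            else:
                i += 1
        runs.append({"ts": m.group("ts"), "action": argv[1], "opts": opts})
    return runs

def issued_lifetimes(runs):
    """Object name -> requested -days for every 'new' run ('check' runs carry no -days)."""
    return {r["opts"]["name"]: int(r["opts"]["days"]) for r in runs if r["action"] == "new"}

def exceeding(runs, max_days):
    """Objects whose certificate was requested for longer than max_days."""
    return sorted(n for n, d in issued_lifetimes(runs).items() if d > max_days)
```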


Manual creation of certificates

The PKI extension adds the following shell script:
  • /usr/sbin/univention-certificate-user
This is an adaptation of the script "univention-certificate", which is part of the default product. It covers the same use cases as "univention-certificate", but for user certificates. Please note that certificates created manually via this script are not automatically stored in the LDAP directory.

Example: create a new certificate:
root@ucs:~# univention-certificate-user new -name 'windows03$' -cn 'windows03' -days '730' -email 'ssl@domain.example.org' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/windows-hosts' -sslbase '/etc/univention/ssl/' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'PKI FTW' -country 'DE' -locality 'DE'
Example: verify if an existing certificate is valid:
root@ucs:~# univention-certificate-user check -name 'msomerville' -cn 'msomerville'

Verify file permissions

The default file permissions are as follows. Please note that the certificate path and the group can be modified via UCR.

root@ucs:~# ls -la /etc/univention/ssl/user/msomerville/
drwxr-x--- 2 msomerville Domain Admins 4096 Jul 13 13:55 .
drwxr-xr-x 5 root        root          4096 Jul 13 13:52 ..
-rw-r-x--- 1 msomerville Domain Admins 1157 Jul 13 13:55 cert.cer
-rw-r-x--- 1 msomerville Domain Admins 4450 Jul 13 13:55 cert.pem
-rw-r-x--- 1 msomerville Domain Admins 3717 Jul 13 13:55 msomerville.p12
-rw-r-x--- 1 msomerville Domain Admins   10 Jul 13 13:55 msomerville-p12-password.txt
-rw-r-x--- 1 msomerville Domain Admins 3269 Jul 13 13:55 openssl.cnf
-rw-r-x--- 1 msomerville Domain Admins  891 Jul 13 13:55 private.key
-rw-r-x--- 1 msomerville Domain Admins  826 Jul 13 13:55 req.pem

root@ucs:~# ls -la /etc/univention/ssl/windows-hosts/windows02\$/
drwxr-x--- 2 windows02$ Domain Admins 4096 Jul 13 15:13 .
drwxr-xr-x 4 root       root          4096 Jul 13 13:58 ..
-rw-r-x--- 1 windows02$ Domain Admins 1155 Jul 13 15:13 cert.cer
-rw-r-x--- 1 windows02$ Domain Admins 4444 Jul 13 15:13 cert.pem
-rw-r-x--- 1 windows02$ Domain Admins 3268 Jul 13 15:13 openssl.cnf
-rw-r-x--- 1 windows02$ Domain Admins  891 Jul 13 15:13 private.key
-rw-r-x--- 1 windows02$ Domain Admins  822 Jul 13 15:13 req.pem
-rw-r-x--- 1 windows02$ Domain Admins 3717 Jul 13 15:13 windows02$.p12
-rw-r-x--- 1 windows02$ Domain Admins   11 Jul 13 15:13 windows02$-p12-password.txt
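The listings above can be turned into a check. The following Python is an added example (not code from the FAQ or the PKI extension): it audits one certificate directory for the expected set of files, mode 0750 on the directory and every file, and the expected numeric owner and group; the owner and group are passed in because the page notes both the path and the group are configurable via UCR. The audit_user wrapper assumes the default certpath /etc/univention/ssl/user and the group "Domain Admins" shown above.

```python
import grp
import os
import pwd
import stat

# Files the listener creates for a user or host object called NAME, as in the
# ls listings above; the PKCS#12 bundle and its password file carry NAME.
EXPECTED_FILES = ("cert.cer", "cert.pem", "openssl.cnf", "private.key", "req.pem",
                  "{name}.p12", "{name}-p12-password.txt")

def audit_certdir(path, owner_uid, group_gid, mode=0o750):
    """Return a list of findings for one certificate directory; [] means it matches."""
    name = os.path.basename(os.path.normpath(path))   # e.g. "msomerville" or "windows02$"
    present = set(os.listdir(path))
    findings = [f"{p.format(name=name)}: missing"
                for p in EXPECTED_FILES if p.format(name=name) not in present]
    # The directory itself and every file in it share one mode and one owner/group
    # (drwxr-x--- / -rw-r-x---, the object as owner, "Domain Admins" as group above).
    for entry in [path] + [os.path.join(path, f) for f in sorted(present)]:
        st = os.lstat(entry)
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{entry}: mode {actual:04o}, expected {mode:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{entry}: uid {st.st_uid}, expected {owner_uid}")
        if st.st_gid != group_gid:
            findings.append(f"{entry}: gid {st.st_gid}, expected {group_gid}")
    return findings

def audit_user(uid, group="Domain Admins", sslbase="/etc/univention/ssl"):
    """Audit the directory of user UID using the FAQ's default certpath and group."""
    return audit_certdir(os.path.join(sslbase, "user", uid),
                         pwd.getpwnam(uid).pw_uid, grp.getgrnam(group).gr_gid)
```

Run audit_user("msomerville") on a UCS system to reproduce the check for the listing above; any non-empty result points at a file that deviates from the defaults.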

Manually verify certificates

The following openssl commands can be used to have a closer look at the certificates:

User:
openssl x509 -in /etc/univention/ssl/user/<uid>/cert.pem -text -noout
Windows client:
openssl x509 -in /etc/univention/ssl/windows-hosts/<windows-hostname>\$/cert.pem -text -noout

Tags: UCS 4

Last update: 2015-07-14 13:57
Author: Michael Grandjean
Revision: 1.2
