3. Advanced SSL certificate handling
3.1. Managing additional certificates with univention-certificate
Every UCS domain has its own SSL certificate authority. The SSL certificates are created automatically for all UCS systems during the installation (Primary Directory Node) or during the domain join (all other system roles).
The command univention-certificate can be used to manage these certificates, e.g., if it proves necessary to create a certificate for the integration of an external system. The command is executed as root on the Primary Directory Node.
3.1.1. Storage of the certificates
The certificates are stored in the directory /etc/univention/ssl/ on the Primary Directory Node and synchronized to all Backup Directory Node systems. For every certificate, a subdirectory with the name of the certificate is kept in /etc/univention/ssl/, which contains the following files:
req.pem
This file contains the original certificate signing request with which the certificate was created.
openssl.cnf
This file contains the OpenSSL configuration at the time the certificate was created.
cert.pem
This file is the actual certificate.
private.key
This file contains the private key for the certificate. It must stay readable by root only: anyone who can read it can impersonate the system the certificate was issued for.
3.1.2. Displaying the certificates
The following command is used to display a list of all the available, valid certificates:
$ univention-certificate list
An individual SSL certificate can be displayed with the following command:
$ univention-certificate dump -name fullyqualifiedhostname
3.1.3. Checking the validity of a certificate
This command checks whether a certificate is valid or invalid:
$ univention-certificate check -name fullyqualifiedhostname
A certificate may be invalid because it has either been revoked or has expired.
3.1.4. Revoking a certificate
The following command is used to revoke a certificate:
$ univention-certificate revoke -name fullyqualifiedhostname
It is then no longer valid, but remains stored in the file system. Certificates of UMC computer objects do not need to be revoked manually.
3.1.5. Creating a certificate
The following command can be used to create a new certificate:
$ univention-certificate new -name fullyqualifiedhostname
The fully qualified domain name of the computer should be given as the name. By default the certificate is valid for five years. This default can be changed by setting the Univention Configuration Registry Variable ssl/default/days to the desired lifetime in days; the new value applies only to certificates created after the change.
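The following audit script is an added example; it is not part of UCS or of univention-certificate. It assumes only the storage layout from section 3.1.1 (one subdirectory per certificate under /etc/univention/ssl/ containing req.pem, openssl.cnf, cert.pem and private.key) and complements univention-certificate check, which reports only whether a certificate is currently valid: it verifies that every certificate directory is complete, that private.key is not accessible by group or others, and, where openssl is installed, whether cert.pem is about to expire. The function names, the SSL_DIR override and the 30-day warning threshold are this example's own choices, not something UCS provides.

```shell
#!/bin/sh
# Added example, not UCS code: audit a univention-certificate storage tree.
# Assumes the documented layout $SSL_DIR/<name>/{req.pem,openssl.cnf,cert.pem,private.key}.
# SSL_DIR can be overridden in the environment, e.g. to audit a copied tree.
set -u

SSL_DIR="${SSL_DIR:-/etc/univention/ssl}"
EXPECTED_FILES="req.pem openssl.cnf cert.pem private.key"

# audit_cert_dir DIR
# Prints one line per finding. Returns 0 when all four expected files exist and
# private.key carries no group/other permission bits, 1 otherwise.
audit_cert_dir() {
    dir="$1"; rc=0
    for f in $EXPECTED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "$dir: missing $f"
            rc=1
        fi
    done
    if [ -f "$dir/private.key" ]; then
        # GNU stat prints the octal mode without leading zeros, e.g. 600, 644, 4 (mode 0004)
        mode=$(stat -c '%a' "$dir/private.key" 2>/dev/null || true)
        case "$mode" in
            ''|*[!0-7]*)
                echo "$dir: could not read permissions of private.key"
                rc=1 ;;
            0|*00)
                ;;   # only owner bits (or none) set: nobody else can read the key
            *)
                echo "$dir: private.key mode $mode is accessible by group/other"
                rc=1 ;;
        esac
    fi
    return "$rc"
}

# cert_valid_for_days DIR DAYS
# Returns 0 if DIR/cert.pem will still be valid DAYS days from now, 1 if it
# will have expired by then (or cannot be parsed), 2 if openssl is not installed.
cert_valid_for_days() {
    dir="$1"; days="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend "$(( days * 86400 ))" -in "$dir/cert.pem" >/dev/null 2>&1
}

# audit_all [DIR]
# Audits every certificate subdirectory of DIR (default: $SSL_DIR) and warns
# about certificates expiring within 30 days. Returns 1 if anything was flagged.
audit_all() {
    base="${1:-$SSL_DIR}"; all_rc=0
    [ -d "$base" ] || { echo "$base: no such directory"; return 1; }
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # glob did not match: no subdirectories
        d="${d%/}"
        audit_cert_dir "$d" || all_rc=1
        cert_valid_for_days "$d" 30
        case $? in
            1) echo "$d: cert.pem expires within 30 days or cannot be parsed"; all_rc=1 ;;
        esac
    done
    return "$all_rc"
}

# Run the audit when the real tree is present (e.g. as root on the Primary Directory Node).
if [ -d "$SSL_DIR" ]; then
    audit_all "$SSL_DIR"
fi
```

The permission check deliberately flags any group or other bit, not just read: a key that the wrong user can overwrite is as much a problem as one they can copy. The expiry warning relies on openssl's -checkend option and is skipped, not treated as a failure, when openssl is absent.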