3.3. Certificate management

Nubus for UCS always encrypts sensitive data in transit. For example, it uses SSH for signing in to systems and TLS for domain replication and LDAP communication.

Computers must verify each other’s identity before exchanging encrypted data. To do this, each computer has a host certificate that a certification authority (CA) issues and signs.

This section describes the built-in UCS certificate authority, which manages trust within the Nubus for UCS domain. For publicly trusted certificates for web-facing services such as Apache, see Let’s Encrypt.

3.3.1. UCS built-in certificate authority

Nubus for UCS automatically creates its own CA when you install the Primary Directory Node. When a Nubus for UCS system joins the domain, it automatically requests its own host certificate and retrieves the CA’s public certificate. The CA acts as the root CA: it signs its own certificate, and can sign certificates for subordinate CAs.

The UCS CA secures communication within the Nubus for UCS domain, not public-facing web services.

Nubus for UCS generates the CA properties automatically during installation, based on system settings such as the locale. To change these settings after installation, open the Certificate settings module in the Management UI on the Primary Directory Node.

Caution

If you change the root certificate through the Certificate settings module, you must reissue all host certificates. See KB 37 - Renewing the SSL/TLS certificates.

The CA in Nubus for UCS resides on the Primary Directory Node. Every Backup Directory Node stores a copy of the CA. A cron job updates each copy from the Primary Directory Node every 20 minutes.

Important

CA updates transfer only from the Primary Directory Node to the Backup Directory Node, not in the other direction. Always use the CA on the Primary Directory Node.

If you promote a Backup Directory Node to the Primary Directory Node, you can immediately use the CA on the new Primary Directory Node. For more information about the promotion, see Backup to Primary promotion.

See also

Mode: Create a new UCS domain
    for information about the installation of a Primary Directory Node

Mode: Join an existing UCS domain
    for information about a Nubus for UCS system joining a domain.

3.3.2. Certificate validity

The Nubus for UCS root certificate and all host certificates issued from it expire after a set period. To renew the root certificate and all host certificates, see KB 37 - Renewing the SSL/TLS certificates.

Caution

When a certificate expires, services that use TLS-encrypted communication, such as LDAP or domain replication, stop working.

3.3.3. Monitor certificate expiry

Nubus for UCS monitors certificate validity automatically. The Nagios plugin monitors the validity period, and the Management UI shows a warning when the root certificate is about to expire. You can configure the warning period with the UCR variable ssl/validity/warning; the default warning period is 30 days. You must renew the root certificate before it expires.

Each day, a separate cron job on Nubus for UCS systems checks the validity of the host certificate and the root certificate. The cron job stores the expiry dates in the following UCR variables. These values are the number of days since 1970-01-01.

Host certificate:
    ssl/validity/host

Root certificate:
    ssl/validity/root
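The following is an added example, not part of the Univention documentation or the UCS cron job itself: it converts a certificate's notAfter date into the days-since-1970-01-01 encoding described above, reads ssl/validity/* values from a UCR base.conf excerpt, and applies the ssl/validity/warning threshold. It assumes that base.conf stores one `key: value` pair per line and that the cron job keeps only the calendar day of notAfter; the sample values and the fixed "today" are constructed.

```python
from datetime import date, datetime

EPOCH = date(1970, 1, 1)
DEFAULT_WARNING_DAYS = 30  # documented default of ssl/validity/warning


def days_since_epoch(enddate_line: str) -> int:
    # Input looks like the output of `openssl x509 -noout -enddate`:
    #   notAfter=Jan  1 00:00:00 2027 GMT
    # Assumption: only the calendar day is kept, as the UCR values are whole days.
    _, _, stamp = enddate_line.strip().partition("=")
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return (not_after.date() - EPOCH).days


def parse_ucr_validity(base_conf_text: str) -> dict:
    # Assumption: UCR base.conf holds one `key: value` pair per line.
    values = {}
    for line in base_conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("ssl/validity/"):
            values[key.strip()] = int(value.strip())
    return values


def check_expiry(values: dict, today_iso: str) -> dict:
    # Returns {variable: (days_remaining, "ok" | "warning" | "expired")}.
    today_days = (date.fromisoformat(today_iso) - EPOCH).days
    warning_days = values.get("ssl/validity/warning", DEFAULT_WARNING_DAYS)
    report = {}
    for name in ("ssl/validity/root", "ssl/validity/host"):
        remaining = values[name] - today_days
        if remaining < 0:
            status = "expired"
        elif remaining <= warning_days:
            status = "warning"
        else:
            status = "ok"
        report[name] = (remaining, status)
    return report


# Constructed base.conf excerpt: host cert expires 2027-01-02, root cert 2029-12-18.
SAMPLE_BASE_CONF = "ssl/validity/host: 20820\nssl/validity/root: 21900\nssl/validity/warning: 30\n"


def sample_report() -> dict:
    # Constructed "today" so the result is reproducible: 2027-01-01 is day 20819.
    return check_expiry(parse_ucr_validity(SAMPLE_BASE_CONF), "2027-01-01")


if __name__ == "__main__":
    for var, (days, status) in sample_report().items():
        print(f"{var}: {days} days remaining ({status})")
```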

To download the root certificate and the certificate revocation list in the Management UI:

  1. Open the hamburger menu.

  2. For the root certificate select Certificates ‣ Root certificate.

  3. For the revocation list select Certificates ‣ Certificate revocation list.