Problem:
How can a full renewal of the complete SSL chain be achieved?
Solution:
To recreate CAkey.pem and all certificates that depend on it, please do the following:
Backup /etc/univention/ssl:
mv /etc/univention/ssl /etc/univention/ssl_$(date +"%d%m%Y")
Create a new SSL-chain and a new certificate for the DC master:
apt-get install --reinstall univention-ssl
Set the permissions:
chgrp 'DC Backup Hosts' -R /etc/univention/ssl/openssl.cnf /etc/univention/ssl/password /etc/univention/ssl/ucsCA/
chgrp 'DC Slave Hosts' /etc/univention/ssl/ucsCA/CAcert.pem
find /etc/univention/ssl/ucsCA/ -type d -exec chmod g+rwX {} \;
Renew the certificate for the DNS alias univention-directory-manager and recreate the certificates for each machine in your domain:
eval "$(univention-config-registry shell)"
univention-certificate new -name univention-directory-manager.$domainname -days $ssl_default_days
ln -s /etc/univention/ssl/univention-directory-manager.$domainname/ /etc/univention/ssl/univention-directory-manager
/etc/init.d/slapd restart
univention-directory-listener-ctrl resync gencertificate
Copy the new certificates
Now each new certificate has to be copied to the other systems of your domain.
Please use article #1183 - "Renewing the SSL certificates" for detailed documentation.
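A check to run on the DC master after the renewal, as an added example that is not part of this article: it confirms that the new CA really differs from the backed-up one and that every host certificate below /etc/univention/ssl verifies against the new CA. It assumes the UCS layout of one <fqdn>/cert.pem directory per host and the backup directory name produced by the mv command above.

```shell
#!/bin/sh
# Post-renewal check (added example, not from the article):
#  1. the new CA must differ from the backed-up CA (compare fingerprints),
#  2. every host certificate below /etc/univention/ssl must verify against it.
# Assumption: each host has /etc/univention/ssl/<fqdn>/cert.pem (UCS layout).

# SHA-256 fingerprint of a PEM certificate, without the "sha256 Fingerprint=" prefix.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if old and new CA are different certificates, 1 if identical, 2 if unreadable.
ca_was_renewed() {
    old_fp=$(cert_fingerprint "$1") || return 2
    new_fp=$(cert_fingerprint "$2") || return 2
    [ "$old_fp" != "$new_fp" ]
}

# 0 if the leaf certificate chains to the given CA file.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify every <host>/cert.pem below $2 against CA $1; the return value is the
# number of certificates that did NOT verify (0 means all good). Symlinked
# directories such as univention-directory-manager are skipped to avoid duplicates.
check_all_hosts() {
    ca="$1"; base="$2"; bad=0
    for cert in "$base"/*/cert.pem; do
        [ -f "$cert" ] || continue
        [ -L "${cert%/cert.pem}" ] && continue
        if verify_leaf "$ca" "$cert"; then
            echo "OK   $cert"
        else
            echo "FAIL $cert (does not chain to $ca)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use on the DC master: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    SSL_DIR=/etc/univention/ssl
    OLD_CA="${SSL_DIR}_$(date +%d%m%Y)/ucsCA/CAcert.pem"   # backup made by the mv step
    NEW_CA="$SSL_DIR/ucsCA/CAcert.pem"
    ca_was_renewed "$OLD_CA" "$NEW_CA" && echo "CA renewed" || echo "WARNING: CA unchanged or unreadable"
    check_all_hosts "$NEW_CA" "$SSL_DIR"
fi
```

A FAIL line for a host means that machine still carries a certificate issued by the old CA and has not yet received its new one.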