Difference between revisions of "App Certificates"

From Univention Wiki


Revision as of 12:21, 21 June 2018


UCS provides a certificate infrastructure for secure communication protocols (see http://docs.software-univention.de/manual-4.3.html#domain:ssl).

Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3 erratum 91 the Univention App Center provides a simple way to manage certificates inside an App.

This is a new App Center action called update-certificates. It is called automatically during the installation and upgrade of Apps (but can also be executed manually) and gives Apps a simple way to gain access to certificates and to react to changes to them.

When is update-certificates called?

update-certificates is called automatically during the installation and update of an App. It can also be called at any time on the command line with:

# update all apps
-> univention-app update-certificates

# update app "abc"
-> univention-app update-certificates abc

What is being done in update-certificates?

All Apps

  • Every App can define an update_certificates script
  • This script is executed on the UCS system (the docker Host) upon the App Center's update-certificates

Example:

# cat the UCS root CA to the App's root CA chain
cat /etc/univention/ssl/ucsCA/CAcert.pem >> /opt/myapp/ca-bundle.crt
service my-app-daemon restart
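The example above appends CAcert.pem unconditionally, so every install or upgrade that triggers update-certificates adds another copy of the root CA to the bundle and restarts the daemon even when nothing changed. The following idempotent variant is an added example, not Univention's or any App's own code; the paths are the ones from this page, the service name my-app-daemon and the "invoked as update_certificates" guard are assumptions.

```shell
#!/bin/sh
# Added example (not Univention's code): an idempotent update_certificates script
# for a hypothetical App. It appends the UCS root CA only when it is not already
# in the App's bundle and restarts the daemon only when the bundle changed.
set -eu

UCS_CA="${UCS_CA:-/etc/univention/ssl/ucsCA/CAcert.pem}"   # UCS root CA (from the page)
APP_BUNDLE="${APP_BUNDLE:-/opt/myapp/ca-bundle.crt}"       # App's CA chain (from the page)
APP_SERVICE="${APP_SERVICE:-my-app-daemon}"                # hypothetical service name

# Print every certificate body (base64, whitespace removed) in a PEM file, one per line.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ {b=""; in_cert=1; next}
         /-----END CERTIFICATE-----/   {in_cert=0; print b; next}
         in_cert                       {gsub(/[ \t\r]/, ""); b=b $0}' "$1"
}

# Print "invalid" (CA file holds no certificate), "present" (already in the bundle)
# or "appended" (CA was added to the bundle). Always returns 0.
append_ca_if_missing() {
    ca="$1" bundle="$2"
    want=$(pem_bodies "$ca" | head -n 1)
    if [ -z "$want" ]; then echo invalid; return 0; fi
    if [ -f "$bundle" ] && pem_bodies "$bundle" | grep -qxF "$want"; then
        echo present; return 0
    fi
    # Keep PEM blocks separable if the bundle lacks a trailing newline
    if [ -s "$bundle" ] && ! tail -c 1 "$bundle" | read -r last; then
        printf '\n' >> "$bundle"
    fi
    cat "$ca" >> "$bundle"
    echo appended
}

main() {
    case "$(append_ca_if_missing "$UCS_CA" "$APP_BUNDLE")" in
        appended) service "$APP_SERVICE" restart ;;   # reload only when the trust store changed
        present)  : ;;
        invalid)  echo "$UCS_CA contains no certificate" >&2; exit 1 ;;
    esac
}

# Assumption: the App Center runs this file under the name update_certificates;
# under any other name (e.g. when sourced for tests) only the functions are defined.
if [ "${0##*/}" = "update_certificates" ]; then
    main
fi
```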

Docker/Container Apps

  • The UCS root CA certificate is copied to /usr/local/share/ca-certificates/ucs.crt inside the container
  • update-ca-certificates is executed inside the container (if it exists there)
  • The UCS root CA certificate is copied to /etc/univention/ssl/ucsCA/CAcert.pem inside the container
  • The docker host's UCS certificate and private key are copied to /etc/univention/ssl/docker-host-certificate/cert.pem and private.key, and to /etc/univention/ssl/$FQDN_DOCKER_HOST/cert.pem and private.key