Difference between revisions of "App Certificates"
From Univention Wiki
m (Botner moved page Docker Apps/Certificates to App Certificates: naming) |
m |
||
Line 1: | Line 1: | ||
[[Category:App Center Developer Guide]] | [[Category:App Center Developer Guide]] | ||
− | + | ||
+ | Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Staring with UCS 4.3 erratum 91 the Univention App Center provides a simple way to manage certificates inside an App. | ||
+ | |||
+ | The new App Center command is called '''update-certificates''' and should | ||
+ | |||
+ | == When is update-certificates called? == | ||
+ | |||
+ | '''update_certificates''' is automatically called during the installation and update of an App. But it can be called any time on the command line with: | ||
+ | <pre> | ||
+ | # update all apps | ||
+ | -> univention-app update-certificates | ||
+ | |||
+ | # update app "abc" | ||
+ | -> univention-app update-certificates abc | ||
+ | </pre> | ||
+ | |||
+ | == What is being done in update-certificates? == | ||
+ | |||
+ | === All Apps === | ||
+ | |||
+ | Every App can define a '''update_certificates''' script. This script is executed on the UCS system (the docker Host) upon the App Center ''update-certificates''' | ||
+ | |||
+ | === Docker/Container Apps === | ||
+ | |||
+ | Additionally the following steps executed for container Apps: | ||
+ | * The UCS root CA certificate is copied to ''/usr/local/share/ca-certificates/ucs.crt'' inside the container | ||
+ | * ''update-ca-certificates'' is executed inside the container (if existing) | ||
+ | * The UCS root CA certificate is copied to ''/etc/univention/ssl/ucsCA/CAcert.pem'' inside the container | ||
+ | * The docker host UCS certificate is copied to ''/etc/univention/ssl/docker-host-certificate/cert.pem|private.key'' and ''/etc/univention/ssl/$FQDN_DOCKER_HOST/cert.pem|private.key'' |
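Review bot: The added intro sentence "The new App Center command is called '''update-certificates''' and should" stops mid-sentence; finish it or drop "and should". In the "When is update-certificates called?" paragraph the name is written '''update_certificates''' (underscore) although the heading and the commands use update-certificates (hyphen); state explicitly which one is the App Center command and which is the App's script. In the "All Apps" paragraph, ''update-certificates''' opens with two quotes and closes with three, so the markup is unbalanced. Smaller points: "Staring" should be "Starting", and "the following steps executed" is missing "are". Since the last list item copies private.key into two directories inside the container, the page should also say which owner and file mode the key gets there.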
Revision as of 11:51, 21 June 2018
Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3 erratum 91, the Univention App Center provides a simple way to manage certificates inside an App.
The new App Center command is called update-certificates and should
When is update-certificates called?
update_certificates is called automatically during the installation and update of an App. It can also be called at any time on the command line:
<pre>
# update all apps
-> univention-app update-certificates

# update app "abc"
-> univention-app update-certificates abc
</pre>
What is being done in update-certificates?
All Apps
Every App can define an update_certificates script. This script is executed on the UCS system (the Docker host) when the App Center update-certificates command is called.
Docker/Container Apps
Additionally, the following steps are executed for container Apps:
- The UCS root CA certificate is copied to /usr/local/share/ca-certificates/ucs.crt inside the container
- update-ca-certificates is executed inside the container (if it exists)
- The UCS root CA certificate is copied to /etc/univention/ssl/ucsCA/CAcert.pem inside the container
- The docker host UCS certificate is copied to /etc/univention/ssl/docker-host-certificate/cert.pem|private.key and /etc/univention/ssl/$FQDN_DOCKER_HOST/cert.pem|private.key
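A way to verify the result of the container steps above, as an added example that is not part of the wiki page or of the App Center code. The function name check_app_certs and its arguments are hypothetical, and the private-key permission check is an assumption about a sensible policy, since the page does not state file modes.

```shell
#!/bin/sh
# Added example (not App Center code): verify the files that
# update-certificates is described as placing inside a container App.
# check_app_certs ROOT HOST_FQDN
#   ROOT      - container filesystem root ("/" when run inside the container)
#   HOST_FQDN - FQDN of the Docker host ($FQDN_DOCKER_HOST on the page)
# Prints one line per problem and returns the number of problems found.
check_app_certs() {
    root=${1%/}; fqdn=$2; problems=0
    ssl="$root/etc/univention/ssl"
    ca_store="$root/usr/local/share/ca-certificates/ucs.crt"
    ca_ucs="$ssl/ucsCA/CAcert.pem"

    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Every file named in the list must exist and be non-empty.
    for f in "$ca_store" "$ca_ucs" \
             "$ssl/docker-host-certificate/cert.pem" \
             "$ssl/docker-host-certificate/private.key" \
             "$ssl/$fqdn/cert.pem" "$ssl/$fqdn/private.key"; do
        [ -s "$f" ] || fail "missing or empty: $f"
    done

    # Both CA locations are copies of the same UCS root CA certificate.
    cmp -s "$ca_store" "$ca_ucs" || fail "CA copies differ"

    # Both host-certificate directories hold the same certificate and key.
    for name in cert.pem private.key; do
        cmp -s "$ssl/docker-host-certificate/$name" "$ssl/$fqdn/$name" ||
            fail "$name differs between docker-host-certificate and $fqdn"
    done

    # Assumption (not stated on the page): a private key must carry no
    # group or world permission bits (columns 5-10 of the ls mode string).
    for key in "$ssl/docker-host-certificate/private.key" \
               "$ssl/$fqdn/private.key"; do
        [ -e "$key" ] || continue
        mode=$(ls -ld "$key" | cut -c5-10)
        [ "$mode" = "------" ] || fail "private key too permissive: $key"
    done

    return "$problems"
}
```

Inside a container it would be called as check_app_certs / followed by the Docker host's FQDN; a non-zero return value is the number of failed checks.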