Difference between revisions of "App Certificates"

From Univention Wiki

(Link to new documentation)
 
Line 1: Line 1:
[[Category:App Center Developer Guide]]
+
#REDIRECT [[App Center Developer Guide]]
 
 
UCS provides a certificate infrastructure for secure communication protocols (see [http://docs.software-univention.de/manual-4.3.html#domain:ssl]).
 
 
 
Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3-0 errata91, the Univention App Center provides a simple way to manage certificates inside an App.
 
 
 
This is a new App Center action called '''update-certificates'''. It is called automatically during the installation and upgrade of Apps, can also be executed manually, and gives Apps a simple way to gain access to certificates and to react to certificate changes.
 
 
 
== When is update-certificates called? ==
 
 
 
'''update-certificates''' is called automatically during the installation and upgrade of an App. It can also be called at any time on the command line:
 
<pre>
# update all apps
univention-app update-certificates

# update app "my-app"
univention-app update-certificates my-app
</pre>
 
 
 
== What is being done in update-certificates? ==
 
 
 
=== All Apps ===
 
 
 
* Every App can define an '''update_certificates''' script
* This script is executed on the UCS system (the Docker host) whenever the App Center runs ''update-certificates''
 
 
 
'''Example:'''
 
<pre>
#!/bin/bash
# cat the UCS root CA to the App's root CA chain
cat /etc/univention/ssl/ucsCA/CAcert.pem >> /opt/my-app/ca-bundle.crt
service my-app-daemon restart
</pre>
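Because the script runs on every installation, upgrade and manual ''update-certificates'' call, the plain append above adds another copy of the CA each time and never removes a CA that has since been replaced. The following variant is an added example, not part of the original page or of Univention's code: it keeps the UCS root CA in a marked block of the bundle, rewrites only that block, and restarts the daemon only when the bundle changed. The marker strings and the function name ''sync_ucs_ca'' are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Univention code. Marker text and function name are assumptions.
BEGIN_MARK='# BEGIN UCS root CA (managed by update_certificates)'
END_MARK='# END UCS root CA (managed by update_certificates)'

# sync_ucs_ca CA_FILE BUNDLE
# Returns 0 if BUNDLE was changed, 1 if it was already current, 2 on error.
sync_ucs_ca() {
    ca_file=$1
    bundle=$2
    # Refuse a missing or non-PEM CA file so a failed copy never empties the block.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null || return 2
    [ -e "$bundle" ] || touch "$bundle" 2>/dev/null || return 2
    tmp=$(mktemp) || return 2
    # Keep everything outside the managed block; drop the previous copy of the CA.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }' "$bundle" > "$tmp"
    # "awk 1" guarantees a trailing newline before the end marker.
    { echo "$BEGIN_MARK"; awk 1 "$ca_file"; echo "$END_MARK"; } >> "$tmp"
    if cmp -s "$tmp" "$bundle"; then
        rm -f "$tmp"
        return 1
    fi
    # Write through the existing file to keep its owner and mode.
    cat "$tmp" > "$bundle" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 0
}

CA=/etc/univention/ssl/ucsCA/CAcert.pem     # path from the page
BUNDLE=/opt/my-app/ca-bundle.crt            # path from the page's example
if [ -r "$CA" ]; then
    rc=0
    sync_ucs_ca "$CA" "$BUNDLE" || rc=$?
    case $rc in
        0) service my-app-daemon restart ;;  # restart only when trust changed
        1) ;;
        *) echo "update_certificates: could not update $BUNDLE" >&2; exit 1 ;;
    esac
fi
```

Copies of the CA that an earlier plain-append script left outside the markers are not touched and have to be removed from the bundle once by hand.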
 
 
 
=== Docker/Container Apps ===
 
 
 
* The UCS root CA certificate is copied to ''/usr/local/share/ca-certificates/ucs.crt'' inside the container
* ''update-ca-certificates'' is executed inside the container (if it exists there)
* The UCS root CA certificate is copied to ''/etc/univention/ssl/ucsCA/CAcert.pem'' inside the container
* The Docker host UCS certificate is copied to ''/etc/univention/ssl/docker-host-certificate/{cert.pem,private.key}'' and ''/etc/univention/ssl/$FQDN_DOCKER_HOST/{cert.pem,private.key}''
 

Latest revision as of 14:13, 27 August 2018
