App Certificates

UCS provides a certificate infrastructure secure communication protocols (see [1])

Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3-0 errata91 the Univention App Center provides a simple way to manage certificates inside an App.

This is simply a new action called update-certificates in the App Center which is called automatically during the installation and upgrade of Apps (but can also be executed manually) and gives Apps a simple way to gain access to certificates and to react upon changes to certificates.

When is update-certificates called?

update_certificates is automatically called during the installation and upgrade of an App. But it can be called any time on the command line with:

# update all apps
-> univention-app update-certificates

# update app "my-app"
-> univention-app update-certificates my-app

What is being done in update-certificates?

All Apps

• Every App can define a update_certificates script
• This script is executed on the UCS system (the docker Host) upon the App Center's update-certificates

Example:

#!/bin/bash
# cat the UCS root CA to the App's root CA chain
cat /etc/univention/ssl/ucsCA/CAcert.pem >> /opt/my-app/ca-bundle.crt
service my-app-daemon restart

Docker/Container Apps

• The UCS root CA certificate is copied to /usr/local/share/ca-certificates/ucs.crt inside the container
• update-ca-certificates is executed inside the container (if existing)
• The UCS root CA certificate is copied to /etc/univention/ssl/ucsCA/CAcert.pem inside the container
• The docker host UCS certificate is copied to /etc/univention/ssl/docker-host-certificate/{cert.pem,private.key} and /etc/univention/ssl/$FQDN_DOCKER_HOST/{cert.pem,private.key}