App Certificates

From Univention Wiki

Revision as of 08:22, 4 July 2018 by Wiesenthal (talk | contribs)
Jump to: navigation, search

UCS provides a certificate infrastructure secure communication protocols (see [1])

Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3-0 errata91 the Univention App Center provides a simple way to manage certificates inside an App.

This is simply a new action called update-certificates in the App Center which is called automatically during the installation and upgrade of Apps (but can also be executed manually) and gives Apps a simple way to gain access to certificates and to react upon changes to certificates.

When is update-certificates called?

update_certificates is automatically called during the installation and upgrade of an App. But it can be called any time on the command line with:

# update all apps
-> univention-app update-certificates

# update app "my-app"
-> univention-app update-certificates my-app

What is being done in update-certificates?

All Apps

  • Every App can define a update_certificates script
  • This script is executed on the UCS system (the docker Host) upon the App Center's update-certificates


# cat the UCS root CA to the App's root CA chain
cat /etc/univention/ssl/ucsCA/CAcert.pem >> /opt/my-app/ca-bundle.crt
service my-app-daemon restart

Docker/Container Apps

  • The UCS root CA certificate is copied to /usr/local/share/ca-certificates/ucs.crt inside the container
  • update-ca-certificates is executed inside the container (if existing)
  • The UCS root CA certificate is copied to /etc/univention/ssl/ucsCA/CAcert.pem inside the container
  • The docker host UCS certificate is copied to /etc/univention/ssl/docker-host-certificate/{cert.pem,private.key} and /etc/univention/ssl/$FQDN_DOCKER_HOST/{cert.pem,private.key}
Personal tools