Difference between revisions of "Cool Solution - Creation and management of user and Windows certificates"

From Univention Wiki

(Replaced content with "This page has been moved to the Knowledge Base Cool Solutions in the Forum. [https://help.univention.com/t/cool-solution-creation-and-management-of-user-and-windows-certi...")
Tag: Replaced
 
(27 intermediate revisions by 7 users not shown)
{{Cool Solutions Disclaimer|Repository=yes|UCS=4.0}}

This page has been moved to the Knowledge Base Cool Solutions in the Forum: [https://help.univention.com/t/cool-solution-creation-and-management-of-user-and-windows-certificates/ Cool Solution - Creation and management of user and Windows certificates]

Users and Windows computers within the UCS domain can be supplied with a custom certificate through the UMC. The private key and the certificate are stored in the filesystem of the Domaincontroller Master; the certificate (the public part) is additionally imported into LDAP. The certificates can then be used, for example, for authentication, for signing e-mails, or for securing connections to the Windows computer. Because the private key stays on the DC Master's filesystem, the permissions on that directory (see below) are what protect it.

This documentation guides you through the installation of the user and Windows certificate extension on your system and through the creation of individual certificates. Certificates are created as DER and PEM files.

[[Category:EN]]
[[Category:Howtos]]
== Installation ==
 
 
 
The software is designed to operate on the UCS DC Master. To install the packages, first enable the [[:Category:Cool_Solutions_Repository|Cool Solution repository]].
 
 
 
Next, install the package '''univention-ldap-usercert''' on the DC Master; it should also be installed on every additional DC Backup. Use either the UMC module '''Package management''' or the following command:
 
 
 
<pre>
 
univention-install univention-ldap-usercert
 
</pre>
 
 
 
Additionally, install the package '''univention-usercert''' on the DC Master. Optionally, also install '''univention-windowscert''' to create certificates for Windows clients. Again, use either the UMC module '''Package management''' or the command line:
 
 
 
<pre>
 
univention-install univention-usercert univention-windowscert
 
</pre>
 
 
 
During the installation, new UCR variables will be created (see below) and the Univention directory listener daemon will be restarted.
 
 
 
The packages ship join scripts. If these were not run automatically during the installation, check the join status with <code>univention-check-join-status</code> and run any pending scripts with <code>univention-run-join-scripts</code>.
 
 
 
== Managing user certificates ==
 
To create a user certificate, open the '''[Options]''' tab in the user's LDAP object and select '''"Public key infrastructure account"'''.
 
[[File:Enable_user_certificate.png|thumb|Enable "Public key infrastructure account"]]
 
 
 
Save the user object, reopen it, switch to the '''User Certificate''' tab and tick '''"Create/Revoke User Certificate"'''.
 
[[File:Create_user_certificate.png|thumb|Create the user certificate]]
 
 
 
On saving, the certificate is created and stored below the directory given in '''ssl/usercert/certpath''', in a subdirectory named after the user's UID. By default, only the user and the group configured in '''ssl/usercert/admingroup''' have read permission on the files. To let users fetch their certificate remotely, the folder can be exported as a file share; if you do so, make sure the share preserves these filesystem permissions, because the directory holds the private keys and not only the public certificates.
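Before exporting such a directory as a share, it is worth confirming that nothing in it is readable beyond the owner and the admin group, since the private key lives there too. The following added example (written for this page; not code from the Cool Solution or from Univention) audits one certificate directory and fails on any file or directory mode that grants "other" any access or that is group-writable. The directory path and file names it is run on are the caller's, and it assumes the Linux <code>ls -l</code> mode layout.

```sh
#!/bin/sh
# Added example, not part of the Cool Solution: audit a certificate directory
# such as <ssl/usercert/certpath>/<uid> before exporting it as a file share.
# It fails if the directory or any file in it is accessible by "other", or if
# any file is group-writable. UCS does not ship this script.

# mode_other FILE -> the three "other" permission characters of `ls -l` ("---")
mode_other() {
    ls -ld "$1" | cut -c8-10
}

# mode_group FILE -> the three "group" permission characters of `ls -l`
mode_group() {
    ls -ld "$1" | cut -c5-7
}

# audit_cert_dir DIR -> exit 0 if DIR and everything in it stays private to the
# owner and the admin group, 1 otherwise. Findings are printed one per line so
# they can be fixed with chmod.
audit_cert_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    case "$(mode_other "$dir")" in
        ---) ;;
        *) echo "directory accessible by others: $dir"; rc=1 ;;
    esac
    # plain and hidden entries; the unexpanded glob is skipped by the -e test
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        case "$(mode_other "$f")" in
            ---) ;;
            *) echo "accessible by others: $f"; rc=1 ;;
        esac
        case "$(mode_group "$f")" in
            ?w?) echo "group-writable: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: audit_cert_dir /etc/univention/ssl/user/alice && echo "safe to share"
```

Run it as the user who owns the certificate directory or as root; a share that maps files to a different owner or applies its own mask needs to be checked from the client side as well.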
 
 
 
'''Note:''' Optionally, the default validity period of the certificate can be overridden here. If the field is left blank, the default from the UCR variable '''ssl/usercert/days''' is used.
 
 
 
To revoke a certificate, untick '''"Create/Revoke User Certificate"''' and save. The certificate is removed from LDAP, but the files are not deleted from the filesystem, so the key material remains on disk. If the UCS root CA was used to sign the user's certificate, the certificate is added to the Certificate Revocation List in '''/etc/univention/ssl/ucsCA/crl/'''. Relying parties only honour the revocation if they actually fetch and check that CRL; removing the certificate from LDAP does not by itself invalidate a copy that someone still holds.
 
 
 
To renew a certificate, tick '''"Renew User Certificate"''' and save. The old certificate is revoked and a new one is created with the settings of the former certificate.
 
 
 
== Managing Windows computer certificates ==
 
To create a computer certificate, open the '''Certificate''' tab of the computer's LDAP object and tick '''"Create/Revoke Certificate"'''.
 
[[File:Create_computer_certificate.png|thumb|Create the computer certificate]]
 
 
 
To revoke a certificate, untick '''"Create/Revoke Certificate"''' and save. The certificate is removed from LDAP, but the files are not deleted from the filesystem. If the UCS root CA was used to sign the computer's certificate, the certificate is added to the Certificate Revocation List in '''/etc/univention/ssl/ucsCA/crl/'''.
 
 
 
To renew a certificate, tick '''"Renew Certificate"''' and save. The old certificate is revoked and a new one is created with the settings of the former certificate.
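The revoke and renew steps above, for user and for computer certificates alike, only take effect for relying parties that check the CRL. The following added example (not code from the Cool Solution or from Univention) rebuilds that workflow with a throwaway CA driven by plain <code>openssl</code>: issue a certificate, verify it with CRL checking, revoke it and watch the same verification fail, then renew it (revoke plus re-issue with the same subject). The subject mapping (CN from the uid, e-mail from mailPrimaryAddress) follows the default UCR mapping listed below; the <code>[ usr_cert ]</code> extension section is this example's own choice, not the extension set UCS ships, and no path in it corresponds to the real <code>/etc/univention/ssl/ucsCA/</code> directory.

```sh
#!/bin/sh
# Added example, not from the Cool Solution or Univention: a throwaway CA run
# with plain openssl that mimics what the "Create/Revoke" and "Renew" boxes do
# (issue, revoke into a CRL, renew = revoke + re-issue), so the effect on a
# CRL-checked verification can be observed offline. All paths are constructed
# for the demo; the real CA under /etc/univention/ssl/ucsCA/ is not touched.
set -eu

# make_demo_ca DIR -- minimal `openssl ca` database, root cert and empty CRL
make_demo_ca() {
    ca=$1
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"; echo 1000 > "$ca/crlnumber"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demoCA
[ demoCA ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/CAcert.pem
private_key = $ca/CAkey.pem
serial = $ca/serial
crlnumber = $ca/crlnumber
default_md = sha256
default_days = 1825
default_crl_days = 30
policy = policy_user
x509_extensions = usr_cert
[ policy_user ]
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -config "$ca/openssl.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=Demo Root CA" \
        -keyout "$ca/CAkey.pem" -out "$ca/CAcert.pem" >/dev/null 2>&1
    gen_crl "$ca"
}

# gen_crl DIR -- publish a fresh CRL from the CA database
gen_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# issue_cert DIR UID EMAIL -- key, CSR and signed cert for one user; the subject
# follows the default mapping cn=uid, email=mailPrimaryAddress. Prints the path.
issue_cert() {
    ca=$1; uid=$2; mail=$3
    mkdir -p "$ca/user/$uid"
    openssl req -config "$ca/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$uid/emailAddress=$mail" \
        -keyout "$ca/user/$uid/private.key" -out "$ca/user/$uid/req.pem" >/dev/null 2>&1
    openssl ca -config "$ca/openssl.cnf" -batch -notext \
        -in "$ca/user/$uid/req.pem" -out "$ca/user/$uid/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$ca/user/$uid/cert.pem"
}

# revoke_cert DIR CERT REASON -- record the revocation and republish the CRL
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" -crl_reason "$3" >/dev/null 2>&1
    gen_crl "$1"
}

# verify_cert DIR CERT -- chain plus CRL check, as a relying party should do.
# Exit status 0 = valid, non-zero = untrusted or revoked.
verify_cert() {
    openssl verify -CAfile "$1/CAcert.pem" -crl_check -CRLfile "$1/crl.pem" "$2" \
        >/dev/null 2>&1
}

# renew_cert DIR UID EMAIL -- revoke the current cert, then issue a new one with
# the same subject. openssl ca keeps the old one in DIR/newcerts/<serial>.pem.
renew_cert() {
    revoke_cert "$1" "$1/user/$2/cert.pem" superseded
    issue_cert "$1" "$2" "$3"
}

# Stand-alone run of the whole sequence in a temporary directory.
demo() {
    ca=$(mktemp -d)
    make_demo_ca "$ca"
    cert=$(issue_cert "$ca" alice alice@example.com)
    verify_cert "$ca" "$cert" && echo "issued:  valid"
    revoke_cert "$ca" "$cert" cessationOfOperation
    verify_cert "$ca" "$cert" || echo "revoked: rejected by CRL check"
    rm -rf "$ca"
}
demo
```

Against a real UCS the relying-party side is the same <code>openssl verify -crl_check</code> call with the root CA certificate from <code>/etc/univention/ssl/ucsCA/</code> and the CRL file published in <code>/etc/univention/ssl/ucsCA/crl/</code>; without <code>-crl_check</code> (or an equivalent CRL/OCSP check in the consuming application) a revoked certificate still verifies.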
 
 
 
== Convert certificates ==
 
The UMC also accepts uploaded certificates for users and Windows computers. In this case the certificate must be DER encoded before the upload. A PEM encoded certificate can be converted to DER with <code>openssl</code> on the command line:
 
 
 
<pre>openssl x509 -in /path/to/certificate.PEM -out /path/to/certificate.DER -outform DER</pre>
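Since the upload depends on the encoding, it helps to normalise whatever file you have and to confirm that the result is still the same certificate. The following added example (not code from the Cool Solution or from Univention) detects whether the input is PEM or DER, writes a DER copy, and compares the SHA-256 fingerprints of input and output. The file names are the caller's; only <code>openssl</code> is required.

```sh
#!/bin/sh
# Added example, not part of the Cool Solution: normalise a certificate file of
# unknown encoding to the DER form the UMC upload expects, and confirm that the
# written file still carries the same certificate by comparing fingerprints.
# Paths are whatever the caller passes; nothing here is a fixed UCS location.

# cert_fingerprint FILE FORM -> SHA-256 fingerprint (colon-separated hex) of the
# X.509 certificate in FILE read as FORM (PEM or DER); empty if it is not one.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*Fingerprint=//'
}

# cert_to_der IN OUT -> write IN (PEM or DER) as DER to OUT and print the
# fingerprint; fails if IN is neither, or if OUT does not match IN afterwards.
cert_to_der() {
    in=$1; out=$2
    if fp=$(cert_fingerprint "$in" PEM) && [ -n "$fp" ]; then
        form=PEM
    elif fp=$(cert_fingerprint "$in" DER) && [ -n "$fp" ]; then
        form=DER
    else
        echo "not an X.509 certificate: $in" >&2
        return 1
    fi
    openssl x509 -in "$in" -inform "$form" -outform DER -out "$out" 2>/dev/null || return 1
    # re-read what was written: a truncated or mis-encoded file fails here
    if [ "$(cert_fingerprint "$out" DER)" != "$fp" ]; then
        echo "fingerprint mismatch after conversion: $out" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# Usage: cert_to_der /path/to/certificate.PEM /path/to/certificate.DER
```

The printed fingerprint is also what to compare with the certificate shown in the UMC after the upload, so that the right file ended up on the right object.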
 
 
 
== UCR variables and their functionality ==
 
During the installation, several new UCR variables will be created. They are as follows:
 
 
 
{|class="wikitable"
!UCR variable || Default value || Description
|-
!colspan="3" | User certificate
|-
|ssl/usercert/UID/extensionsfile || <empty> || Like ssl/usercert/extensionsfile, but applied only to the user whose UID replaces ''UID'' in the variable name.
|-
|ssl/usercert/admingroup || DC Backup Hosts || Besides the owner of the certificate, this group has read permission on the certificate files.
|-
|ssl/usercert/ca || ucsCA || Directory below ssl/usercert/sslbase that holds the CA used to sign the user certificates.
|-
|ssl/usercert/certldapmapping/cn || uid || LDAP attribute of the user whose value becomes the CN of the certificate subject.
|-
|ssl/usercert/certldapmapping/email || mailPrimaryAddress || LDAP attribute that supplies the e-mail address of the certificate subject.
|-
|ssl/usercert/certldapmapping/locality || l || LDAP attribute that supplies the locality (L) field of the certificate subject.
|-
|ssl/usercert/certldapmapping/organization || o || LDAP attribute that supplies the organization (O) field of the certificate subject.
|-
|ssl/usercert/certldapmapping/organizationalunit || <empty> || LDAP attribute that supplies the organizational unit (OU) field; not mapped by default.
|-
|ssl/usercert/certldapmapping/state || <empty> || LDAP attribute that supplies the state (ST) field; not mapped by default.
|-
|ssl/usercert/certpath || /etc/univention/ssl/user || Directory in which the user certificates are stored, one subdirectory per UID.
|-
|ssl/usercert/days || 1825 || Default validity period in days. Can be overridden in the user's UMC object.
|-
|ssl/usercert/default/country || Defaults to Root CA's country || Value for the country (C) field when it is not taken from LDAP; by default the value of ssl/country.
|-
|ssl/usercert/default/email || Defaults to Root CA's e-mail || Value for the e-mail address when it is not taken from LDAP; by default the value of ssl/email.
|-
|ssl/usercert/default/locality || Defaults to Root CA's location || Value for the locality (L) field when it is not taken from LDAP; by default the value of ssl/locality.
|-
|ssl/usercert/default/organization || Defaults to Root CA's organization || Value for the organization (O) field when it is not taken from LDAP; by default the value of ssl/organization.
|-
|ssl/usercert/default/organizationalunit || Defaults to Root CA's business unit || Value for the organizational unit (OU) field when it is not taken from LDAP; by default the value of ssl/organizationalunit.
|-
|ssl/usercert/default/state || Defaults to Root CA's state || Value for the state (ST) field when it is not taken from LDAP; by default the value of ssl/state.
|-
|ssl/usercert/extensionsfile || <empty> || Custom OpenSSL extensions file that replaces the default extension settings.
|-
|ssl/usercert/ldapimport || yes || If set to yes/true, the certificate (public part) is imported into LDAP.
|-
|ssl/usercert/passwordchars || <empty> || Number of characters of the generated password.
|-
|ssl/usercert/pkcs12/chain || yes || Whether the CA chain is included in the PKCS#12 file.
|-
<!--|ssl/usercert/scripts || no || If set to yes/true, scripts located in /usr/lib/univention-ssl-usercert/ are executed by run-parts upon creation, revocation and renewal of certificates.
|- -->
|ssl/usercert/sslbase || /etc/univention/ssl/ || SSL root directory.
|-
!colspan="3" | Windows certificate
|-
|ssl/windowscert/UID/extensionsfile || <empty> || Like ssl/windowscert/extensionsfile, but applied only to the computer whose name replaces ''UID'' in the variable name.
|-
|ssl/windowscert/admingroup || DC Backup Hosts || Besides the owner of the certificate, this group has read permission on the certificate files.
|-
|ssl/windowscert/ca || ucsCA || CA used to sign the computer certificates.
|-
|ssl/windowscert/certldapmapping/cn || cn || LDAP attribute of the computer whose value becomes the CN of the certificate subject.
|-
|ssl/windowscert/certldapmapping/email || <empty> || LDAP attribute that supplies the e-mail address of the certificate subject; not mapped by default.
|-
|ssl/windowscert/certldapmapping/locality || <empty> || LDAP attribute that supplies the locality (L) field of the computer certificate; not mapped by default.
|-
|ssl/windowscert/certldapmapping/organization || <empty> || LDAP attribute that supplies the organization (O) field of the computer certificate; not mapped by default.
|-
|ssl/windowscert/certldapmapping/organizationalunit || <empty> || LDAP attribute that supplies the organizational unit (OU) field of the computer certificate; not mapped by default.
|-
|ssl/windowscert/certldapmapping/state || <empty> || LDAP attribute that supplies the state (ST) field of the computer certificate; not mapped by default.
|-
|ssl/windowscert/certpath || /etc/univention/ssl/windows-hosts || Directory in which the computer certificates are stored. Only the computer account and the group in '''ssl/windowscert/admingroup''' can access this directory.
|-
|ssl/windowscert/days || 1825 || Default validity period in days. Can be overridden in the computer's UMC object.
|-
|ssl/windowscert/extensionsfile || <empty> || Custom OpenSSL extensions file that replaces the default extension settings.
|-
|ssl/windowscert/ldapimport || yes || If set to yes/true, the certificate (public part) is imported into LDAP automatically.
|-
|ssl/windowscert/passwordchars || <empty> || Number of characters of the generated password.
|-
|ssl/windowscert/pkcs12/chain || yes || Whether the CA chain is included in the PKCS#12 file.
|-
<!-- |ssl/windowscert/scripts || no ||
|- -->
|ssl/windowscert/sslbase || /etc/univention/ssl/ || Base directory where all SSL certificates are stored.
|}
 

Latest revision as of 14:52, 9 April 2019
