Difference between revisions of "Cool Solution - Creation and management of user and Windows certificates"

From Univention Wiki

(fixed installation description, set article as reviewed)
Revision as of 13:33, 19 June 2015


Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.


Users and Windows computers within the UCS domain can be supplied with a custom certificate using the UMC. The private and public part of the certificate will be stored at the respective server, while the public part will be also imported into the LDAP. The certificates can then be used for authentication or signing e-mails, or securing connections to the Windows computer.

This documentation guides you through installing the user certificate extension on your system and creating individual certificates for users. Certificates are created as DER and PEM files.

Installation

The software can only be installed and used on a UCS Master. To install the packages that provide the creation of user certificates, you need to enable the Cool Solution repository.

Next, you must install the package univention-ldap-usercert on the DC Master server and all DC Backup servers using either the UMC module Package management or invoke the following console command:

univention-install univention-ldap-usercert

Additionally you must install the packages univention-usercert and univention-windowscert on the DC Master. Again you can either use the UMC module Package management or the command line:

univention-install univention-usercert univention-windowscert

During the installation, new UCR variables will be created (see below) and the Univention directory listener daemon will be restarted.

If the join scripts were not run automatically during installation, check whether they still need to be executed.

Managing user certificates

To create a user certificate, open the [Options] tab in the user's LDAP object and select "Public key infrastructure account".

Enable "Public key infrastructure account"

Now save and reopen the user object, switch to the User Certificate tab and select "Create/Revoke User Certificate".

Create the user certificate

When saving, the certificate is created and saved in the directory provided in ssl/usercert/certpath in a subdirectory with the user's UID. By default, only the user itself and the group entered in ssl/usercert/admingroup have read permission on the files. It is recommended to create a Samba share of the folder containing the certificates, so users can access them remotely.

Note: Optionally, the standard valid time of the certificate can be overwritten here. If the field is left blank, the standard valid time from the UCR variable ssl/usercert/days will be used.

When a certificate is to be revoked, it is sufficient to untick "Create/Revoke User Certificate"; the certificate files are not deleted. If the UCS root CA was used to sign the user's certificate, an entry is made into /etc/univention/ssl/ucsCA/crl/.

When a certificate needs to be renewed, it is sufficient to tick "Renew User Certificate" and save the changes made. The old certificate will then be revoked and a new one will be created with the settings from the former certificate.

Managing computer certificates

To create a computer certificate, open the Certificate tab in the computer's LDAP object and select "Create/Revoke Certificate".

Create the computer certificate

When a certificate is to be revoked, it is sufficient to untick "Create/Revoke Certificate"; the certificate files are not deleted. If the UCS root CA was used to sign the computer's certificate, an entry is made into /etc/univention/ssl/ucsCA/crl/.

When a certificate needs to be renewed, it is sufficient to tick "Renew Certificate" and save the changes made. The old certificate will then be revoked and a new one will be created with the settings from the former certificate.

UCR variables and their functionality

During the installation, several new UCR variables will be created. They are as follows:

UCR variable                                        | Default value                       | Description
----------------------------------------------------+-------------------------------------+--------------------------------------------------------------------------

User certificate

ssl/usercert/UID/extensionsfile                     | <empty>                             | Apply the custom OpenSSL settings only to the user with this UID.
ssl/usercert/admingroup                             | Domain Admins                       | Besides the owner of the certificate, this group has read permission on the certificate files.
ssl/usercert/ca                                     | ucsCA                               | Folder where the root CA files are stored (located below ssl/usercert/sslbase).
ssl/usercert/certldapmapping/cn                     | uid                                 | LDAP attribute of the user object used as the certificate's CN.
ssl/usercert/certldapmapping/email                  | mailPrimaryAddress                  | LDAP attribute used as the certificate's e-mail address.
ssl/usercert/certldapmapping/locality               | l                                   | LDAP attribute used as the certificate's location.
ssl/usercert/certldapmapping/organization           | o                                   | LDAP attribute used as the certificate's organization.
ssl/usercert/certldapmapping/organizationalunit     | <empty>                             | LDAP attribute used as the certificate's business unit.
ssl/usercert/certldapmapping/state                  | <empty>                             | LDAP attribute used as the certificate's state.
ssl/usercert/certpath                               | /etc/univention/ssl/user            | Default path where the user certificates are saved, in a subdirectory named after the UID.
ssl/usercert/days                                   | 1825                                | Default validity period of a certificate in days. Can be overwritten in the user's UMC object.
ssl/usercert/default/country                        | Defaults to Root CA's country       | No LDAP mapping exists for this field by default; the value from ssl/country is used.
ssl/usercert/default/email                          | Defaults to Root CA's e-mail        | No LDAP mapping exists for this field by default; the value from ssl/email is used.
ssl/usercert/default/locality                       | Defaults to Root CA's location      | No LDAP mapping exists for this field by default; the value from ssl/locality is used.
ssl/usercert/default/organization                   | Defaults to Root CA's organization  | No LDAP mapping exists for this field by default; the value from ssl/organization is used.
ssl/usercert/default/organizationalunit             | Defaults to Root CA's business unit | No LDAP mapping exists for this field by default; the value from ssl/organizationalunit is used.
ssl/usercert/default/state                          | Defaults to Root CA's state         | No LDAP mapping exists for this field by default; the value from ssl/state is used.
ssl/usercert/extensionsfile                         | <empty>                             | Overwrite the default OpenSSL settings with custom settings.
ssl/usercert/ldapimport                             | yes                                 | If set to yes/true, the public certificate is imported into the LDAP.
ssl/usercert/passwordchars                          | <empty>                             | Any number can be entered here to specify the password length.
ssl/usercert/pkcs12/chain                           | yes                                 | Whether the CA chain is included in the PKCS12 file.
ssl/usercert/sslbase                                | /etc/univention/ssl/                | SSL root directory.

Windows certificate

ssl/windowscert/UID/extensionsfile                  | <empty>                             | Apply the custom OpenSSL settings only to the computer with this name.
ssl/windowscert/admingroup                          | Domain Admins                       | Besides the owner of the certificate, this group has read permission on the certificate files.
ssl/windowscert/ca                                  | ucsCA                               | CA used to sign the computer certificate.
ssl/windowscert/certldapmapping/cn                  | cn                                  | LDAP attribute of the computer object used as the certificate's CN.
ssl/windowscert/certldapmapping/email               | <empty>                             | LDAP attribute used as the computer certificate's e-mail address.
ssl/windowscert/certldapmapping/locality            | <empty>                             | LDAP attribute used as the computer certificate's location.
ssl/windowscert/certldapmapping/organization        | <empty>                             | LDAP attribute used as the computer certificate's organization.
ssl/windowscert/certldapmapping/organizationalunit  | <empty>                             | LDAP attribute used as the computer certificate's business unit.
ssl/windowscert/certldapmapping/state               | <empty>                             | LDAP attribute used as the computer certificate's state.
ssl/windowscert/certpath                            | /etc/univention/ssl/windows-hosts   | Path where the certificates are saved. Only the computer account and the group in ssl/windowscert/admingroup can access this directory.
ssl/windowscert/days                                | 1825                                | Default validity period of a certificate in days. Can be overwritten in the computer's UMC object.
ssl/windowscert/extensionsfile                      | <empty>                             | Overwrite the default OpenSSL settings with custom settings.
ssl/windowscert/ldapimport                          | yes                                 | Whether the public certificate is imported into the LDAP automatically.
ssl/windowscert/passwordchars                       | <empty>                             | Any number can be entered here to specify the password length.
ssl/windowscert/pkcs12/chain                        | yes                                 | Whether the CA chain is included in the PKCS12 file.
ssl/windowscert/sslbase                             | /etc/univention/ssl/                | Base directory where all SSL certificates are saved.
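The table above describes a three-level lookup for each subject field (LDAP mapping, then the default/* variable, then the root CA's own ssl/* value) plus per-UID overrides for the extensions file and a UMC override for the validity period. The following Python models that resolution so an administrator can predict the subject a given user or computer object will receive; it is an added illustration, not code from the univention-usercert or univention-windowscert packages, and the function names, the days_override parameter and all sample UCR and LDAP values are constructed.

```python
# Added illustration of the UCR lookup order in the table above; not code from the
# univention-usercert/univention-windowscert packages. Function names, the
# days_override parameter and every sample value below are constructed.
SUBJECT_FIELDS = {  # certificate field -> OpenSSL subject RDN
    "country": "C", "state": "ST", "locality": "L", "organization": "O",
    "organizationalunit": "OU", "cn": "CN", "email": "emailAddress",
}

def resolve_cert_settings(ucr, entry, kind="usercert", days_override=None):
    """Resolve subject, validity (days) and extensions file for one LDAP entry.

    kind is "usercert" or "windowscert". Per field: the LDAP attribute named in
    ssl/<kind>/certldapmapping/<field> if the entry has it, else
    ssl/<kind>/default/<field>, else the root CA's own ssl/<field>.
    """
    subject = {}
    for field, rdn in SUBJECT_FIELDS.items():
        attr = ucr.get(f"ssl/{kind}/certldapmapping/{field}", "")
        value = entry.get(attr) if attr else None
        if not value:
            value = ucr.get(f"ssl/{kind}/default/{field}") or ucr.get(f"ssl/{field}")
        if value:
            subject[rdn] = value
    # Validity: the value entered in the UMC object wins over ssl/<kind>/days.
    days = int(days_override or ucr.get(f"ssl/{kind}/days", 0))
    if days <= 0:
        raise ValueError("no usable validity period configured")
    # Extensions: ssl/<kind>/<UID>/extensionsfile overrides the global one.
    uid = entry["uid"] if kind == "usercert" else entry["cn"]
    extfile = (ucr.get(f"ssl/{kind}/{uid}/extensionsfile")
               or ucr.get(f"ssl/{kind}/extensionsfile") or None)
    return {"subject": subject, "days": days, "extensionsfile": extfile}

def subject_string(subject):
    """Render the subject as an OpenSSL -subj string in the table's field order."""
    return "".join(f"/{r}={subject[r]}" for r in SUBJECT_FIELDS.values() if r in subject)

# Constructed sample: root CA values plus the documented usercert mapping defaults.
SAMPLE_UCR = {
    "ssl/country": "DE", "ssl/state": "Bremen", "ssl/locality": "Bremen",
    "ssl/organization": "Example Corp", "ssl/organizationalunit": "IT",
    "ssl/email": "ca@example.test", "ssl/usercert/days": "1825",
    "ssl/usercert/certldapmapping/cn": "uid",
    "ssl/usercert/certldapmapping/email": "mailPrimaryAddress",
    "ssl/usercert/certldapmapping/locality": "l",
    "ssl/usercert/certldapmapping/organization": "o",
    "ssl/usercert/jdoe/extensionsfile": "/etc/univention/ssl/jdoe-ext.cnf",  # constructed
}
# Constructed user: has an 'l' attribute but no 'o', so O falls back to the CA's value.
SAMPLE_USER = {"uid": "jdoe", "mailPrimaryAddress": "jdoe@example.test", "l": "Hamburg"}
```

Running resolve_cert_settings(SAMPLE_UCR, SAMPLE_USER) shows the mixed result an administrator should expect: L comes from the user's own attribute while O and OU fall back to the root CA's values because the user has no o attribute and no organizationalunit mapping is configured.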