Cool Solution - Creation and management of user and Windows certificates

From Univention Wiki

Revision as of 14:39, 26 February 2015 by Birkefeld (talk | contribs) (fixed little mistake in the order of operations, section Managing user certificates)

UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions repository are built by Univention but are not maintained. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown here.

Please also observe the legal notes in the Terms of Service.

Users within the UCS domain can be supplied with a custom certificate via the UMC. The private and public parts of the certificate are stored on the respective server, and the public part is additionally imported into LDAP. The certificates can then be used for authentication or for signing e-mails.

This documentation guides you through installing the user certificate extension on your system and creating individual certificates for users. Certificates are created as DER and PEM files.


The software can only be installed and used on a UCS Master. To install the packages that provide the creation of user certificates, you need to enable the Cool Solutions repository.

Next, install the package univention-ldap-usercert on the DC Master and on all DC Backups, either via the UMC module Package management or with the following console command:

univention-install univention-ldap-usercert

Additionally, install the package univention-usercert on the server that is to create the certificates. Again, you can use either the UMC module Package management or the command line:

univention-install univention-usercert

During the installation, new UCR variables are created (see below) and the Univention Directory Listener daemon is restarted.

Managing user certificates

To create a user certificate, open the [Options] tab of the user's LDAP object, tick "Public key infrastructure account" and save the user object. Then open the user again, switch to the User Certificate tab and tick "Create/Revoke User Certificate". Upon saving, the certificate is created and stored in the directory set in ssl/usercert/certpath, in a subdirectory named after the user's UID. By default, only the user and the group set in ssl/usercert/admingroup have read permission on the files. It is recommended to create a Samba share of the folder containing the certificates so that users can access them remotely.

Note: Optionally, the default validity period of the certificate can be overridden here. If the field is left blank, the default validity period from the UCR variable ssl/usercert/days is used.

To revoke a certificate, it is sufficient to untick "Create/Revoke User Certificate"; the certificate files are not deleted. If the UCS root CA was used to sign the user's certificate, an entry is added under /etc/univention/ssl/ucsCA/crl/.

To renew a certificate, it is sufficient to tick "Renew User Certificate" and save the changes. The old certificate is then revoked and a new one is created with the settings of the former certificate.

UCR variables and their functionality

During the installation, several new UCR variables are created. They are as follows:

UCR variable | Default value | Description
ssl/usercert/default/country | Root CA's country | No LDAP mapping exists for this variable by default; the value of ssl/country is used.
ssl/usercert/default/email | Root CA's e-mail address | No LDAP mapping exists for this variable by default; the value of ssl/email is used.
ssl/usercert/default/locality | Root CA's location | No LDAP mapping exists for this variable by default; the value of ssl/locality is used.
ssl/usercert/default/organization | Root CA's organization | No LDAP mapping exists for this variable by default; the value of ssl/organization is used.
ssl/usercert/default/organizationalunit | Root CA's business unit | No LDAP mapping exists for this variable by default; the value of ssl/organizationalunit is used.
ssl/usercert/default/state | Root CA's state | No LDAP mapping exists for this variable by default; the value of ssl/state is used.
ssl/usercert/certpath | /etc/univention/ssl/user | Directory in which the user certificates are stored, each in a subdirectory named after the UID.
ssl/usercert/admingroup | Domain Admins | Besides the owner of the certificate, this group has read permission on the certificate files.
ssl/usercert/days | 1825 | Default validity period of a certificate in days. Can be overridden in the user's UMC object.
ssl/usercert/ca | ucsCA | Directory below ssl/usercert/sslbase in which the root CA files are stored.
ssl/usercert/sslbase | /etc/univention/ssl/ | SSL root directory.
ssl/usercert/ldapimport | yes | If set to yes/true, the public certificate is imported into LDAP.
ssl/usercert/scripts | no | If set to yes/true, the scripts in /usr/lib/univention-ssl-usercert/ are executed via run-parts on creation, revocation and renewal of certificates.
ssl/usercert/certldapmapping/cn | uid | LDAP attribute of the user whose value is used as the CN of the user certificate.
ssl/usercert/certldapmapping/email | mailPrimaryAddress | LDAP attribute of the user whose value is used as the e-mail address in the user certificate.
ssl/usercert/certldapmapping/organization | o | LDAP attribute from which the organization is mapped into the user certificate.
ssl/usercert/certldapmapping/locality | l | LDAP attribute from which the locality is mapped into the user certificate.
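The following shell functions are an added example, not part of the article or of the univention-usercert package: they check a created certificate against the expectations stated above (chains to the UCS root CA and is not on its CRL, the DER and PEM copies match, and the files are readable only by the owner and the admin group), resolving the paths from the UCR variables in the table. The file names cert.pem, cert.der, CAcert.pem and crl/crl.pem are assumptions, as is the use of openssl and the ucr command on the server.

```shell
#!/bin/bash
# Added example (not from the Univention article or the univention-usercert
# package): post-creation checks for one user's certificate. Assumed file
# names, not taken from the article: cert.pem, cert.der and private.key in
# the user's subdirectory, CAcert.pem and crl/crl.pem in the CA directory.
# Verify that cert.pem chains to the UCS root CA and, when a CRL file is
# given and exists, that the certificate has not been revoked.
usercert_verify() {
    local certdir="$1" cafile="$2" crlfile="${3:-}"
    if [ -n "$crlfile" ] && [ -f "$crlfile" ]; then
        openssl verify -crl_check -CAfile "$cafile" -CRLfile "$crlfile" \
            "$certdir/cert.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$certdir/cert.pem" >/dev/null 2>&1
    fi
}

# The certificate is written as DER and PEM: check that both files encode
# the same certificate by comparing the SHA-256 digest of the DER form.
usercert_der_matches() {
    local certdir="$1"
    [ "$(openssl x509 -in "$certdir/cert.pem" -outform DER | openssl dgst -sha256)" = \
      "$(openssl dgst -sha256 < "$certdir/cert.der")" ]
}

# Only the owner and ssl/usercert/admingroup should be able to read the
# files: fail, and list offenders on stderr, if any file is world-readable.
usercert_perms_ok() {
    local certdir="$1" bad=0 f
    for f in "$certdir"/*; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 -perm -004)" ]; then
            echo "world-readable: $f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# On a UCS system: resolve the paths from the UCR variables described in
# the article and run all three checks for one UID (e.g. usercert_check_uid alice).
usercert_check_uid() {
    local uid="$1" certdir cadir
    certdir="$(ucr get ssl/usercert/certpath)/$uid"
    cadir="$(ucr get ssl/usercert/sslbase)/$(ucr get ssl/usercert/ca)"
    usercert_verify "$certdir" "$cadir/CAcert.pem" "$cadir/crl/crl.pem" &&
        usercert_der_matches "$certdir" &&
        usercert_perms_ok "$certdir"
}
```

Source the file on the DC Master and call usercert_check_uid with a UID after creating or renewing a certificate; a non-zero exit status means one of the checks failed.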