Cool Solution - Creation and management of user and Windows certificates
From Univention Wiki
Users within the UCS domain can be supplied with an individual certificate through the UMC. Both the private key and the certificate are stored on the server that created them, and the public certificate is additionally imported into the LDAP directory. The certificates can then be used for authentication or for signing e-mails.
This documentation supports you in installing the user certificate extension on your system and in creating individual certificates for users. Each certificate is written as both a DER and a PEM file.
The software can only be installed and used on a UCS Master. To install the packages that provide the creation of user certificates, you first need to enable the Cool Solution repository.
Next, install the package univention-ldap-usercert on the DC Master and on all DC Backups, using either the UMC module Package management or the following console command:
Additionally, install the package univention-usercert on the server that is to create the certificates, again either via the UMC module Package management or on the command line:
During the installation, new UCR variables will be created (see below) and the Univention directory listener daemon will be restarted.
Managing user certificates
To create a user certificate, open the [Options] tab of the user's LDAP object, tick "Public key infrastructure account" and save the user object. Then reopen the user, switch to the User Certificate tab, tick "Create/Revoke User Certificate" and save again. The certificate is created in the directory given by ssl/usercert/certpath, in a subdirectory named after the user's UID. By default, only the user and the members of the group set in ssl/usercert/admingroup have read permission on these files, which include the private key, so that group should be kept small. To let users fetch their certificates remotely, it is recommended to export the folder containing the certificates as a Samba share; the share must preserve these file permissions so that each user only reaches their own subdirectory.
Note: Optionally, the default validity period of the certificate can be overridden here. If the field is left blank, the default validity period from the UCR variable ssl/usercert/days is used.
To revoke a certificate, it is sufficient to untick "Create/Revoke User Certificate" and save; the certificate files are not deleted. If the UCS Root CA signed the user's certificate, a revocation entry is written to /etc/univention/ssl/ucsCA/crl/. Keep in mind that the revoked certificate remains on disk and its signature still verifies against the CA; only a relying party that consults the CRL learns of the revocation.
To renew a certificate, tick "Renew User Certificate" and save the change. The old certificate is revoked and a new one is created with the same settings as the former certificate.
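The procedure above leaves certificate files on disk whose revocation status only the CRL reveals. The following script is an added example, not code from the Univention page or from the univention-usercert packages: it builds a throwaway CA and one user certificate with openssl, revokes the certificate into a CRL, and shows that `openssl verify` keeps accepting the certificate file unless the CRL is consulted. The directory layout mirrors the UCR defaults (ssl/usercert/sslbase plus ssl/usercert/ca for the CA, ssl/usercert/certpath plus the UID for the user), but the file names CAcert.pem, CAkey.pem, cert.pem, cert.der, private.key and crl.pem and the minimal `openssl ca` configuration are assumptions; on a real UCS system substitute the paths of your ucsCA and user directory.

```shell
#!/bin/sh
# Added example, not code from the Univention page or its packages.
# Builds a throwaway CA, issues and revokes a user certificate, and shows how
# `openssl verify` behaves with and without the CRL. All file names below are
# assumptions that mirror the UCR defaults (sslbase/ca and certpath/<uid>).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ssl/ucsCA"            # ssl/usercert/sslbase + ssl/usercert/ca
USERDIR="$WORK/ssl/user/jdoe"   # ssl/usercert/certpath + <uid>
mkdir -p "$CA/crl" "$USERDIR"

# Minimal `openssl ca` configuration (assumed, not the UCS one): only what is
# needed to keep a revocation database and sign a CRL. `dir` is relative, so
# `openssl ca` is always run from inside $CA.
cat > "$CA/ca.cnf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/CAcert.pem
private_key      = $dir/CAkey.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
: > "$CA/index.txt"
echo 1000 > "$CA/crlnumber"

# Constructed test data: a self-signed root CA and one user certificate whose
# subject follows the page's defaults (CN from uid, e-mail from
# mailPrimaryAddress, O taken over from the CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$CA/CAkey.pem" -out "$CA/CAcert.pem" \
    -subj "/C=DE/O=Example Org/CN=Example UCS Root CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$USERDIR/private.key" -out "$USERDIR/req.pem" \
    -subj "/C=DE/O=Example Org/CN=jdoe/emailAddress=jdoe@example.com" 2>/dev/null
openssl x509 -req -sha256 -days 1825 -in "$USERDIR/req.pem" \
    -CA "$CA/CAcert.pem" -CAkey "$CA/CAkey.pem" -CAcreateserial \
    -out "$USERDIR/cert.pem" 2>/dev/null
openssl x509 -in "$USERDIR/cert.pem" -outform DER -out "$USERDIR/cert.der"

# Verify a user certificate against the CA. Prints valid, revoked or invalid.
# The CRL is only consulted when a third argument is given; without it a
# revoked certificate that is still on disk verifies as valid.
verify_user_cert() {
    cert=$1 cafile=$2 crlfile=${3:-}
    if [ -n "$crlfile" ]; then
        set -- -crl_check -CRLfile "$crlfile"
    else
        set --
    fi
    if out=$(openssl verify -CAfile "$cafile" "$@" "$cert" 2>&1); then
        echo valid
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo invalid
    fi
}

# Revoke a certificate and publish a fresh CRL below <ca>/crl/, the location
# the page names for UCS Root CA revocations. Doing both with `openssl ca` is
# an assumption about tooling, not a description of the UCS implementation.
revoke_user_cert() {
    (cd "$CA" &&
        openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1 &&
        openssl ca -config ca.cnf -gencrl -out crl/crl.pem >/dev/null 2>&1)
}

# The PEM and DER copies written for a user must be the same certificate;
# compare fingerprints instead of trusting the file names.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

same_cert "$USERDIR/cert.pem" "$USERDIR/cert.der" && echo "PEM and DER copies match"
echo "before revocation:          $(verify_user_cert "$USERDIR/cert.pem" "$CA/CAcert.pem")"
revoke_user_cert "$USERDIR/cert.pem"
echo "after revocation, with CRL: $(verify_user_cert "$USERDIR/cert.pem" "$CA/CAcert.pem" "$CA/crl/crl.pem")"
echo "after revocation, no CRL:   $(verify_user_cert "$USERDIR/cert.pem" "$CA/CAcert.pem")"
```

The last two lines are the point: after revocation the same file prints revoked only when the CRL is passed, and valid otherwise. A mail client, web server or VPN gateway that trusts the UCS Root CA but never fetches the CRL will therefore keep accepting a revoked user certificate until it expires, so revocation in the UMC is only effective if the CRL is distributed to, and checked by, every relying party.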
UCR variables and their functionality
During the installation, several new UCR variables are created. They are as follows:
| UCR variable | Default value | Description |
|---|---|---|
| ssl/usercert/default/country | unset (falls back to ssl/country, the Root CA's country) | By default no LDAP mapping exists for this field, so the value of ssl/country is used. |
| ssl/usercert/default/email | unset (falls back to ssl/email, the Root CA's e-mail address) | By default no LDAP mapping exists for this field, so the value of ssl/email is used. |
| ssl/usercert/default/locality | unset (falls back to ssl/locality, the Root CA's location) | By default no LDAP mapping exists for this field, so the value of ssl/locality is used. |
| ssl/usercert/default/organization | unset (falls back to ssl/organization, the Root CA's organization) | By default no LDAP mapping exists for this field, so the value of ssl/organization is used. |
| ssl/usercert/default/organizationalunit | unset (falls back to ssl/organizationalunit, the Root CA's organizational unit) | By default no LDAP mapping exists for this field, so the value of ssl/organizationalunit is used. |
| ssl/usercert/default/state | unset (falls back to ssl/state, the Root CA's state) | By default no LDAP mapping exists for this field, so the value of ssl/state is used. |
| ssl/usercert/certpath | /etc/univention/ssl/user | Directory in which the user certificates are saved, each in a subdirectory named after the user's UID. |
| ssl/usercert/admingroup | Domain Admins | Besides the owner of the certificate, members of this group have read permission on the certificate files, including the private key. Keep this group small. |
| ssl/usercert/days | 1825 | Default validity period of a certificate in days. Can be overridden in the user's UMC object. |
| ssl/usercert/ca | ucsCA | Directory (below ssl/usercert/sslbase) that holds the Root CA files. |
| ssl/usercert/sslbase | /etc/univention/ssl/ | SSL root directory. |
| ssl/usercert/ldapimport | yes | If set to yes/true, the public certificate is imported into the LDAP directory. |
| ssl/usercert/scripts | no | If set to yes/true, the scripts located in /usr/lib/univention-ssl-usercert/ are executed via run-parts on every creation, revocation and renewal of a certificate. Only place trusted scripts there and keep the directory writable by privileged accounts only, since anything in it runs automatically. |
| ssl/usercert/certldapmapping/cn | uid | LDAP attribute of the user whose value becomes the CN of the certificate subject. |
| ssl/usercert/certldapmapping/email | mailPrimaryAddress | LDAP attribute of the user whose value becomes the e-mail address in the certificate. |
| ssl/usercert/certldapmapping/organization | o | LDAP attribute of the user whose value becomes the organization (O) of the certificate subject. |
| ssl/usercert/certldapmapping/locality | l | LDAP attribute of the user whose value becomes the locality (L) of the certificate subject. |