Univention Bugzilla – Bug 45435
No longer keep /etc/univention/ssl/$HOST certificates on Master/Backups
Last modified: 2022-04-25 14:58:17 CEST
Currently the SSL certificate is generated on the Master when a new host joins the domain. A "backup" is kept in /etc/univention/ssl/, which contains all *private* keys of *all* hosts. This is a (needless) security risk. - the host should create its key itself and keep it for himself - the host creates a CSR and send that to the Master - the Master creates a certificate and sends that back to the host - the host stores the certificate next to its key - the host must also keep the certificate of the CA to verify other certificates No other hosts needs to fetch a certificate directly from the Master/Backups, as the certificate is presented by the host itself when a SSL/TLS channel is created. It's signed by the same CA. If ever the host is compromised or needs a re-join, its easier to revoke the old certificate and create a new one on the Master. This has the benefit, that the validity duration gets reset and any other changes to default hash algorithms are also picked up automatically.