Bug 45435 - No longer keep /etc/univention/ssl/$HOST certificates on Master/Backups
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
UCS 5.0
Other Linux
P5 normal with 6 votes
Assigned To: UCS maintainers
Depends on: 54687
Blocks:
Reported: 2017-09-22 10:34 CEST by Philipp Hahn
Modified: 2022-04-25 14:58 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change, Security
Max CVSS v3 score:


Description Philipp Hahn univentionstaff 2017-09-22 10:34:34 CEST
Currently the SSL certificate is generated on the Master when a new host joins the domain. A "backup" is kept in /etc/univention/ssl/, which contains all *private* keys of *all* hosts. This is a (needless) security risk.

- the host should create its key itself and keep it for itself
- the host creates a CSR and sends that to the Master
- the Master creates a certificate and sends that back to the host
- the host stores the certificate next to its key
- the host must also keep the certificate of the CA to verify other certificates

No other host needs to fetch a certificate directly from the Master/Backups, as the certificate is presented by the host itself when an SSL/TLS channel is created. It's signed by the same CA.

If ever the host is compromised or needs a re-join, it's easier to revoke the old certificate and create a new one on the Master. This has the benefit that the validity duration gets reset and any other changes to default hash algorithms are also picked up automatically.
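The five-step flow proposed in the report, as an added example that is not part of the bug report or of UCS: a POSIX shell script using openssl that simulates the host and the Master as two directories under one working directory, moves only the CSR in one direction and only the certificate plus CA certificate in the other, and finishes by checking that the Master's directory holds no host private key. The directory layout, the CA subject, the hostname, the key size and the validity periods are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not UCS code: the CSR-based issuance flow proposed in the bug,
# with the "host" and the "master" simulated as two directories under one
# working directory. Assumes: openssl is installed; the directory names, the
# CA subject, the host name, key size and validity periods are constructed.
set -eu

# csr_flow WORKDIR HOSTNAME: runs the whole flow and prints "ok" on success.
csr_flow() {
    work="$1"
    host="$2"
    hostdir="$work/host"
    masterdir="$work/master"
    mkdir -p "$hostdir" "$masterdir"

    # Master side, one-time: a self-signed CA. Only the CA key lives here.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Domain CA" \
        -keyout "$masterdir/ca.key" -out "$masterdir/ca.crt" 2>/dev/null

    # Host side: the private key is generated locally and never leaves hostdir.
    # The CSR carries only the public key and the subject.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$hostdir/private.key" -out "$hostdir/$host.csr" 2>/dev/null

    # Transfer 1: host -> master, the CSR only.
    cp "$hostdir/$host.csr" "$masterdir/$host.csr"

    # Master side: sign the CSR with the CA key; the result is a certificate.
    openssl x509 -req -in "$masterdir/$host.csr" -days 825 -sha256 \
        -CA "$masterdir/ca.crt" -CAkey "$masterdir/ca.key" -CAcreateserial \
        -out "$masterdir/$host.crt" 2>/dev/null

    # Transfer 2: master -> host, the signed certificate plus the CA certificate,
    # stored next to the key (the host needs the CA cert to verify peers).
    cp "$masterdir/$host.crt" "$hostdir/cert.pem"
    cp "$masterdir/ca.crt" "$hostdir/CAcert.pem"

    # Host side checks: the certificate chains to the CA ...
    openssl verify -CAfile "$hostdir/CAcert.pem" "$hostdir/cert.pem" >/dev/null
    # ... and its public key matches the locally generated private key.
    certpub=$(openssl x509 -in "$hostdir/cert.pem" -pubkey -noout)
    keypub=$(openssl pkey -in "$hostdir/private.key" -pubout)
    if [ "$certpub" != "$keypub" ]; then
        echo "certificate does not match the host key" >&2
        return 1
    fi

    # The property the bug asks for: nothing under the master's directory
    # except the CA's own key contains private key material.
    for f in "$masterdir"/*; do
        case "$f" in
            */ca.key) continue ;;
        esac
        if grep -q "PRIVATE KEY" "$f"; then
            echo "host private key found on master: $f" >&2
            return 1
        fi
    done
    echo ok
}

# Constructed demo run in a throw-away directory.
demo_dir=$(mktemp -d)
csr_flow "$demo_dir" "host1.example.test"
rm -rf "$demo_dir"
```

Run it as `sh csr_flow.sh`; it prints `ok` and exits non-zero if the chain does not verify, the certificate does not match the key, or any file besides `ca.key` on the simulated Master contains key material. A CSR for a real host would also carry a subjectAltName; note that `openssl x509 -req` does not copy extensions from the CSR unless told to (OpenSSL 3 has `-copy_extensions copy`), so a production signing step would use a CA configuration rather than the bare invocation shown here.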