Bug 22085 - Support for Certificate Signing Requests
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 enhancement with 4 votes
Target Milestone: UCS 4.1-4-errata
Assigned To: Felix Botner
QA Contact: Philipp Hahn
Duplicates: 28487
Reported: 2011-04-04 11:01 CEST by Jan Christoph Ebersbach
Modified: 2017-02-15 14:57 CET
What kind of report is it?: Feature Request
Description Jan Christoph Ebersbach univentionstaff 2011-04-04 11:01:57 CEST
univention-certificate should be extended so that it can also create new certificates from a Certificate Signing Request (CSR). This is needed to better integrate external devices, such as server management modules, and also user certificates into the certificate infrastructure.

The newly generated certificate should be stored under /etc/univention/ssl as before.

At the moment the following command has to be run manually to generate a CA-signed certificate from a CSR. The administrator has to take care of storing it in the right place himself:

openssl ca -days 730 -config /etc/univention/ssl/openssl.cnf -in req.pem -out cert.pem -passin pass:"$(cat /etc/univention/ssl/password)"
Comment 1 Jan Christoph Ebersbach univentionstaff 2012-01-18 10:50:41 CET
The bug still exists in UCS 3.0.
Comment 2 Stephan Hendl 2013-09-20 12:32:59 CEST
The bug still exists in UCS 3.1.
Comment 3 Janis Meybohm univentionstaff 2014-09-18 10:39:31 CEST
*** Bug 28487 has been marked as a duplicate of this bug. ***
Comment 4 Felix Botner univentionstaff 2017-01-31 17:01:20 CET
Added univention-certificate sign to sign a csr.
svn diff -r r74971:r76250
 * sign requires the -request (csr file) parameter
 * CN is extracted from the csr file
 * gencert is re-used to sign the request (added switch in gencert to either
   create a request or to use a given request file, alternatively we could
   add a new signreq function to make-certificates.sh?) 

Added test tests/test_sign_req and enabled test during build.

Merged to 4.2-0.
Comment 5 Philipp Hahn univentionstaff 2017-02-08 15:59:33 CET
OK: ucs-4.2-0@76256
OK: ucs-4.1-4@76243 YAML
OK: ucs-4.1-4@76244 univention-ssl/
OK: ucs-4.1-4@76246 univention-ssl/debian/
OK: ucs-4.1-4@76247 univention-ssl/debian/
OK: ucs-4.1-4@76248 YAML
OK: ucs-4.1-4@76250 univention-ssl/tests/
OK: ucs-4.1-4@76251 YAML

OK: errata-announce -V --only univention-ssl.yaml
FIXED: univention-ssl.yaml "it's called 'certificate signing request', as it is the request to sign a _certificate_, not the _request_ itself."

 openssl genrsa -rand /dev/urandom -out key.pem 2048
 eval "$(ucr shell '^ssl/[^/]+$')"
 openssl req -new -key key.pem -subj "$SUB" -out req.pem
 univention-certificate sign -request "$PWD/req.pem"
 cmp req.pem /etc/univention/ssl/test22085/req.pem
 openssl x509 -noout -subject -in /etc/univention/ssl/test22085/cert.pem | grep -F "$SUB"

FIXED: Please note that you must specify an absolute path, as "univention-ssl" does a "cd $SSLBASE" very early, so relative paths do not work.
FIXED: quoting inside getcn() is wrong if the file name contains a blank

r76549 | Bug #22085 SSL: Fix sign command

Package: univention-ssl
Version: 11.0.0-3A~
Branch: ucs_4.2-0

r76550 | Bug #22085 SSL: Fix sign command

Package: univention-ssl
Version: 10.0.0-23.180.201702081547
Branch: ucs_4.1-0
Scope: errata4.1-4

r76551 | Bug #22085 SSL: Fix sign command YAML
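
A pre-check that could be run before `univention-certificate sign -request …`, covering the pitfalls raised in comments 4 and 5 (absolute path, blanks in the file name, CN taken from the request). This is an added example, not part of the bug report or of univention-ssl; the function names are hypothetical, and limiting the CN to hostname characters is an assumption based on the CN naming the directory under /etc/univention/ssl.

```shell
# Added example, not univention-ssl code; all function names are hypothetical.

# The tool changes directory early, so only an absolute path still refers
# to the same request file afterwards.
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Pull the commonName out of "openssl req -noout -subject -nameopt multiline"
# output, where every attribute sits on its own "name = value" line.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/^ *commonName *= *//p'
}

# Assumption: the CN names the directory below /etc/univention/ssl, so accept
# hostname characters only (no slash, blank, newline, empty or leading dot).
is_safe_cn() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the CN on success; non-zero status means "do not sign this file".
csr_precheck() {
    req=$1
    is_abs_path "$req" || { echo "need an absolute path: $req" >&2; return 2; }
    # -verify checks the request's self-signature; match the printed result
    # instead of relying on the exit status alone.
    openssl req -in "$req" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "not a valid CSR: $req" >&2; return 3; }
    cn=$(cn_from_subject "$(openssl req -in "$req" -noout -subject \
        -nameopt multiline 2>/dev/null)")
    is_safe_cn "$cn" || { echo "refusing CN from request: $cn" >&2; return 4; }
    printf '%s\n' "$cn"
}

# Usage (every expansion quoted, so a blank in the file name is harmless):
#   cn=$(csr_precheck "$PWD/req.pem") &&
#       univention-certificate sign -request "$PWD/req.pem"
```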
Comment 6 Janek Walkenhorst univentionstaff 2017-02-15 14:57:38 CET