Univention Bugzilla – Bug 42285
Create PKCS12 file with host certificate and private key (.pfx, .p12)
Last modified: 2019-11-11 11:41:18 CET
The listener module gencertificate.py in univention-ssl generates an SSL certificate for each host object defined by the objectclasses specified in the UCR variable "ssl/host/objectclass". By default, ssl/host/objectclass is set to "univentionDomainController,univentionMemberServer,univentionClient,univentionMobileClient,univentionCorporateClient". Customers are able to add additional objectclasses like "univentionWindows" to also create host certificates for Windows systems. For Windows the PKCS12 file format is easier to import. So something like openssl pkcs12 -export -in "$name/cert.pem" -inkey "$name/private.key" -out "$name/cert.p12" -clcerts -passout pass:"" should be executed to convert the PEM cert into a PKCS12 cert. Maybe by adding a postrun command.
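The conversion sketched above, as an added example that is not part of the bug report, of univention-ssl or of any Univention package: a shell function that bundles a host's cert.pem and private.key into cert.p12. Compared with the one-liner in the report it reads the export passphrase from a file instead of passing an empty string on the command line, creates the bundle owner-readable only, fails loudly when an input is missing, and verifies that the bundle opens with the passphrase. The directory layout ($name/cert.pem, $name/private.key) is taken from the report; the passphrase file location and the make_test_host helper, which creates a throwaway self-signed certificate as constructed input, are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from univention-ssl. Requires the openssl CLI.
set -eu

# make_p12 DIR PASSFILE
#   Bundles DIR/cert.pem and DIR/private.key into DIR/cert.p12.
#   The export passphrase is the first line of PASSFILE (assumed layout),
#   so it never appears in the process list or in shell history.
make_p12() {
    dir="$1"
    passfile="$2"
    # Refuse to continue on missing inputs instead of masking errors with "|| true".
    [ -f "$dir/cert.pem" ]    || { echo "missing $dir/cert.pem" >&2; return 1; }
    [ -f "$dir/private.key" ] || { echo "missing $dir/private.key" >&2; return 1; }
    [ -s "$passfile" ]        || { echo "empty passphrase file $passfile" >&2; return 1; }
    # The .p12 carries the private key: create it owner-only from the start.
    umask 077
    openssl pkcs12 -export \
        -in "$dir/cert.pem" -inkey "$dir/private.key" \
        -out "$dir/cert.p12" -clcerts \
        -passout "file:$passfile"
    # Verify the bundle can actually be opened with that passphrase.
    openssl pkcs12 -in "$dir/cert.p12" -noout -passin "file:$passfile" >/dev/null
    echo "$dir/cert.p12"
}

# make_test_host DIR
#   Helper for trying the function out: writes a constructed, self-signed
#   key/cert pair into DIR using the same file names gencertificate.py uses.
make_test_host() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$(basename "$dir")" \
        -keyout "$dir/private.key" -out "$dir/cert.pem" 2>/dev/null
}
```

Usage from a shell: put the passphrase in a file with mode 600, run `make_test_host /tmp/host1` to get sample input, then `make_p12 /tmp/host1 /path/to/passfile`. The function prints the path of the created bundle on success and exits non-zero otherwise, so a calling script (or a listener postrun hook) can tell the two apart.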
There is the user-cert extension, which already does that: univention-00000-intern.cool-solution/univention-usercert/manageusercertificate.py
customer input: (Ticket#2016090621000351) --- /usr/share/univention-ssl/make-certificates.sh.orig 2016-09-06 12:03:32.295784735 +0200 +++ /usr/share/univention-ssl/make-certificates.sh 2016-09-06 11:11:35.333833060 +0200 @@ -427,6 +427,7 @@ openssl ca -batch -config "${SSLBASE}/openssl.cnf" -days $days -in "$name/req.pem" \ -out "$name/cert.pem" -passin pass:"$PASSWD" fi + openssl pkcs12 -export -in "$name/cert.pem" -inkey "$name/private.key" -out "$name/cert.p12" -clcerts -passout pass:"" || true # move the new certificate to its place move_cert "${SSLBASE}/${CA}/newcerts/"* Every user gets a p12 cert without passphrase - creating new computers creates new cert, while deleting them deletes the certs. Cert-Renew creates a new P12-cert. Addendum: if the listener modules remember which objects they can ignore at future transactions (based on ldap-filters) a resync of the module is necessary for it to work properly.
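Review bot: the added openssl line in the hunk exports the bundle with an empty passphrase (`-passout pass:""`) and masks any failure with `|| true`, so a host ends up with its private key in an unprotected cert.p12 and a failed export goes unnoticed in the listener run. Suggest taking the passphrase from a variable or file the way the `openssl ca` call two lines above already does with `-passin pass:"$PASSWD"`, dropping `|| true` so the error reaches the caller, and making sure the new cert.p12 is created with the same restrictive mode as private.key before move_cert runs.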
(In reply to Philipp Hahn from comment #1)
> There is the user-cert extension, which already does that:
> univention-00000-intern.cool-solution/univention-usercert/manageusercertificate.py

Only for users or also for Windows hosts?

(In reply to Jens Thorp-Hansen from comment #2)
> Addendum: if the listener modules remember which objects they can ignore at
> future transactions (based on ldap-filters) a resync of the module is
> necessary for it to work properly.

To be more precise: the listener remembers exactly which objects have been "created" by which listener module. If the LDAP filter for gencertificate.py is changed, "delete" events are only processed by the listener module if the object has already been previously processed by the listener module (i.e. the "add" event has been processed).
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Still valid and requested issue.
The PKCS12 file is also required when creating a Java Key Store (JKS).