Bug 42285 - Create PKCS12 file with host certificate and private key (.pfx, .p12)
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.4
Other Linux
P5 enhancement
Depends on:
Blocks:
Reported: 2016-09-06 13:01 CEST by Sönke Schwardt-Krummrich
Modified: 2019-11-11 11:41 CET (History)
5 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2016-09-06 13:01:56 CEST
The listener module gencertificate.py in univention-ssl generates an SSL certificate for each host object whose object class is listed in the UCR variable "ssl/host/objectclass".

By default, ssl/host/objectclass is set to "univentionDomainController,univentionMemberServer,univentionClient,univentionMobileClient,univentionCorporateClient".

Customers are able to add additional object classes like "univentionWindows" to create host certificates for Windows systems as well. For Windows the PKCS12 file format is easier to import.

So something like

openssl pkcs12 -export -in "$name/cert.pem" -inkey "$name/private.key" \
    -out "$name/cert.p12" -clcerts -passout pass:""

should be executed to convert the PEM certificate and key into a PKCS12 file.

Maybe by adding a postrun command.
Comment 1 Philipp Hahn univentionstaff 2016-09-06 13:49:56 CEST
There is the user-cert extension, which already does that: univention-00000-intern.cool-solution/univention-usercert/manageusercertificate.py
Comment 2 Jens Thorp-Hansen univentionstaff 2016-09-12 13:34:24 CEST
customer input: (Ticket#2016090621000351)

--- /usr/share/univention-ssl/make-certificates.sh.orig 2016-09-06 12:03:32.295784735 +0200
+++ /usr/share/univention-ssl/make-certificates.sh      2016-09-06 11:11:35.333833060 +0200
@@ -427,6 +427,7 @@
                openssl ca -batch -config "${SSLBASE}/openssl.cnf" -days $days -in "$name/req.pem" \
                        -out "$name/cert.pem" -passin pass:"$PASSWD"
        fi
+       openssl pkcs12 -export -in "$name/cert.pem" -inkey "$name/private.key" -out "$name/cert.p12" -clcerts -passout pass:"" || true
 
        # move the new certificate to its place
        move_cert "${SSLBASE}/${CA}/newcerts/"*
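Review bot: the added `openssl pkcs12 -export ... -passout pass:"" || true` line writes the host's private key into `$name/cert.p12` with an empty passphrase, and the trailing `|| true` hides a failed export from the caller. If the empty passphrase is intended for the Windows import, the bundle should at least get the same restrictive permissions as `$name/private.key` (run the export under `umask 077` or `chmod 0600 "$name/cert.p12"` right after it) and a failure should be logged rather than discarded.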

Every user gets a p12 cert without passphrase. Creating new computers creates a new cert, while deleting them deletes the certs. Cert renew creates a new P12 cert.

Addendum: if the listener modules remember which objects they can ignore at future transactions (based on ldap-filters) a resync of the module is necessary for it to work properly.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2016-09-13 11:43:17 CEST
(In reply to Philipp Hahn from comment #1)
> There is the user-cert extension, which already does that:
> univention-00000-intern.cool-solution/univention-usercert/
> manageusercertificate.py

Only for users or also for windows hosts?

(In reply to Jens Thorp-Hansen from comment #2)
> Addendum: if the listener modules remember which objects they can ignore at
> future transactions (based on ldap-filters) a resync of the module is
> necessary for it to work properly.

To be more precise:
The listener exactly remembers which objects have been "created" by which listener module. If the LDAP filter for gencertificate.py is changed, "delete" events are only processed by the listener module if the object has already been previously processed by the listener module (i.e. the "add" event has been processed).
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:23:48 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on the 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2019-01-09 10:25:45 CET
Still valid and requested issue.
Comment 6 Philipp Hahn univentionstaff 2019-11-11 11:20:52 CET
The PKCS12 file is also required when creating a Java Key Store (JKS).
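Added example (not code from univention-ssl, the reporter or the customer patch): it reproduces the PEM to PKCS12 conversion from the description on a throwaway self-signed host certificate, checks that the bundle opens and that the key inside matches the certificate inside, keeps the file 0600 because it carries the private key, and finishes with the JKS import mentioned in comment 6. The directory layout `$name/private.key`, `$name/cert.pem`, `$name/cert.p12` mirrors make-certificates.sh; the self-signed certificate stands in for the CA-signed one UCS would produce; the function names `make_host_p12`, `verify_p12` and `p12_to_jks` and the host names `win-host1`/`win-host2` are this example's own.

```shell
#!/bin/sh
# Added example, not part of univention-ssl. Requires openssl; keytool is optional.
set -eu

WORK=$(mktemp -d)                      # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# make_host_p12 NAME PASSPHRASE
# Writes $WORK/NAME/private.key, cert.pem and cert.p12 (same layout as
# make-certificates.sh). The certificate is self-signed here; in UCS it would
# be signed by the domain CA.
make_host_p12() {
    name=$1; pass=$2
    (
        umask 077   # cert.p12 contains the private key, so it must be 0600 too
        mkdir -p "$WORK/$name"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name" \
            -keyout "$WORK/$name/private.key" -out "$WORK/$name/cert.pem" 2>/dev/null
        # The command from the bug description; pass:"" gives an unprotected bundle.
        openssl pkcs12 -export \
            -in "$WORK/$name/cert.pem" -inkey "$WORK/$name/private.key" \
            -out "$WORK/$name/cert.p12" -clcerts -passout "pass:$pass"
    )
}

# verify_p12 FILE PASSPHRASE
# Succeeds only if the container opens with PASSPHRASE and the private key
# inside it belongs to the certificate inside it (compared via public key).
verify_p12() {
    file=$1; pass=$2
    certpub=$(openssl pkcs12 -in "$file" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
              | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkcs12 -in "$file" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
             | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# p12_to_jks FILE PASSPHRASE OUT
# keytool only imports private keys through a PKCS12 source store (comment 6).
# JKS store passwords must be at least six characters. Skipped without a JDK.
p12_to_jks() {
    file=$1; pass=$2; out=$3
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS" >&2; return 0; }
    keytool -importkeystore -noprompt \
        -srckeystore "$file" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" 2>/dev/null
}

# Demonstration: the passphrase-less bundle from the report, and a protected one.
make_host_p12 win-host1 ""
make_host_p12 win-host2 "changeit"
verify_p12 "$WORK/win-host1/cert.p12" ""         && echo "win-host1: p12 ok (no passphrase)"
verify_p12 "$WORK/win-host2/cert.p12" "changeit" && echo "win-host2: p12 ok"
# A wrong passphrase must be rejected; this is the check a postrun hook should keep.
verify_p12 "$WORK/win-host2/cert.p12" "wrong"    || echo "win-host2: wrong passphrase rejected"
ls -l "$WORK/win-host2/cert.p12"                 # mode must be -rw-------
p12_to_jks "$WORK/win-host2/cert.p12" "changeit" "$WORK/win-host2/cert.jks"
```

The read-back in `verify_p12` is the part the customer's one-liner lacks: `|| true` on the export means a broken or empty cert.p12 would go unnoticed, whereas comparing the public key of the bundled certificate with that of the bundled private key catches a mismatched `-in`/`-inkey` pair, a truncated file or a wrong passphrase before the file is handed to a Windows host or fed to keytool.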