User feedback. User needs nameConstraints and CRLDistribution points with UCS Root CA. --- make-certificates.sh.backup 2019-03-14 16:24:40.448253015 +0100 +++ make-certificates.sh 2019-03-14 16:28:53.281701333 +0100 @@ -49,6 +49,11 @@ : "${DEFAULT_BITS:=2048}" export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS +CRL_DISTRIBUTION_POINTS="$(/usr/sbin/univention-config-registry get ssl/crl/distribution_points)" +if [ -z "$CRL_DISTRIBUTION_POINTS" ]; then + CRL_DISTRIBUTION_POINTS="URI:http://ssl.interne.domain/ucsCA.crl" +fi + if test -e "$SSLBASE/password"; then PASSWD="$(cat "$SSLBASE/password")" else @@ -182,7 +187,7 @@ [ req_attributes ] challengePassword = A challenge password -unstructuredName = Univention GmbH +unstructuredName = Discovergy GmbH [ ${CA}_ext ] @@ -194,6 +199,15 @@ # issuerAltName = issuer:copy # nsCertType = sslCA, emailCA, objCA # nsComment = signed by Univention Corporate Server Root CA +nameConstraints = @name_constraints +crlDistributionPoints = @crl_info + +[crl_info] +URI.0 = $CRL_DISTRIBUTION_POINTS + +[name_constraints] +permitted;DNS.0=<interne.domain> +permitted;DNS.1=<externe.domain> [ v3_req ]
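Review bot: In the first hunk (@@ -49,6 +49,11 @@), the fallback for an unset ssl/crl/distribution_points is a hard-coded, site-specific URL (http://ssl.interne.domain/ucsCA.crl), so any installation without the variable would issue certificates that point at a CRL host which may not exist there. Suggest leaving CRL_DISTRIBUTION_POINTS empty in that case and writing the crlDistributionPoints line only when the variable is set. The default also carries a "URI:" prefix while the third hunk writes the value as "URI.0 = $CRL_DISTRIBUTION_POINTS", which yields "URI.0 = URI:http://..."; keep the prefix in one place only. The variable name is plural, but only URI.0 is ever filled, so either split the value into several entries or document that a single URL is expected.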
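Review bot: In the second hunk (@@ -182,7 +187,7 @@), the unstructuredName change from "Univention GmbH" to "Discovergy GmbH" is a local customization and is unrelated to nameConstraints or CRL distribution points. Drop it from this patch, or take the value from configuration instead of replacing one hard-coded company name with another.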
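Review bot: In the third hunk (@@ -194,6 +199,15 @@), the [name_constraints] entries are literal placeholders including the angle brackets (permitted;DNS.0=<interne.domain>), so the script as patched would write those strings into the generated configuration. The permitted domains need to come from configuration, and the nameConstraints line should be skipped when none are set. RFC 5280 requires conforming CAs to mark nameConstraints critical, so consider "nameConstraints = critical, @name_constraints". Because the lines are added under [ ${CA}_ext ], the patch should also state whether an already existing root CA certificate is expected to pick them up or whether they apply only to a newly generated CA.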
CRL-DP is Bug #34285
This issue has been filed against UCS 4.4. UCS 4.4 is out of general maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.