Bug 44960

Summary: Certificates for UCS-servers should also include alternative domains
Product: UCS
Reporter: Nico Stöckigt <stoeckigt>
Component: SSL
Assignee: UCS maintainers <ucs-maintainers>
Status: RESOLVED DUPLICATE
QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal
Priority: P5
CC: hahn
Version: UCS 4.2
Target Milestone: ---
Hardware: Other
OS: Linux
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017070721000574
Bug group (optional):
Max CVSS v3 score:

Description Nico Stöckigt univentionstaff 2017-07-07 21:36:16 CEST
In some environments the server 'master.domain.local' is also available from outside 'webmail.domain.outside' or 'umc.domain.outside'. For such purposes it might be very handy if you can create certificates with additional CNames by using:

  univention-certificate new $(hostname -f) --additional-cnames="umc.domain.outside webmail.domain.outside"

I guess with UCS 4.2 this is more important than ever before, because SSO needs a specific certificate structure.
Comment 2 Philipp Hahn univentionstaff 2017-07-18 10:47:33 CEST
(In reply to Nico Stöckigt from comment #0)
> In some environments the server 'master.domain.local' is also available from
> outside 'webmail.domain.outside' or 'umc.domain.outside'.

The UCS certificate is only valid internally (as you can expect the world to import the self-generated UCS root certificate).
As such you can install a second certificate for public facing services:

># ucr search ssl/certificate
>apache2/ssl/certificate: <empty>
> The absolute path to the SSL certificate file for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/FQDN/cert.pem).
>
>apache2/ssl/certificatechain: <empty>
> The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs.
>
>mail/postfix/ssl/certificate: <empty>
> The full path name of the SSL certificate that is used by Postfix to establish SSL connections. If the variable is unset, the host certificate is used.

If you need SAN you can always create your own 'request' file or use `UCRV ssl/host/extensions`

*** This bug has been marked as a duplicate of bug 44469 ***
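The "create your own request file" route mentioned in the comment above, as an added shell example that is not part of the bug report and is not the `univention-certificate` tool or any UCS code. It writes an OpenSSL request file whose subjectAltName carries the internal FQDN plus the public-facing aliases, signs it with a throwaway CA standing in for the UCS root CA, and then checks which names the result is valid for and what happens when the verifier's trust store does not contain that CA (the situation a browser outside the domain is in). It assumes `openssl` is in PATH; all host and CA names are made up for illustration.

```shell
#!/bin/sh
# Added example, not UCS code: SAN certificate from a hand-written request
# file, plus hostname and trust-store checks. All names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <CN>: throwaway CA standing in for the UCS root CA
# (or, in the second call below, for a public CA the UCS CA is not part of).
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_san_cert <ca-prefix> <fqdn> "<alt names>": request file with a SAN
# extension, signed by the named CA; writes $WORK/host.pem
make_san_cert() {
  ca=$1; fqdn=$2; alts=$3
  # The primary name goes into the SAN as well: once a SAN is present,
  # clients ignore the CN entirely, so a CN-only name would stop matching.
  san="DNS:$fqdn"
  for n in $alts; do san="$san,DNS:$n"; done
  cat > "$WORK/host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
[ext]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
  openssl req -new -config "$WORK/host.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  # Sign the CSR. Without -extfile/-extensions, "x509 -req" drops the
  # extensions requested in the CSR and the SAN would silently vanish.
  openssl x509 -req -days 825 -in "$WORK/host.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/host.cnf" -extensions ext -out "$WORK/host.pem" >/dev/null 2>&1
}

# cert_valid_for <ca-prefix> <name>: 0 only if host.pem chains to that CA
# AND the name matches the certificate (hostname check as a client does it)
cert_valid_for() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/host.pem" >/dev/null 2>&1
}

# list_sans: the DNS names carried in the SAN extension, as OpenSSL prints them
list_sans() {
  openssl x509 -in "$WORK/host.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

make_ca ucsca  "Example UCS Root CA"
make_ca public "Example Public CA"
make_san_cert ucsca master.domain.local "umc.domain.outside webmail.domain.outside"
echo "SAN: $(list_sans)"
for name in master.domain.local webmail.domain.outside other.domain.outside; do
  if cert_valid_for ucsca "$name"; then echo "UCS CA trusted, $name: ok"
  else echo "UCS CA trusted, $name: rejected"; fi
done
# Same certificate checked by a client whose trust store lacks the UCS CA:
if cert_valid_for public webmail.domain.outside; then echo "public trust only: ok"
else echo "public trust only: rejected"; fi
```

The last check is the practical reason behind the comment above: a SAN on a UCS-CA-issued certificate fixes the name mismatch for internal clients, but a browser that never imported that CA still rejects it, so the public-facing names need a certificate from a CA those clients already trust, installed via the `apache2/ssl/certificate` and `mail/postfix/ssl/certificate` variables quoted above.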