Bug 44960 - Certificates for UCS-servers should also include alternative domains
Status: RESOLVED DUPLICATE of bug 44469
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.2
OS: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2017-07-07 21:36 CEST by Nico Stöckigt
Modified: 2017-07-18 10:47 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017070721000574
Bug group (optional):
Max CVSS v3 score:
Description Nico Stöckigt univentionstaff 2017-07-07 21:36:16 CEST
In some environments the server 'master.domain.local' is also available from outside 'webmail.domain.outside' or 'umc.domain.outside'. For such purposes it might be very handy if you can create certificates with additional CNames by using:

  univention-certificate new $(hostname -f) --additional-cnames="umc.domain.outside webmail.domain.outside"

I guess with UCS 4.2 this is more important than ever before, because SSO needs a specific certificate structure.
Comment 2 Philipp Hahn univentionstaff 2017-07-18 10:47:33 CEST
(In reply to Nico Stöckigt from comment #0)
> In some environments the server 'master.domain.local' is also available from
> outside 'webmail.domain.outside' or 'umc.domain.outside'.

The UCS certificate is only valid internally (as you can expect the world to import the self-generated UCS root certificate).
As such you can install a second certificate for public facing services:

># ucr search ssl/certificate
>apache2/ssl/certificate: <empty>
> The absolute path to the SSL certificate file for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/FQDN/cert.pem).
>
>apache2/ssl/certificatechain: <empty>
> The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs.
>
>mail/postfix/ssl/certificate: <empty>
> The full path name of the SSL certificate that is used by Postfix to establish SSL connections. If the variable is unset, the host certificate is used.

If you need SAN you can always create your own 'request' file or use `UCRV ssl/host/extensions`

*** This bug has been marked as a duplicate of bug 44469 ***
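The "request file" route mentioned in the comment above, as an added example that is not part of the bug report or of Univention's tooling: it writes an OpenSSL `req` configuration whose `subjectAltName` section lists the internal name plus the extra public names from the report, generates a key and CSR from it, and reads the SAN entries back out of the CSR so the operator can confirm the names before handing the request to the CA. The function names, the output paths and the host names are assumptions and placeholders; the UCR variable `ssl/host/extensions` is not touched.

```shell
#!/bin/sh
# Added example (not Univention code): build an OpenSSL request file that
# carries subjectAltName entries and generate a CSR from it.
# Host names are placeholders taken from the report; paths are assumptions.
set -eu

# write_san_config CONFIG_PATH CN SAN...
# Writes an openssl req config that puts the CN and every extra name into
# the CSR's subjectAltName extension.
write_san_config() {
    conf=$1; cn=$2; shift 2
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\nreq_extensions = v3_req\n'
        printf '[ req_dn ]\nCN = %s\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n'
        printf '[ alt_names ]\n'
        i=1
        # The CN itself should also appear as a SAN; clients ignore the CN
        # once a SAN extension is present.
        printf 'DNS.%d = %s\n' "$i" "$cn"
        for name in "$@"; do
            i=$((i + 1))
            printf 'DNS.%d = %s\n' "$i" "$name"
        done
    } > "$conf"
}

# make_san_csr OUTDIR CN SAN...
# Generates a fresh RSA key and a CSR carrying the SAN extension in OUTDIR
# and prints the CSR path.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    write_san_config "$outdir/req.cnf" "$cn" "$@"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/req.pem" \
        -config "$outdir/req.cnf" 2>/dev/null
    printf '%s\n' "$outdir/req.pem"
}

# csr_sans CSR_PATH
# Prints the DNS names found in the CSR's subjectAltName, one per line,
# so the request can be checked before it is submitted to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/^DNS://'
}
```

Usage: `make_san_csr /tmp/csr master.domain.local umc.domain.outside webmail.domain.outside` writes `key.pem`, `req.cnf` and `req.pem` into the directory, and `csr_sans /tmp/csr/req.pem` lists the three names. The key stays on the host; only `req.pem` goes to the CA, and the certificate that comes back can then be referenced from `apache2/ssl/certificate` or `mail/postfix/ssl/certificate` as described in the comment above.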