Page history: en:services:it_security:pki:start, revisions 2021/04/20 11:43 and 2022/11/23 16:11 by thinder (last edited section: "Detailed description of e-mail encryption with X.509 certificates").
====== PKI ======
===== Public Key Infrastructure =====


Below you will find instructions on how to request certificates with popular web browsers, as well as instructions for using these certificates. The certification instructions cover e-mail (S/MIME) certificates; requesting other types of certificates works largely the same way. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?

===== Application for personal email certificate =====

Request your personal email certificate using a web browser.

==== Select a Registration Authority (RA) ====

<WRAP left round box 22%>
| **[[en:
</WRAP>
<WRAP left round box 22%>
| **[[en:
</WRAP>
<WRAP left round box 22%>
| **[[en:
</WRAP>




===== The new way =====
==== Apply for a certificate ====

<WRAP center round tip 60%>
Personal identification in times of the Corona pandemic can now be carried out with the [[en:
</WRAP>

Proceed as follows, as described in [[https://

{{:

There are now two larger buttons. To apply, click the "Apply for a new user certificate"

{{:

Enter the required data for the user certificate and click on the "

{{:

A summary of the information is displayed. If everything is correct, click on the "Save request file" button.

{{:

A password for the application file must be entered and confirmed by clicking on "

{{:

The application file is stored in the download directory of the web browser used. Keep this file: it is needed again to pick up the certificate.

Take the signed application to the responsible RA operator at your institute.

For personal identification,

After personal identification and verification of the certificate application,

You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.

==== Certificate pick up ====

Open the URL from the e-mail (click it, or copy and paste it into the address bar) in the same browser that was used to request the certificate, then click "Pick up a requested certificate"

{{:

To select the application file, click Browse and choose the application file belonging to the certificate to be picked up. Browsers store this file in the user's **Downloads** folder.

{{:

{{:

The information from the application file is displayed. If everything is correct, click "

{{:

If you try to pick up the certificate before the confirmation e-mail has arrived, the following error message is shown.

{{:

If the pickup worked, the data of the certificate being picked up is shown in an overview. Clicking "Save Certificate File" starts the final step of the pickup.

{{:

To protect the certificate file about to be saved, a certificate password must now be entered; this password is required again when the file is imported into an e-mail client. Clicking OK completes the process.

{{:

At the end of the pickup, a page with important information that should be observed is displayed.

{{:


===== The old way =====
<WRAP center round important 60%>
Microsoft Internet Explorer is no longer supported for certificate applications as of **__March 1, 2021__**!

Please use the description for [[en:
</WRAP>



===== Detailed description of e-mail encryption with X.509 certificates =====
For the further steps and detailed instructions on how to install and use the certificate in the various e-mail clients, please read the following documents.

<WRAP center round info 100%>
- [[https://
- [[https://
- [[https://
- [[https://
- [[https://
- [[https://
- [[https://
- [[https://

<WRAP center round important 60%>
(currently only in German)
</WRAP>

</WRAP>
===== Apply for server certificate =====

Call OpenSSL with the following parameters.

==== Unix/OS X ====
Simple Bash script...
<code bash createcsr.sh>
  * Download the createcsr.sh script.
  * Change the flags with <code bash>
  * Run the script as follows: <code bash>

==== Windows ====
Simple PowerShell script...
<code powershell createcsr.ps1>
Simple Batch script...
<code powershell createcsr.bat>

After that, proceed with the [[#
===== Apply for server certificate with OpenSSL.cnf =====

Call OpenSSL with the following parameters.

==== Unix/OS X ====
Simple Bash script...
<code bash createcsr.sh>
  * Download the createcsr.sh script.
  * Change the flags with <code bash>
  * Run the script as follows: <code bash>

==== Windows ====
Simple PowerShell script...
<code powershell createcsr.ps1>
Simple Batch script...
<code powershell createcsr.bat>

After that, proceed with the [[#
===== Sample files for OpenSSL.cnf =====


==== MPG ====
Please replace the word **example** with the server name and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid one.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = Niedersachsen

localityName
localityName_default

organizationName
organizationName_default

# Look up the name of the RA subordinate to your CA at
# https://
# and replace the value PKI with it
organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute)
organizationalUnitName_default = PKI

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.mpg.de
DNS.2 = example-san-2.mpg.de
</code>
==== Uni Göttingen ====
Please replace the word **example** with the server name and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid one.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = Niedersachsen

localityName
localityName_default

organizationName
organizationName_default

# Remove the comment character from the next two lines. The name of the RA subordinate to the CA
# can be found at https://
#
#

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.uni-goettingen.de
DNS.2 = example-san-2.uni-goettingen.de
</code>
==== GWDG ====
Please replace the word **example** with the server name and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid one.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = NIEDERSACHSEN

localityName
localityName_default

organizationName
organizationName_default

# Remove the comment character from the next two lines. The name of the RA subordinate to the CA
# can be found at https://
#
#

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.gwdg.de
DNS.2 = example-san-2.gwdg.de
</code>
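The following script is an added example and not one of the GWDG `createcsr` scripts or the `example.cnf` files above. It writes a non-interactive config in the same layout (`[ req ]`, `[ server_distinguished_name ]`, `[ server_req_extensions ]`, `[ alternate_names ]`), generates a key and a CSR with it, and then runs the three checks worth doing before a CSR is handed to the RA: the CSR signature verifies, the public key in the CSR is the one in the key file, and the SAN list contains exactly the intended names. The host names, the organisation and the location values are constructed placeholders; the DN layout is assumed to follow the samples above (`C=DE`, `ST=Niedersachsen`, `OU` set to the RA name). One caveat the samples do not spell out: browsers match the server name against the `subjectAltName` entries only, so the `commonName` must also be listed in `[ alternate_names ]`, which the script does automatically.

```shell
#!/bin/sh
# Added example, not one of the GWDG scripts referenced above: build a server
# key and a CSR with subjectAltName entries from an OpenSSL config written in
# the layout of the example.cnf files, then run the checks worth doing before
# the CSR is submitted. Host names, organisation and location values are
# constructed placeholders, not values from the page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077   # key material is created 0600

# Write a non-interactive config: prompt = no makes OpenSSL read the DN
# fields directly instead of using the *_default prompt values.
write_csr_config() {
    host="$1"; shift
    cfg="$WORKDIR/$host.cnf"
    {
        printf '[ req ]\n'
        printf 'default_bits = 3072\n'
        printf 'prompt = no\n'
        printf 'string_mask = utf8only\n'
        printf 'distinguished_name = server_distinguished_name\n'
        printf 'req_extensions = server_req_extensions\n\n'
        printf '[ server_distinguished_name ]\n'
        printf 'C = DE\n'
        printf 'ST = Niedersachsen\n'
        printf 'L = Goettingen\n'
        printf 'O = Example Organisation\n'
        printf 'OU = PKI\n'
        printf 'CN = %s\n\n' "$host"
        printf '[ server_req_extensions ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alternate_names\n\n'
        printf '[ alternate_names ]\n'
        # The CN must also appear here: clients match the SAN, not the CN.
        i=1
        for san in "$host" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$cfg"
    printf '%s\n' "$cfg"
}

# Generate the key (unencrypted, so the server can load it) and the CSR.
create_csr() {
    host="$1"; shift
    cfg=$(write_csr_config "$host" "$@")
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORKDIR/$host.key" 2>/dev/null
    openssl req -new -config "$cfg" -key "$WORKDIR/$host.key" \
        -out "$WORKDIR/$host.csr"
    printf '%s\n' "$WORKDIR/$host.csr"
}

# Pre-submission check 1: the CSR's self-signature verifies.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Pre-submission check 2: the public key in the CSR is the one in our key file.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pre-submission check 3: list the DNS names actually requested in the SAN.
csr_san_list() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

CSR=$(create_csr www.example.org example.org)
csr_verify "$CSR"
key_matches_csr "$WORKDIR/www.example.org.key" "$CSR"
echo "CSR written to $CSR with SANs:"
csr_san_list "$CSR"
```

Run it as `sh createcsr-example.sh`; the key and the CSR are left in `$WORKDIR` (a fresh `mktemp -d` unless you set `WORKDIR`). Only the `.csr` file leaves the host; the `.key` file stays where the service will read it.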
+ | |||
===== Important OpenSSL commands =====
A collection of important OpenSSL commands for server certificates.

==== Password removal from private key ====
<code bash>

==== Creating a PKCS #12 file from private key and certificate ====
<code bash>

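The following script is an added example covering both commands above; it is not the page's own command listing. It strips the passphrase from a server key, bundles key and certificate into a PKCS #12 file, and then verifies the bundle: the MAC must check out with the chosen password, and the key and certificate inside must belong together. Because no CA-issued certificate is available offline, a self-signed certificate with a constructed name stands in for it; the passwords are constructed placeholders too. Two points a practitioner should know: a key without a passphrase is protected by file permissions alone, so it belongs only on the host that serves it, and OpenSSL 3.x writes PKCS #12 files with AES-256 and PBKDF2/SHA-256 by default, which very old importers cannot read (add `-legacy` to `openssl pkcs12 -export` for those).

```shell
#!/bin/sh
# Added example, not the page's own commands: strip the passphrase from a
# server private key and bundle key + certificate into a PKCS#12 file, then
# verify the bundle. A self-signed certificate stands in for the CA-issued
# one; names and passwords are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077   # every file below is created 0600

# Test input: a passphrase-protected key and a matching self-signed cert.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 30 \
        -subj '/C=DE/O=Example Organisation/CN=www.example.org' \
        -addext 'subjectAltName=DNS:www.example.org' \
        -passout "pass:$1" -keyout "$WORKDIR/server.key.enc" \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# PEM keys carry "ENCRYPTED" in the armor header when a passphrase is set.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Password removal. `openssl pkey` handles RSA and EC keys alike (the classic
# `openssl rsa -in ... -out ...` works only for RSA). The unencrypted key is
# protected by file permissions alone, so keep it on the serving host only.
strip_key_password() {
    openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# PKCS#12 bundle. Add `-certfile chain.pem` to include the intermediate CA
# certificates that the CA sent along with the server certificate.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
        -passout "pass:$4" -out "$5"
}

# Bundle check: the MAC verifies with the given password, and the key and
# certificate inside belong together (same public key).
pkcs12_check() {
    bundle="$1"; pw="$2"
    # -noout parses the file and verifies the MAC without writing anything.
    openssl pkcs12 -in "$bundle" -passin "pass:$pw" -noout 2>/dev/null || return 1
    cert_pub=$(openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nokeys 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_test_material 'key-pass'
strip_key_password "$WORKDIR/server.key.enc" 'key-pass' "$WORKDIR/server.key"
make_pkcs12 "$WORKDIR/server.key" "$WORKDIR/server.crt" 'www.example.org' \
    'p12-pass' "$WORKDIR/server.p12"
pkcs12_check "$WORKDIR/server.p12" 'p12-pass'
echo "bundle OK: $WORKDIR/server.p12"
```

With a real CA-issued certificate, replace `make_test_material` by the key and certificate you already have, keep the `-passin`/`-passout` values out of shell history (use `-passin stdin` or `env:` instead of `pass:` on shared systems), and run `pkcs12_check` once more after copying the bundle to its destination.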
===== Detailed description of the possible uses of X.509 certificates =====

<WRAP center round info 100%>
==== DFN-PKI ====
- [[https://
- [[https://
- [[https://
==== GÉANT TCS PKI ====
- [[https://


<WRAP center round important 60%>
(currently only in German)
</WRAP>

</WRAP>