Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
en:services:it_security:pki:start [2023/11/09 15:56] – [... from the GÉANT TCS PKI] thinderen:services:it_security:pki:start [2025/01/27 11:37] (current) – [... from the GÉANT TCS PKI] Service provider change. thinder
Line 1: Line 1:
 +====== PKI ======
 +
 +===== Public Key Infrastructure =====
 +
 +
 +Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?subject=Question(s) about certificate(s)&body=Ladies and gentlemen,%0A%0AI have the following question(s) about certificate(s):%0A%0A|support@gwdg.de]] or use the GWDG [[https://gwdg.de/en/support|support form]].
 +
 +===== Application for personal email certificate... =====
 +In the future, you will receive new certificates via the GÉANT TCS. For information on specific application procedures, please contact your local participant service of your institution.
 +For user certificates for signing and/or optional encryption of e-mails, the application method is the [[#geant_tcs_pki|GÉANT TCS PKI]] in most cases the right way. In cooperation with your local participant service employee of your institution or RA, you create a user certificate.
 +Further information can also be found in the information provided under "[[#detailed_description_of_e-mail_encryption_with_x509_certificates|Detailed description of email encryption with X.509 certificates]]" GWDG news articles available to you.
 +
 +
 +
 +
 +==== ... from the GÉANT TCS PKI ====
 +To apply for an e-mail certificate from the GÉANT TCS PKI, which is anchored in the client of the DFN of the GÉANT TCS PKI, please click on the PDF instructions below.
 +<WRAP center round todo 80%>
 +<wrap em>Attention!</wrap> A service provider change is currently taking place.  For this reason, there is currently no instruction manual. This will be available soon.
 +</WRAP>
 +If you have any questions, please send an e-mail to [[support@gwdg.de?subject=Question about my personal email certificate&body=Ladies and gentlemen,%0A%0AI have the following question(s) about certificate(s): %0A%0A|support@gwdg.de]] or use the GWDG [[https://gwdg.de/en/support|support form]].
 +
 +===== Detailed description of e-mail encryption with X.509 certificates =====
 +For further steps and detailed instructions on how to install and use the certificate (the file with the file extension .p12 in the download directory of the web browser used) in different e-mail clients, please read the following documents.
 +
 +<WRAP center round info 100%>
 +==== GÉANT TCS PKI ====
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_11-2022_www.pdf#page=8|GWDG Nachrichten 11|22]] - Teil 7: Beantragung, Erstellung und Import eines Nutzerzertifikats in der GÉANT TCS PKI
 +
 +==== Universally applicable to X.509 certificates ====
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_1-2-2020_www.pdf#page=14|GWDG Nachrichten 1-2|20]] - Teil 2: Installation und Verteilung von Zertifikaten
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_3-2020_www.pdf#page=6|GWDG Nachrichten 3|20]] - Teil 3: Outlook-E-Mail-Anwendungen
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_7-8-2020_www.pdf#page=8|GWDG Nachrichten 7-8|20]] - Teil 4: Apple E-Mail-Anwendungen
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_11-2020_www.pdf#page=12|GWDG Nachrichten 11|20]] - Teil 5: Thunderbird, Notes und Mutt
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_5-2021_www.pdf#page=8|GWDG Nachrichten 5|21]] - Teil 6: Private Zertifikate mit der Volksverschlüsselung
 +
 +<WRAP center round important 60%>
 +(currently only in German)
 +</WRAP>
 +
 +</WRAP>
 +===== Apply for server certificates... =====
 +
 +==== ... from the GÉANT TCS PKI ====
 +<WRAP center round todo 80%>
 +<wrap em>Attention!</wrap> A service provider change is currently taking place.  For this reason, there is currently no instruction manual. This will be available soon.
 +</WRAP>
 +
 +
 +==== Unix/OS X ====
 +<WRAP center round info 80%>
 +Call OpenSSL with the following Parameters
 +
 +</WRAP>
 +
 +Simple Bash script...
 +<code bash createcsr.sh>openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</code>
 +  * Download createscr.sh script.
 +  * Change flags with <code bash>chmod 744 createcsr.sh</code>
 +  * Run script as follows <code bash>./createcsr.sh</code>.
 +
 +==== Windows ====
 +Simple PowerShell script...
 +<code powershell createcsr.ps1>openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</code>
 +Simple Batch script...
 +<code powershell createcsr.bat>openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</code>
 +
 +After that, proceed with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on "upload for Servers".
 +===== Apply for server certificate with OpenSSL.cnf =====
 +
 +<WRAP center round info 80%>
 +Call OpenSSL with the following Parameters
 +
 +</WRAP>
 +
 +==== Unix/OS X ====
 +Simple Bash script...
 +<code bash createcsr.sh>openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</code>
 +  * Download createscr.sh script.
 +  * Change flags with <code bash>chmod 744 createcsr.sh</code>
 +  * Run script as follows <code bash>./createcsr.sh</code>.
 +
 +==== Windows ====
 +Simple PowerShell script...
 +<code powershell createcsr.ps1>openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</code>
 +Simple Batch script...
 +<code powershell createcsr.bat>openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</code>
 +
 +After that, proceed with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on "upload for Servers".
 +===== Sample files for OpenSSL.cnf =====
 +
 +
 +==== MPG ====
 +Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid.
 +<code bash example.cnf>
 +HOME            = .
 +RANDFILE        = $ENV::HOME/.rnd
 +
 +####################################################################
 +[ req ]
 +default_bits        = 4096
 +default_keyfile     = example.key
 +distinguished_name  = server_distinguished_name
 +req_extensions      = server_req_extensions
 +string_mask         = utf8only
 +
 +####################################################################
 +[ server_distinguished_name ]
 +countryName         = Country Name (2 letter code)
 +countryName_default     = DE
 +
 +stateOrProvinceName     = State or Province Name (full name)
 +stateOrProvinceName_default = Niedersachsen
 +
 +localityName            = Locality Name (eg, city)
 +localityName_default        = Goettingen
 +
 +organizationName            = Organization Name (eg, company)
 +organizationName_default    = Max-Planck-Gesellschaft
 +
 +# The name of your CA subordinate RA can be found here 
 +# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:mpgras
 +# and thus, replace the value PKI
 +organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute)
 +organizationalUnitName_default = PKI
 +
 +commonName          = Common Name (eg, server FQDN or YOUR name)
 +commonName_default      = example.mpg.de
 +
 +emailAddress            = Email Address
 +emailAddress_default        = noreply@mpg.de
 +
 +####################################################################
 +[ server_req_extensions ]
 +
 +subjectKeyIdentifier        = hash
 +basicConstraints        = CA:FALSE
 +keyUsage            = digitalSignature, keyEncipherment
 +subjectAltName          = @alternate_names
 +nsComment           = "OpenSSL Generated Certificate"
 +
 +####################################################################
 +[ alternate_names ]
 +
 +DNS.1       = example-san-1.mpg.de
 +DNS.2       = example-san-2.mpg.de
 +</code>
 +==== Uni Göttingen ====
 +Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid.
 +<code bash example.cnf>
 +HOME            = .
 +RANDFILE        = $ENV::HOME/.rnd
 +
 +####################################################################
 +[ req ]
 +default_bits        = 4096
 +default_keyfile     = example.key
 +distinguished_name  = server_distinguished_name
 +req_extensions      = server_req_extensions
 +string_mask         = utf8only
 +
 +####################################################################
 +[ server_distinguished_name ]
 +countryName         = Country Name (2 letter code)
 +countryName_default     = DE
 +
 +stateOrProvinceName     = State or Province Name (full name)
 +stateOrProvinceName_default = Niedersachsen
 +
 +localityName            = Locality Name (eg, city)
 +localityName_default        = Goettingen
 +
 +organizationName            = Organization Name (eg, company)
 +organizationName_default    = Georg-August-Universitaet Goettingen
 +
 +# Please remove the comment character for the next two lines. The name of the CA child RA 
 +# You can see https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:uniras here and thus replace the value PKI.
 +#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
 +#organizationalUnitName_default = PKI
 +
 +commonName          = Common Name (e.g. server FQDN or YOUR name)
 +commonName_default      = example.uni-goettingen.de
 +
 +emailAddress            = Email Address
 +emailAddress_default        = noreply@uni-goettingen.de
 +
 +####################################################################
 +[ server_req_extensions ]
 +
 +subjectKeyIdentifier        = hash
 +basicConstraints        = CA:FALSE
 +keyUsage            = digitalSignature, keyEncipherment
 +subjectAltName          = @alternate_names
 +nsComment           = "OpenSSL Generated Certificate"
 +
 +####################################################################
 +[ alternate_names ]
 +
 +DNS.1       = example-san-1.uni-goettingen.de
 +DNS.2       = example-san-2.uni-goettingen.de
 +</code>
 +==== GWDG ====
 +Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid.
 +<code bash example.cnf>
 +HOME            = .
 +RANDFILE        = $ENV::HOME/.rnd
 +
 +####################################################################
 +[ req ]
 +default_bits        = 4096
 +default_keyfile     = example.key
 +distinguished_name  = server_distinguished_name
 +req_extensions      = server_req_extensions
 +string_mask         = utf8only
 +
 +####################################################################
 +[ server_distinguished_name ]
 +countryName         = Country Name (2 letter code)
 +countryName_default     = DE
 +
 +stateOrProvinceName     = State or Province Name (full name)
 +stateOrProvinceName_default = NIEDERSACHSEN
 +
 +localityName            = Locality Name (eg, city)
 +localityName_default        = GOETTINGEN
 +
 +organizationName            = Organization Name (eg, company)
 +organizationName_default    = Gesellschaft fuer wissenschaftliche Datenverarbeitung
 +
 +# Please remove the comment character for the next two lines. The name of the CA child RA 
 +# You can https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:gwdgras here and replace the value PKI.
 +#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
 +#organizationalUnitName_default = PKI
 +
 +commonName          = Common Name (e.g. server FQDN or YOUR name)
 +commonName_default      = example.gwdg.de
 +
 +emailAddress            = Email Address
 +emailAddress_default        = noreply@gwdg.de
 +
 +####################################################################
 +[ server_req_extensions ]
 +
 +subjectKeyIdentifier        = hash
 +basicConstraints        = CA:FALSE
 +keyUsage            = digitalSignature, keyEncipherment
 +subjectAltName          = @alternate_names
 +nsComment           = "OpenSSL Generated Certificate"
 +
 +####################################################################
 +[ alternate_names ]
 +
 +DNS.1       = example-san-1.gwdg.de
 +DNS.2       = example-san-2.gwdg.de
 +</code>
 +
 +===== Important OpenSSL commands =====
 +A collection of important OpenSSL commands for server certificates
 +
 +==== Password removal from private key ====
 +<code bash>openssl rsa -in example.key -out example.np.key</code>
 +
 +==== Creating a PKCS # 12 file from private and public keys ====
 +<code bash>openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem</code>
 +
 +===== Detailed description of the possible uses of X.509 certificates =====
 +
 +<WRAP center round info 100%>
 +==== GÉANT TCS PKI ====
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_3-2022_www.pdf#page=10|GWDG Nachrichten 03|22]] - Teil 4: Automatisierte Erstellung von Serverzertifikaten mit Bot-Software
 +<WRAP center round important 60%>
 +(currently only in German)
 +</WRAP>
 +
 +==== DFN-Vertein Community CA ====
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_9-10-2020_www.pdf#page=10|GWDG Nachrichten 09-10|20]] - Teil 1: Serverzertifikate
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_12-2020_www.pdf#page=10|GWDG Nachrichten 12|20]] - Teil 2: Ein Blick hinter die Kulissen eines Teilnehmerservices
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_3-2021_www.pdf#page=8|GWDG Nachrichten 03|21]] - Teil 3: Das Programm GUIRA für den Teilnehmerservice
 +
 +<WRAP center round important 60%>
 +(currently only in German)
 +</WRAP>
 +
 +</WRAP>