en:services:it_security:pki:start, revision 2025/01/27 11:37 (current) by thinder, "Service provider change"; previous revision 2023/11/09 15:56 by thinder (section "... from the GÉANT TCS PKI").
====== PKI ======

===== Public Key Infrastructure =====


Below you will find instructions on how to request certificates with popular web browsers, as well as instructions for using these certificates. The request instructions cover e-mail (S/MIME) certificates; requesting other certificate types works largely the same way. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?

===== Applying for a personal e-mail certificate... =====
New certificates are now issued via the GÉANT TCS. For the specific application procedure, please contact the local participant service of your institution.
For user certificates for signing and optionally encrypting e-mails, the application method is the [[#
Further information can be found under "


==== ... from the GÉANT TCS PKI ====
To apply for an e-mail certificate from the GÉANT TCS PKI, which is anchored in the DFN tenant of the GÉANT TCS PKI, please click on the PDF instructions below.
<WRAP center round todo 80%>
<wrap em>
</WRAP>
If you have any questions, please send an e-mail to [[support@gwdg.de?

===== Detailed description of e-mail encryption with X.509 certificates =====
For the further steps, and for detailed instructions on installing and using the certificate (the file with the extension .p12 in the download directory of the web browser you used) in the various e-mail clients, please read the following documents. The .p12 file contains your private key together with the certificate, so protect the file and its password like any other credential.

<WRAP center round info 100%>
==== GÉANT TCS PKI ====
  - [[https://

==== Universally applicable to X.509 certificates ====
  - [[https://
  - [[https://
  - [[https://
  - [[https://
  - [[https://

<WRAP center round important 60%>
(currently only in German)
</WRAP>

</WRAP>
===== Applying for server certificates... =====

==== ... from the GÉANT TCS PKI ====
<WRAP center round todo 80%>
<wrap em>
</WRAP>


==== Unix/OS X ====
<WRAP center round info 80%>
Call OpenSSL with the following parameters

</WRAP>

Simple Bash script...
<code bash createcsr.sh>
  * Download the createcsr.sh script.
  * Change the flags with <code bash>
  * Run the script as follows: <code bash>

==== Windows ====
Simple PowerShell script...
<code powershell createcsr.ps1>
Simple Batch script...
<code powershell createcsr.bat>

After that, proceed with the [[#
===== Applying for a server certificate with an OpenSSL.cnf =====

<WRAP center round info 80%>
Call OpenSSL with the following parameters

</WRAP>

==== Unix/OS X ====
Simple Bash script...
<code bash createcsr.sh>
  * Download the createcsr.sh script.
  * Change the flags with <code bash>
  * Run the script as follows: <code bash>

==== Windows ====
Simple PowerShell script...
<code powershell createcsr.ps1>
Simple Batch script...
<code powershell createcsr.bat>

After that, proceed with the [[#
===== Sample files for OpenSSL.cnf =====


==== MPG ====
Please replace the word **example** with the server name, and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid address.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = Niedersachsen

localityName
localityName_default

organizationName
organizationName_default

# The name of the RA subordinate to your CA can be found at
# https://
# replace the value PKI below with it
organizationalUnitName = Organizational Unit Name (e.g. your Max Planck Institute)
organizationalUnitName_default = PKI

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.mpg.de
DNS.2 = example-san-2.mpg.de
</code>
==== Uni Göttingen ====
Please replace the word **example** with the server name, and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid address.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = Niedersachsen

localityName
localityName_default

organizationName
organizationName_default

# Remove the comment character from the next two lines. The name of the RA subordinate to the CA
# can be found at https://
#
#

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.uni-goettingen.de
DNS.2 = example-san-2.uni-goettingen.de
</code>
==== GWDG ====
Please replace the word **example** with the server name, and the e-mail address **noreplay@{MPG | uni-goettingen | gwdg}.de** with a valid address.
<code bash example.cnf>
HOME = .
RANDFILE

####################################################################
[ req ]
default_bits
default_keyfile
distinguished_name
req_extensions
string_mask

####################################################################
[ server_distinguished_name ]
countryName
countryName_default

stateOrProvinceName
stateOrProvinceName_default = NIEDERSACHSEN

localityName
localityName_default

organizationName
organizationName_default

# Remove the comment character from the next two lines. The name of the RA subordinate to the CA
# can be found at https://
#
#

commonName
commonName_default

emailAddress
emailAddress_default

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier
basicConstraints
keyUsage
subjectAltName
nsComment

####################################################################
[ alternate_names ]

DNS.1 = example-san-1.gwdg.de
DNS.2 = example-san-2.gwdg.de
</code>
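The following script is an added example, not the createcsr.sh distributed on this page, and it serves both the parameter-driven Unix/OS X section above and the OpenSSL.cnf procedure with the sample files: it writes a config in the style of example.cnf, generates the key and the CSR from it, and runs the checks worth doing before the CSR goes to the RA. The host name example.gwdg.de, the SAN list, the DN values (O = GWDG, L = Goettingen) and the 4096-bit RSA key are assumptions for this example; replace them with your own values and with the RA data from the sample file for your institution.

```shell
#!/bin/sh
# Added example (not the createcsr.sh distributed by GWDG): generate a key and a
# CSR from an OpenSSL config in the style of the sample files above, then check
# the CSR before it is submitted. Server name, DN values, SAN list and key size
# below are assumptions for this example.
set -eu
umask 077                                   # key.pem is created with mode 0600
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="example.gwdg.de"               # assumed server name

# Config in the style of example.cnf, with prompt = no so the DN is read from
# the file instead of being typed interactively.
write_config() {
  cat > "$WORKDIR/example.cnf" <<EOF
[ req ]
default_bits        = 4096
prompt              = no
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only

[ server_distinguished_name ]
C  = DE
ST = Niedersachsen
L  = Goettingen
O  = GWDG
CN = $SERVER_NAME

[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names

[ alternate_names ]
DNS.1 = $SERVER_NAME
DNS.2 = example-san-1.gwdg.de
EOF
}

# Generate a 4096-bit RSA key (reused if already present) and a CSR signed
# with it; prints the CSR path. Only the CSR leaves this directory.
create_csr() {
  write_config
  [ -f "$WORKDIR/key.pem" ] || openssl genpkey -algorithm RSA \
      -pkeyopt rsa_keygen_bits:4096 -out "$WORKDIR/key.pem" 2>/dev/null
  openssl req -new -config "$WORKDIR/example.cnf" \
      -key "$WORKDIR/key.pem" -out "$WORKDIR/$SERVER_NAME.csr"
  echo "$WORKDIR/$SERVER_NAME.csr"
}

# Checks to run before submitting: self-signature valid, expected CN, every
# SAN present, key size as intended.
csr_verify()   { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_cn()       { openssl req -in "$1" -noout -subject -nameopt RFC2253 \
                   | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
csr_has_san()  { openssl req -in "$1" -noout -text | grep -qF "DNS:$2"; }
csr_key_bits() { openssl req -in "$1" -noout -text \
                   | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

csr=$(create_csr)
csr_verify "$csr" && echo "CSR OK: CN=$(csr_cn "$csr"), $(csr_key_bits "$csr")-bit key, written to $csr"
```

Without a config file the same CSR can be produced with `openssl req -new -key key.pem -subj "/C=DE/ST=Niedersachsen/L=Goettingen/O=GWDG/CN=example.gwdg.de" -addext "subjectAltName=DNS:example.gwdg.de,DNS:example-san-1.gwdg.de"` (OpenSSL 1.1.1 or later). Whichever route you use, repeat the commonName as the first DNS entry under subjectAltName: clients validate host names against the SAN extension only, and a name missing from the CSR will be missing from the certificate unless the RA adds it at request time.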
+ | |||
+ | ===== Important OpenSSL commands ===== | ||
+ | A collection of important OpenSSL commands for server certificates | ||
+ | |||
+ | ==== Password removal from private key ==== | ||
+ | <code bash> | ||
+ | |||
+ | ==== Creating a PKCS # 12 file from private and public keys ==== | ||
+ | <code bash> | ||
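Added example for the two commands in this section, written here for illustration and not taken from the page: it strips the passphrase from a private key, bundles key and certificate into a PKCS#12 file, and checks both results. Because the page's own command lines are not reproduced here, the inputs are constructed: a fresh key encrypted under a known passphrase and a throwaway self-signed certificate stand in for the key written by createcsr.sh and the certificate issued by the CA; the server name and both passwords are assumptions.

```shell
#!/bin/sh
# Added example for the two commands in this section (not the page's own command
# lines): strip the passphrase from a private key, bundle key and certificate
# into a PKCS#12 file, and check both results. Constructed inputs: a fresh key
# under a known passphrase and a self-signed certificate stand in for the key
# from createcsr.sh and the CA-issued certificate; names and passwords are assumed.
set -eu
umask 077                                   # the plaintext key is created with mode 0600
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="example.gwdg.de"
KEYPASS="oldsecret"                          # passphrase the key was generated with
P12PASS="exportsecret"                       # password protecting the .p12

# Constructed inputs: encrypted 2048-bit RSA key plus a self-signed certificate
# for it (a minimal config keeps openssl req independent of the system config).
prepare_inputs() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -aes-256-cbc -pass "pass:$KEYPASS" -out "$WORKDIR/key.enc.pem" 2>/dev/null
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORKDIR/min.cnf"
  openssl req -x509 -new -config "$WORKDIR/min.cnf" -key "$WORKDIR/key.enc.pem" \
      -passin "pass:$KEYPASS" -subj "/C=DE/O=GWDG/CN=$SERVER_NAME" -days 30 \
      -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Password removal: the same key, written without encryption. Anyone who can
# read the output can impersonate the server, hence umask 077 above.
remove_key_password() {                      # $1 encrypted key, $2 passphrase, $3 output
  openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# PKCS#12: private key and certificate (add -certfile chain.pem for the
# intermediates) under one export password, as mail clients and Windows expect.
make_pkcs12() {                              # $1 key, $2 cert, $3 output .p12, $4 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$SERVER_NAME" \
      -out "$3" -passout "pass:$4"
}

# Checks: is a PEM key still encrypted, does the key belong to the certificate,
# and does the bundle open with the given password (its MAC is verified)?
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; }
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
pkcs12_ok() { openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -noout >/dev/null 2>&1; }

prepare_inputs
remove_key_password "$WORKDIR/key.enc.pem" "$KEYPASS" "$WORKDIR/key.pem"
make_pkcs12 "$WORKDIR/key.pem" "$WORKDIR/cert.pem" "$WORKDIR/$SERVER_NAME.p12" "$P12PASS"
pkcs12_ok "$WORKDIR/$SERVER_NAME.p12" "$P12PASS" && echo "bundle written: $WORKDIR/$SERVER_NAME.p12"
```

Run the key_matches_cert check on the certificate you receive from the CA before touching the server configuration; it catches a certificate issued for a different CSR. OpenSSL 3 writes the bundle with AES-256 and PBKDF2 by default; if an older importer rejects it, add -legacy to the export command.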
+ | |||
+ | ===== Detailed description of the possible uses of X.509 certificates ===== | ||
+ | |||
+ | <WRAP center round info 100%> | ||
+ | ==== GÉANT TCS PKI ==== | ||
+ | - [[https:// | ||
+ | <WRAP center round important 60%> | ||
+ | (currently only in German) | ||
+ | </ | ||
+ | |||
+ | ==== DFN-Vertein Community CA ==== | ||
+ | - [[https:// | ||
+ | - [[https:// | ||
+ | - [[https:// | ||
+ | |||
+ | <WRAP center round important 60%> | ||
+ | (currently only in German) | ||
+ | </ | ||
+ | |||
+ | </ | ||