====== PKI ======
===== Public Key Infrastructure =====
Below you will find instructions on how to request certificates with popular web browsers as well as instructions for using these certificates. The certificate instructions relate to e-mail (S/MIME) certificates; however, requesting other types of certificates works largely the same way. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?subject=Question(s) about certificate(s)&body=Ladies and gentlemen,%0A%0AI have the following question(s) about certificate(s):%0A%0A|support@gwdg.de]] or use the GWDG [[https://gwdg.de/en/support|support form]].
===== Application for personal email certificate... =====
In the future, you will receive new certificates via the GÉANT TCS. For information on the specific application procedure, please contact the local participant service of your institution.
For user certificates used to sign and optionally encrypt e-mails, applying via the [[#geant_tcs_pki|GÉANT TCS PKI]] is in most cases the right way. You create the user certificate in cooperation with the participant service staff of your institution, i.e. your RA.
Further information is also available in the GWDG Nachrichten articles listed under "[[#detailed_description_of_e-mail_encryption_with_x509_certificates|Detailed description of e-mail encryption with X.509 certificates]]".
==== ... from the GÉANT TCS PKI ====
To apply for an e-mail certificate from the GÉANT TCS PKI (issued via the DFN's tenant of that PKI), please open the PDF instructions below.
Because the application and issuance process of the GÉANT TCS PKI operator Sectigo changes frequently, the instructions are provided as a PDF file so that they can be revised and adapted more easily.
* {{ :en:services:it_security:pki:beantragung_eines_e-mail-zertifikats_aus_der_gwdg-ca_die_im_geant_tcs_mandanten_des_dfn_verankert_ist.pdf |Application for an e-mail certificate from the GWDG-CA, which is anchored in the GÉANT TCS tenant of the DFN}}.
If you have any questions, please send an e-mail to [[support@gwdg.de?subject=Question about my personal email certificate&body=Ladies and gentlemen,%0A%0AI have the following question(s) about certificate(s): %0A%0A|support@gwdg.de]] or use the GWDG [[https://gwdg.de/en/support|support form]].
===== Detailed description of e-mail encryption with X.509 certificates =====
For further steps and detailed instructions on installing and using the certificate (the file with the extension .p12 in the download directory of your web browser) in various e-mail clients, please read the following documents.
==== GÉANT TCS PKI ====
- [[https://www.gwdg.de/documents/20182/27257/GN_11-2022_www.pdf#page=8|GWDG Nachrichten 11|22]] - Part 7: Applying for, Creating and Importing a User Certificate in the GÉANT TCS PKI
==== Universally applicable to X.509 certificates ====
- [[https://www.gwdg.de/documents/20182/27257/GN_1-2-2020_www.pdf#page=14|GWDG Nachrichten 1-2|20]] - Part 2: Installing and Distributing Certificates
- [[https://www.gwdg.de/documents/20182/27257/GN_3-2020_www.pdf#page=6|GWDG Nachrichten 3|20]] - Part 3: Outlook E-Mail Applications
- [[https://www.gwdg.de/documents/20182/27257/GN_7-8-2020_www.pdf#page=8|GWDG Nachrichten 7-8|20]] - Part 4: Apple E-Mail Applications
- [[https://www.gwdg.de/documents/20182/27257/GN_11-2020_www.pdf#page=12|GWDG Nachrichten 11|20]] - Part 5: Thunderbird, Notes and Mutt
- [[https://www.gwdg.de/documents/20182/27257/GN_5-2021_www.pdf#page=8|GWDG Nachrichten 5|21]] - Part 6: Private Certificates with Volksverschlüsselung
(currently only in German)
===== Apply for server certificates... =====
==== ... from the GÉANT TCS PKI ====
To request ACME External Account Binding information for server certificates from the GÉANT TCS PKI (issued via the DFN's tenant of that PKI), send an e-mail to [[support@gwdg.de?subject=Request for ACME External Account Binding Information for the following server(s):&body=Dear Sir or Madam,%0A%0AI would like to request ACME External Account Binding information for the following server(s):%0A%0A|support@gwdg.de]] or use the GWDG [[https://www.gwdg.de/support|support form]].
Once you have received the ACME External Account Binding information, you can have the certificates for your servers created automatically. Instructions on how to do this can be found in the following GWDG Nachrichten article:
- [[https://www.gwdg.de/documents/20182/27257/GN_3-2022_www.pdf#page=10|GWDG News 03|22]] - Part 4: Automated Creation of Server Certificates with Bot Software
(currently only in German)
==== Unix/OS X ====
Call OpenSSL with the following parameters.
Simple Bash script...
<code bash>
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
</code>
* Download the createcsr.sh script.
* Make it executable with chmod 744 createcsr.sh
* Run the script with ./createcsr.sh
==== Windows ====
Simple PowerShell script...
<code powershell>
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
</code>
Simple Batch script...
<code dos>
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
</code>
After that, proceed with [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file via the web form of your institution, which you can reach by clicking on "upload for Servers".
===== Apply for server certificate with OpenSSL.cnf =====
Call OpenSSL with the following parameters.
==== Unix/OS X ====
Simple Bash script...
<code bash>
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
</code>
* Download the createcsr.sh script.
* Make it executable with chmod 744 createcsr.sh
* Run the script with ./createcsr.sh
==== Windows ====
Simple PowerShell script...
<code powershell>
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
</code>
Simple Batch script...
<code dos>
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
</code>
After that, proceed with [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file via the web form of your institution, which you can reach by clicking on "upload for Servers".
===== Sample files for OpenSSL.cnf =====
==== MPG ====
Please replace the word **example** with the server name and the e-mail address **noreply@{mpg | uni-goettingen | gwdg}.de** with a valid one.
<code>
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 4096
default_keyfile = example.key
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
localityName = Locality Name (eg, city)
localityName_default = Goettingen
organizationName = Organization Name (eg, company)
organizationName_default = Max-Planck-Gesellschaft
# The name of the RA subordinate to your CA can be found at
# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:mpgras
# Replace the value PKI with that name.
organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute)
organizationalUnitName_default = PKI
commonName = Common Name (eg, server FQDN or YOUR name)
commonName_default = example.mpg.de
emailAddress = Email Address
emailAddress_default = noreply@mpg.de
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = example-san-1.mpg.de
DNS.2 = example-san-2.mpg.de
</code>
==== Uni Göttingen ====
Please replace the word **example** with the server name and the e-mail address **noreply@{mpg | uni-goettingen | gwdg}.de** with a valid one.
<code>
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 4096
default_keyfile = example.key
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
localityName = Locality Name (eg, city)
localityName_default = Goettingen
organizationName = Organization Name (eg, company)
organizationName_default = Georg-August-Universitaet Goettingen
# Please remove the comment character from the next two lines. The name of the RA
# subordinate to the CA can be found at https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:uniras
# Replace the value PKI with that name.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
#organizationalUnitName_default = PKI
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = example.uni-goettingen.de
emailAddress = Email Address
emailAddress_default = noreply@uni-goettingen.de
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = example-san-1.uni-goettingen.de
DNS.2 = example-san-2.uni-goettingen.de
</code>
==== GWDG ====
Please replace the word **example** with the server name and the e-mail address **noreply@{mpg | uni-goettingen | gwdg}.de** with a valid one.
<code>
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 4096
default_keyfile = example.key
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NIEDERSACHSEN
localityName = Locality Name (eg, city)
localityName_default = GOETTINGEN
organizationName = Organization Name (eg, company)
organizationName_default = Gesellschaft fuer wissenschaftliche Datenverarbeitung
# Please remove the comment character from the next two lines. The name of the RA
# subordinate to the CA can be found at https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:gwdgras
# Replace the value PKI with that name.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
#organizationalUnitName_default = PKI
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = example.gwdg.de
emailAddress = Email Address
emailAddress_default = noreply@gwdg.de
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = example-san-1.gwdg.de
DNS.2 = example-san-2.gwdg.de
</code>
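As an added example that is not part of the GWDG page or its scripts, the following POSIX shell code ties the two steps above together: it generates a key and CSR from a configuration laid out like the sample files, then checks the CSR before it is uploaded to the RA. The host names, organisation and work directory are constructed placeholders.

```sh
# Added example (not from the GWDG page): build key+CSR from a config laid out like
# the page's samples, then check the CSR before upload. Names/dir are placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
write_cnf() {  # same section layout as the page's sample files, DN shortened
  cat > "$WORKDIR/example.cnf" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
organizationName = Organization Name (eg, company)
organizationName_default = Example Organisation
commonName = Common Name (eg, server FQDN)
commonName_default = example.example.org
[ server_req_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = example.example.org
DNS.2 = example-san-1.example.org
EOF
}
# make_csr: the page's command plus -batch (takes the *_default values unattended);
# -nodes leaves the key unencrypted, so restrict its permissions right away.
make_csr() {
  write_cnf
  openssl req -config "$WORKDIR/example.cnf" -batch -newkey rsa:4096 -sha256 -nodes \
    -keyout "$WORKDIR/example.key" -out "$WORKDIR/example-csr.pem" 2>/dev/null
  chmod 600 "$WORKDIR/example.key"
}
# check_csr CSR KEY: prints "ok" when upload-ready, else a reason and non-zero status.
check_csr() {
  csr=$1; key=$2
  # 1. self-signature verifies: the file is complete and untampered
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return 1; }
  # 2. the CSR was made with the private key we are about to deploy
  [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo key-mismatch; return 1; }
  text=$(openssl req -in "$csr" -noout -text)
  # 3. the key length the page's command asks for
  echo "$text" | grep -q 'Public-Key: (4096 bit)' || { echo weak-key; return 1; }
  # 4. the CN must also appear as a DNS SAN; clients match on SAN, not CN
  cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p')
  echo "$text" | grep -qE "DNS:$cn(,|\$)" || { echo cn-not-in-san; return 1; }
  echo ok
}
```

Run make_csr and then check_csr "$WORKDIR/example-csr.pem" "$WORKDIR/example.key"; any output other than ok means the request should be regenerated rather than uploaded.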
===== Important OpenSSL commands =====
A collection of important OpenSSL commands for server certificates.
==== Password removal from private key ====
<code bash>
openssl rsa -in example.key -out example.np.key
</code>
==== Creating a PKCS#12 file from private and public keys ====
<code bash>
openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem
</code>
===== Detailed description of the possible uses of X.509 certificates =====
==== GÉANT TCS PKI ====
- [[https://www.gwdg.de/documents/20182/27257/GN_3-2022_www.pdf#page=10|GWDG Nachrichten 03|22]] - Part 4: Automated Creation of Server Certificates with Bot Software
(currently only in German)
==== DFN-Verein Community CA ====
- [[https://www.gwdg.de/documents/20182/27257/GN_9-10-2020_www.pdf#page=10|GWDG Nachrichten 09-10|20]] - Part 1: Server Certificates
- [[https://www.gwdg.de/documents/20182/27257/GN_12-2020_www.pdf#page=10|GWDG Nachrichten 12|20]] - Part 2: A Look Behind the Scenes of a Participant Service
- [[https://www.gwdg.de/documents/20182/27257/GN_3-2021_www.pdf#page=8|GWDG Nachrichten 03|21]] - Part 3: The GUIRA Program for the Participant Service
(currently only in German)