PKI

Public Key Infrastructure

Below you will find instructions on how to request certificates with popular web browsers, as well as instructions for using these certificates. The certification instructions refer to e-mail (S/MIME) certificates; however, requesting other types of certificates works largely the same way. If you have suggestions for further instructions or additional questions, you can send an e-mail to support@gwdg.de or use the GWDG support form.

Application for personal email certificate...

In the future, you will receive new certificates via the GÉANT TCS. For details of the application procedure, please contact the local participant service of your institution. For user certificates for signing and, optionally, encrypting e-mails, applying through the GÉANT TCS PKI is in most cases the right way. You create the user certificate in cooperation with the participant service staff of your institution (the RA). Further information is available in the GWDG Nachrichten articles listed under “Detailed description of e-mail encryption with X.509 certificates”.

... from the GÉANT TCS PKI

To apply for an e-mail certificate from the GÉANT TCS PKI, which is anchored in the DFN's client (tenant) of the GÉANT TCS PKI, please click on the PDF instructions below.

Because the application and issuance process of the GÉANT TCS PKI operator Sectigo changes frequently, these instructions are provided as a PDF file so that they can be modified and adapted more easily.

If you have any questions, please send an e-mail to support@gwdg.de or use the GWDG support form.

Detailed description of e-mail encryption with X.509 certificates

For further steps and detailed instructions on how to install and use the certificate (the file with the extension .p12 in the download directory of the web browser used) in different e-mail clients, please read the following documents.

GÉANT TCS PKI

  1. GWDG Nachrichten 11|22 - Part 7: Requesting, Creating and Importing a User Certificate in the GÉANT TCS PKI

Universally applicable to X.509 certificates

  1. GWDG Nachrichten 1-2|20 - Part 2: Installing and Distributing Certificates
  2. GWDG Nachrichten 3|20 - Part 3: Outlook E-Mail Applications
  3. GWDG Nachrichten 7-8|20 - Part 4: Apple E-Mail Applications
  4. GWDG Nachrichten 11|20 - Part 5: Thunderbird, Notes and Mutt
  5. GWDG Nachrichten 5|21 - Part 6: Private Certificates with Volksverschlüsselung

(currently only in German)

Apply for server certificates...

... from the GÉANT TCS PKI

To request ACME External Account Binding information for server certificates from the GÉANT TCS PKI, which is anchored in the DFN's client (tenant) of the GÉANT TCS PKI, send an e-mail to support@gwdg.de or use the GWDG support form.

Once you have received the ACME External Account Binding information, you can have the certificates for your servers created automatically. Instructions on how to do this can be found in the following GWDG Nachrichten article:

  1. GWDG News 03|22 - Part 4: Automated Creation of Server Certificates with Bot Software

(currently only in German)

Call OpenSSL with the following parameters

Unix/OS X

Simple Bash script…

createcsr.sh
#!/bin/sh
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem

Windows

Simple PowerShell script…

createcsr.ps1
# Generates a passphrase-protected 4096-bit RSA key and a CSR; the DN fields are prompted for interactively
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem

Simple Batch script…

createcsr.bat
REM Generates a passphrase-protected 4096-bit RSA key and a CSR; the DN fields are prompted for interactively
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem

After that, select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the web form of your institution, which you can reach by clicking on “upload for Servers”.

Apply for server certificate with OpenSSL.cnf

Call OpenSSL with the following parameters

Unix/OS X

Simple Bash script…

createcsr.sh
#!/bin/sh
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem

Windows

Simple PowerShell script…

createcsr.ps1
# Reads the DN defaults and SAN list from example.cnf; -nodes leaves the private key unencrypted, so restrict access to example.key
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem

Simple Batch script…

createcsr.bat
REM Reads the DN defaults and SAN list from example.cnf; -nodes leaves the private key unencrypted, so restrict access to example.key
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem

After that, select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the web form of your institution, which you can reach by clicking on “upload for Servers”.

Sample files for OpenSSL.cnf

MPG

Please replace the word example with the server name and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen

localityName            = Locality Name (eg, city)
localityName_default        = Goettingen

organizationName            = Organization Name (eg, company)
organizationName_default    = Max-Planck-Gesellschaft

# The name of your RA (subordinate to the CA) can be found at
# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:mpgras
# Replace the value PKI accordingly.
organizationalUnitName          = Organizational Unit Name (eg, your Max-Planck-Institute)
organizationalUnitName_default  = PKI

commonName          = Common Name (eg, server FQDN or YOUR name)
commonName_default      = example.mpg.de

emailAddress            = Email Address
emailAddress_default        = noreply@mpg.de

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

# TLS clients match the host name against this list, not against the CN,
# so the server's own FQDN (the commonName above) must be listed here too.
DNS.1       = example.mpg.de
DNS.2       = example-san-1.mpg.de
DNS.3       = example-san-2.mpg.de

Uni Göttingen

Please replace the word example with the server name and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen

localityName            = Locality Name (eg, city)
localityName_default        = Goettingen

organizationName            = Organization Name (eg, company)
organizationName_default    = Georg-August-Universitaet Goettingen

# Remove the comment character from the next two lines. The name of your RA
# (subordinate to the CA) can be found at
# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:uniras
# Replace the value PKI accordingly.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
#organizationalUnitName_default = PKI

commonName          = Common Name (eg, server FQDN or YOUR name)
commonName_default      = example.uni-goettingen.de

emailAddress            = Email Address
emailAddress_default        = noreply@uni-goettingen.de

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

# TLS clients match the host name against this list, not against the CN,
# so the server's own FQDN (the commonName above) must be listed here too.
DNS.1       = example.uni-goettingen.de
DNS.2       = example-san-1.uni-goettingen.de
DNS.3       = example-san-2.uni-goettingen.de

GWDG

Please replace the word example with the server name and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NIEDERSACHSEN

localityName            = Locality Name (eg, city)
localityName_default        = GOETTINGEN

organizationName            = Organization Name (eg, company)
organizationName_default    = Gesellschaft fuer wissenschaftliche Datenverarbeitung

# Remove the comment character from the next two lines. The name of your RA
# (subordinate to the CA) can be found at
# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:gwdgras
# Replace the value PKI accordingly.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name)
#organizationalUnitName_default = PKI

commonName          = Common Name (eg, server FQDN or YOUR name)
commonName_default      = example.gwdg.de

emailAddress            = Email Address
emailAddress_default        = noreply@gwdg.de

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

# TLS clients match the host name against this list, not against the CN,
# so the server's own FQDN (the commonName above) must be listed here too.
DNS.1       = example.gwdg.de
DNS.2       = example-san-1.gwdg.de
DNS.3       = example-san-2.gwdg.de
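As a pre-flight check before running createcsr with one of the sample files above, the following added Python example (not part of the GWDG page) parses a config in that format and flags what is most often forgotten: the placeholders example and noreply@ left unreplaced, and a commonName that is not repeated in the subjectAltName list. The embedded config is a constructed sample modeled on the examples above, with those mistakes deliberately left in.

```python
import re
# Constructed sample modeled on the page's example.cnf, placeholders left in.
SAMPLE_CNF = """\
[ req ]
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
[ server_distinguished_name ]
commonName_default      = example.gwdg.de
emailAddress_default    = noreply@gwdg.de
[ server_req_extensions ]
basicConstraints        = CA:FALSE
subjectAltName          = @alternate_names
[ alternate_names ]
DNS.1       = example-san-1.gwdg.de
DNS.2       = example-san-2.gwdg.de
"""

def parse_openssl_cnf(text):
    # Minimal parser: [ section ] headers, key = value lines, '#' comments skipped.
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_request_config(text):
    # Problems that would make a CSR built from this config unfit for upload.
    cfg = parse_openssl_cnf(text)
    req = cfg.get("req", {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    san = cfg.get(ext.get("subjectAltName", "@")[1:], {})  # "@section" reference
    cn = dn.get("commonName_default", "")
    names = [v for k, v in san.items() if k.startswith("DNS.")]
    problems = []
    if cn not in names:  # TLS clients match the host name against the SAN, not the CN
        problems.append(f"CN {cn} is not listed in subjectAltName")
    for name in [cn] + names:
        if re.match(r"example(-san-\d+)?\.", name):
            problems.append(f"placeholder server name not replaced: {name}")
    if dn.get("emailAddress_default", "").startswith("noreply@"):
        problems.append("placeholder e-mail address noreply@... not replaced")
    return problems
```

Run check_request_config on the contents of your edited example.cnf; an empty list means the file is ready for the createcsr script.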

Important OpenSSL commands

A collection of important OpenSSL commands for server certificates

Removing the password from a private key

openssl rsa -in example.key -out example.np.key

Creating a PKCS#12 file from the private key and the certificate

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem

Detailed description of the possible uses of X.509 certificates

GÉANT TCS PKI

  1. GWDG Nachrichten 03|22 - Part 4: Automated Creation of Server Certificates with Bot Software

(currently only in German)

DFN-Verein Community CA

  1. GWDG Nachrichten 09-10|20 - Part 1: Server Certificates
  2. GWDG Nachrichten 12|20 - Part 2: A Look behind the Scenes of a Participant Service
  3. GWDG Nachrichten 03|21 - Part 3: The GUIRA Program for the Participant Service

(currently only in German)