Table of Contents
PKI
Public Key Infrastructure
Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to support@gwdg.de or use the GWDG support form.
Application for personal email certificate...
In the future, you will receive new certificates via the GÉANT TCS. For information on specific application procedures, please contact your local participant service of your institution. For user certificates for signing and/or optional encryption of e-mails, the application method is the GÉANT TCS PKI in most cases the right way. In cooperation with your local participant service employee of your institution or RA, you create a user certificate. Further information can also be found in the information provided under “Detailed description of email encryption with X.509 certificates” GWDG news articles available to you.
... from the GÉANT TCS PKI
To apply for an e-mail certificate from the GÉANT TCS PKI, which is anchored in the client of the DFN of the GÉANT TCS PKI, please click on the PDF instructions below.
Due to frequent changes in the application and issuance process of the GÉANT TCS PKI operator Sectigo, these have been created as a PDF file for easier modification and adaptation.
If you have any questions, please send an e-mail to support@gwdg.de or use the GWDG support form.
Detailed description of e-mail encryption with X.509 certificates
For further steps and detailed instructions on how to install and use the certificate (the file with the file extension .p12 in the download directory of the web browser used) in different e-mail clients, please read the following documents.
GÉANT TCS PKI
- GWDG Nachrichten 11|22 - Teil 7: Beantragung, Erstellung und Import eines Nutzerzertifikats in der GÉANT TCS PKI
Universally applicable to X.509 certificates
- GWDG Nachrichten 1-2|20 - Teil 2: Installation und Verteilung von Zertifikaten
- GWDG Nachrichten 3|20 - Teil 3: Outlook-E-Mail-Anwendungen
- GWDG Nachrichten 7-8|20 - Teil 4: Apple E-Mail-Anwendungen
- GWDG Nachrichten 11|20 - Teil 5: Thunderbird, Notes und Mutt
- GWDG Nachrichten 5|21 - Teil 6: Private Zertifikate mit der Volksverschlüsselung
(currently only in German)
Apply for server certificates...
... from the GÉANT TCS PKI
To request ACME External Account Binding Information for server certificates from the GÉANT TCS PKI, which is anchored in the client of the DFN of the GÉANT TCS PKI, send an e-mail to support@gwdg.de or use the Support form of the GWDG.
Once you have received the ACME External Account Binding information, you can automatically create the certificates for your servers. Instructions on how to do this can be found in the following GWDG News article:
- GWDG News 03|22 - Part 4: Automated Creation of Server Certificates with Bot Software
(currently only in German)
Unix/OS X
Call OpenSSL with the following Parameters
Simple Bash script…
- createcsr.sh
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
- Download createscr.sh script.
- Change flags with
chmod 744 createcsr.sh
- Run script as follows
./createcsr.sh
.
Windows
Simple PowerShell script…
- createcsr.ps1
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
Simple Batch script…
- createcsr.bat
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.
Apply for server certificate with OpenSSL.cnf
Call OpenSSL with the following Parameters
Unix/OS X
Simple Bash script…
- createcsr.sh
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
- Download createscr.sh script.
- Change flags with
chmod 744 createcsr.sh
- Run script as follows
./createcsr.sh
.
Windows
Simple PowerShell script…
- createcsr.ps1
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
Simple Batch script…
- createcsr.bat
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.
Sample files for OpenSSL.cnf
MPG
Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.
- example.cnf
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ req ] default_bits = 4096 default_keyfile = example.key distinguished_name = server_distinguished_name req_extensions = server_req_extensions string_mask = utf8only #################################################################### [ server_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Niedersachsen localityName = Locality Name (eg, city) localityName_default = Goettingen organizationName = Organization Name (eg, company) organizationName_default = Max-Planck-Gesellschaft # The name of your CA subordinate RA can be found here # https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:mpgras # and thus, replace the value PKI organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute) organizationalUnitName_default = PKI commonName = Common Name (eg, server FQDN or YOUR name) commonName_default = example.mpg.de emailAddress = Email Address emailAddress_default = noreply@mpg.de #################################################################### [ server_req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" #################################################################### [ alternate_names ] DNS.1 = example-san-1.mpg.de DNS.2 = example-san-2.mpg.de
Uni Göttingen
Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.
- example.cnf
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ req ] default_bits = 4096 default_keyfile = example.key distinguished_name = server_distinguished_name req_extensions = server_req_extensions string_mask = utf8only #################################################################### [ server_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Niedersachsen localityName = Locality Name (eg, city) localityName_default = Goettingen organizationName = Organization Name (eg, company) organizationName_default = Georg-August-Universitaet Goettingen # Please remove the comment character for the next two lines. The name of the CA child RA # You can see https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:uniras here and thus replace the value PKI. #organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA) #organizationalUnitName_default = PKI commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = example.uni-goettingen.de emailAddress = Email Address emailAddress_default = noreply@uni-goettingen.de #################################################################### [ server_req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" #################################################################### [ alternate_names ] DNS.1 = example-san-1.uni-goettingen.de DNS.2 = example-san-2.uni-goettingen.de
GWDG
Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.
- example.cnf
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ req ] default_bits = 4096 default_keyfile = example.key distinguished_name = server_distinguished_name req_extensions = server_req_extensions string_mask = utf8only #################################################################### [ server_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NIEDERSACHSEN localityName = Locality Name (eg, city) localityName_default = GOETTINGEN organizationName = Organization Name (eg, company) organizationName_default = Gesellschaft fuer wissenschaftliche Datenverarbeitung # Please remove the comment character for the next two lines. The name of the CA child RA # You can https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:gwdgras here and replace the value PKI. #organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA) #organizationalUnitName_default = PKI commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = example.gwdg.de emailAddress = Email Address emailAddress_default = noreply@gwdg.de #################################################################### [ server_req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" #################################################################### [ alternate_names ] DNS.1 = example-san-1.gwdg.de DNS.2 = example-san-2.gwdg.de
Important OpenSSL commands
A collection of important OpenSSL commands for server certificates
Password removal from private key
openssl rsa -in example.key -out example.np.key
Creating a PKCS # 12 file from private and public keys
openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem
Detailed description of the possible uses of X.509 certificates
GÉANT TCS PKI
- GWDG Nachrichten 03|22 - Teil 4: Automatisierte Erstellung von Serverzertifikaten mit Bot-Software
(currently only in German)
DFN-Vertein Community CA
- GWDG Nachrichten 09-10|20 - Teil 1: Serverzertifikate
- GWDG Nachrichten 12|20 - Teil 2: Ein Blick hinter die Kulissen eines Teilnehmerservices
- GWDG Nachrichten 03|21 - Teil 3: Das Programm GUIRA für den Teilnehmerservice
(currently only in German)