PKI

Public Key Infrastructure

Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to support@gwdg.de or use the GWDG support form.

Application for personal email certificate

In the future, you will receive new certificates via the GÉANT TCS service. For information on specific application procedures, please contact your local participant service of your institution by choosing the Registration Authority (RA). For user certificates for signing and/or optional encryption of e-mails, the application method is the GÉANT TCS PKI in the vast majority of cases the right way. In cooperation with your local participant service employee of your institution or RA, you create a user certificate. Further information can also be found in the information provided under “Detailed description of email encryption with X.509 certificates” GWDG news articles available to you.

Select a Registration Authority (RA)

GÉANT TCS PKI

Content will be available soon.

DFN-Verein Community CA

Apply for a certificate

According to the following, as described in GN 04-05|20 (currently only in German) in the paragraph “Der neue Beantragungsweg”, the path to the new application pages is described, this will change from Fig. 2 there as described in the following.

There are now two larger buttons. To apply, click the "Apply for a new user certificate" button.

There are now two larger buttons. To apply, click the “Apply for a new user certificate” button.

Enter the required data for the user certificate and click on the "Next" button.

Enter the required data for the user certificate and click on the “Next” button.

A summary of the information is displayed. If everything is fine, click on the "Save request file" button.

A summary of the information is displayed. If everything is fine, click on the “Save request file” button.

A password for the application file must be entered and confirmed by clicking on "Ok".

A password for the application file must be entered and confirmed by clicking on “Ok”.

The application file is stored in the download directory of the web browser used.

The application file is stored in the download directory of the web browser used.

With the application you signed, please go to the responsible RA operator in your institute.

For personal identification, please have your valid ID.

After personal identification and verification of the certificate application, the responsible RA operator will issue your certificate application.

You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.

Certificate pick up

After clicking on the URL in the mail or by copying and pasting into the address line of the browser with which the certificate was requested, click on “Pick up a requested certificate”.

To specify or select the application file, click Browse and select the associated application file for the certificate to be obtained. The browsers store this file in the Downloads folder of the user.

The information in the application file is displayed. If everything fits click “Next”.

If an attempt is made to retrieve the certificate and the confirmation email has not yet been received, you will receive the following error message.

If the pickup worked, the data of the currently collected certificate is displayed in an overview. Clicking on “Save Certificate File” initiates the completion of the pickup.

To secure the certificate file to be saved, it is now imperative to enter a certificate password. Clicking OK completes the process.

At the end of the collection, an information page with important information that should be considered will be displayed.

Detailed description of e-mail encryption with X.509 certificates

For further steps and detailed instructions on how to install and use the certificate in different e-mail clients, please read the following documents.

GÉANT TCS PKI

  1. GWDG Nachrichten 11|22 - Teil 7: Beantragung, Erstellung und Import eines Nutzerzertifikats in der GÉANT TCS PKI

DFN-Verein Community CA

  1. GWDG Nachrichten 4|21 - Weitere Überarbeitung des Beantragungsweges für Nutzerzertifikate in der DFN-PKI
  2. GWDG Nachrichten 12|19 - Teil 1: Beantragung und Sicherung von Zertifikaten

Universally applicable to X.509 certificates

  1. GWDG Nachrichten 1-2|20 - Teil 2: Installation und Verteilung von Zertifikaten
  2. GWDG Nachrichten 3|20 - Teil 3: Outlook-E-Mail-Anwendungen
  3. GWDG Nachrichten 7-8|20 - Teil 4: Apple E-Mail-Anwendungen
  4. GWDG Nachrichten 11|20 - Teil 5: Thunderbird, Notes und Mutt
  5. GWDG Nachrichten 5|21 - Teil 6: Private Zertifikate mit der Volksverschlüsselung

(currently only in German)

Apply for server certificate

Call OpenSSL with the following Parameters

Unix/OS X

Simple Bash script…

createcsr.sh
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem
  • Download createscr.sh script.
  • Change flags with
    chmod 744 createcsr.sh
  • Run script as follows
    ./createcsr.sh

    .

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem

Simple Batch script…

createcsr.bat
openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem

After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.

Apply for server certificate with OpenSSL.cnf

Call OpenSSL with the following Parameters

Unix/OS X

Simple Bash script…

createcsr.sh
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem
  • Download createscr.sh script.
  • Change flags with
    chmod 744 createcsr.sh
  • Run script as follows
    ./createcsr.sh

    .

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem

Simple Batch script…

createcsr.bat
openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem

After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.

Sample files for OpenSSL.cnf

MPG

Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Max-Planck-Gesellschaft
 
# The name of your CA subordinate RA can be found here 
# https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:mpgras
# and thus, replace the value PKI
organizationalUnitName	= Organizational Unit Name (eg, your Max-Planck-Institute)
organizationalUnitName_default	= PKI
 
commonName          = Common Name (eg, server FQDN or YOUR name)
commonName_default      = example.mpg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@mpg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.mpg.de
DNS.2       = example-san-2.mpg.de

Uni Göttingen

Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Georg-August-Universitaet Goettingen
 
# Please remove the comment character for the next two lines. The name of the CA child RA 
# You can see https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:uniras here and thus replace the value PKI.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
#organizationalUnitName_default = PKI
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.uni-goettingen.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@uni-goettingen.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.uni-goettingen.de
DNS.2       = example-san-2.uni-goettingen.de

GWDG

Please replace the word example with the server name and the email address noreplay@{MPG | uni-goettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NIEDERSACHSEN
 
localityName            = Locality Name (eg, city)
localityName_default        = GOETTINGEN
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Gesellschaft fuer wissenschaftliche Datenverarbeitung
 
# Please remove the comment character for the next two lines. The name of the CA child RA 
# You can https://info.gwdg.de/docs/doku.php?id=de:services:it_security:pki:gwdgras here and replace the value PKI.
#organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
#organizationalUnitName_default = PKI
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.gwdg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@gwdg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.gwdg.de
DNS.2       = example-san-2.gwdg.de

Important OpenSSL commands

A collection of important OpenSSL commands for server certificates

Password removal from private key

openssl rsa -in example.key -out example.np.key

Creating a PKCS # 12 file from private and public keys

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem

Detailed description of the possible uses of X.509 certificates

DFN-Vertein Community CA

  1. GWDG Nachrichten 09-10|20 - Teil 1: Serverzertifikate
  2. GWDG Nachrichten 12|20 - Teil 2: Ein Blick hinter die Kulissen eines Teilnehmerservices
  3. GWDG Nachrichten 03|21 - Teil 3: Das Programm GUIRA für den Teilnehmerservice

GÉANT TCS PKI

  1. GWDG Nachrichten 03|22 - Teil 4: Automatisierte Erstellung von Serverzertifikaten mit Bot-Software

(currently only in German)

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies