Differences

This shows you the differences between two versions of the page.

en:services:it_security:pki:start [2019/08/30 08:51]
thinder [The old way]
en:services:it_security:pki:start [2020/03/16 12:01]
thinder [The new way]
Line 4: Line 4:
  
  
-Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to <support@gwdg.deor use the GWDG [[https://www.gwdg.de/support|support form]].+Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?subject=Question(s) about certificate(s)&body=Ladies and gentlemen,%0A%0AI have the following question(s) about certificate(s):%0A%0A|support@gwdg.de]] or use the GWDG [[https://www.gwdg.de/support|support form]].
  
 ===== Application for personal email certificate ===== ===== Application for personal email certificate =====
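Review bot: The mailto target in the added intro line mixes encodings: `subject=Question(s) about certificate(s)` and the body text contain raw spaces while the line breaks are already written as %0A. Percent-encode the spaces as %20 too, so the whole target is a consistently encoded mailto URI. The same line still carries "the use of this certificates" and "the requirement of other types of certificates is designed largely similar"; since the line is being rewritten anyway, change these to "these certificates" and "requesting other types of certificates works in largely the same way".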
Line 14: Line 14:
 Please refer to the browser recommendations for the two ways to apply for a certificate Please refer to the browser recommendations for the two ways to apply for a certificate
  
-<wrap em>__**From 2 September 2019**__</wrap> the [[en:services:it_security:pki:start#the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:services:it_security:pki:start#the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer.+<wrap em>__**Since 2 September 2019**__</wrap> the [[en:services:it_security:pki:start#the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:services:it_security:pki:start#the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer.
 </WRAP> </WRAP>
 ==== Select a  Registration Authority (RA) ==== ==== Select a  Registration Authority (RA) ====
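Review bot: The added line changes "From" to "Since 2 September 2019" but keeps the future tense ("will be the primary way", "will then only be reserved"), so the notice now contradicts itself about whether the switch has happened. Put the rest of the sentence in the present tense, for example "the new application route is the primary way to apply for user certificates" and "the old route is reserved for Microsoft Internet Explorer". The second link label still reads "current route" although it points at #the_old_way; rename it to "old route".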
Line 28: Line 28:
 </WRAP> </WRAP>
  
-===== The old way ===== 
  
-<WRAP center round important 60%> +===== The new way =====
-<wrap em>From September 2nd, the old way will be available to Microsoft Internet Explorer for reasons of compatibility +
-</wrap> +
-</WRAP>+
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-All other browsers do not support the generation of private keys((An unsupported or obsolete function!))!+For Microsoft Internet Explorer, see [[en:services:it_security:pki:start#the_old_way| the old way]].
 </WRAP> </WRAP>
  
 +{{:en:services:it_security:pki:email_1.1_nachtrag_01_en.png?800|}}
  
-Three steps to the application: +{{:en:services:it_security:pki:email_1.1_nachtrag_02_en.png?800|}}
-{{:de:services:it_security:pki:gwdgcade1.png?200|1 step: Fill out form}} {{:de:services:it_security:pki:gwdgcade2.png?200|2 step: confirm details}} {{:de:services:it_security:pki:gwdgcade3.png?200|3 step: Download the application in PDF format}}+
  
-At the end of the application, please download the generated PDF file.+{{:en:services:it_security:pki:email_1.1_nachtrag_03_en.png?800|}}
  
-Please the printed certificate request under slices by hand.+{{:en:services:it_security:pki:email_1.1_nachtrag_04_en.png?800|}}
  
-With the application signed by you please go to the relevant RA operator in your institution.+{{:en:services:it_security:pki:email_1.1_nachtrag_05_en.png?800|}}
  
-Hold your valid identity card for personal identification.+With the application you signed, please go to the responsible RA operator in your institute.
  
-After the carried out personal identification and verification of the certificate request the competent RA operator will issue your certificate request.+For personal identification, please have your valid ID.
  
-You will receive an email to your personal email certificate with your certificate in the annex.+After personal identification and verification of the certificate application, the responsible RA operator will issue your certificate application. 
 + 
 +You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the [[https://www.gwdg.de/documents/20182/27257/GN_Special_01-2014_www.pdf/69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%> +For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following documents: 
-(currently only in German) +  - [[https://www.gwdg.de/documents/20182/27257/GN_12-2019_www.pdf#page=9|GWDG Nachrichten 12|19]] 
-</WRAP> +  - [[https://www.gwdg.de/documents/20182/27257/GN_1-2-2020_www.pdf#page=14|GWDG Nachrichten 1-2|20]] 
- +  - [[https://www.gwdg.de/documents/20182/27257/GN_3-2020_www.pdf#page=6|GWDG Nachrichten 3|20]]
-</WRAP> +
- +
-===== The new way =====+
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-From 2 September 2019, the new way to apply for user certificates for the modern web browsers from Firefox version 69 as well as Chrome, Opera and Safari will be available. </WRAP> +(currently only in German)
- +
-<WRAP center round info 60%> +
-Mobile web browsers on Android and iOS devices are supported.+
 </WRAP> </WRAP>
  
-<WRAP center round info 60%> 
-For Microsoft Internet Explorer, see [[en:services:it_security:pki:start#the_old_way| the old way]]. 
 </WRAP> </WRAP>
  
-<WRAP center round important 60%> 
-<wrap em>Attention! because microsoft edge causes a number of difficulties this web browser is not supported at the start time.  
-</wrap></WRAP> 
  
-<WRAP center round todo 60%> +===== The old way =====
-**Instructions are in the build-up phase** +
-</WRAP> +
- +
-The home page of the browser memory is displayed. Please click on the link "Certificates" +
- +
-{{ :de:services:it_security:pki:dfn-pki-neu_browser_speicher_wird_angezeigt.png?direct&200 |}}+
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-private key is generated locally and stored in your browser storage as website data.  +All other browsers no longer support the generation of private keys((An unsupported or obsolete function!))!
- +
-<WRAP center round important 60%> +
-<wrap em>Important: If you delete the site data (also known as "Chronicle" or "History"before the certificate is issued, the data is irretrievably lost and the process must be repeated. In another browser, the data is also not available. +
-</wrap></WRAP> +
 </WRAP> </WRAP>
  
  
-If a Browser Soeicher has not yet been created for this web browser, a password must be entered to protect the browser's memory. Clicking on the "Next" button displays the existing Broweser memory.+Three steps to the application:
  
-{{ :de:services:it_security:pki:dfn-pki-neu_browser_speicher_wird_erstellt.png?200 |}} +1
-{{ :de:services:it_security:pki:dfn-pki-neu_browser_speicher_schutz_mit_kennwort.png?200 |}}+{{:de:services:it_security:pki:gwdgcade1.png?800|1 step: Fill out form}} 
  
 +2.
 +{{:de:services:it_security:pki:gwdgcade2.png?800|2 step: confirm details}} 
  
-Once the browser memory has been created, the browser memory is displayed after entering the previously assigned password and clicking on the "Next" button.+3. 
 +{{:de:services:it_security:pki:gwdgcade3.png?800|3 step: Download the application in PDF format}}
  
-{{ :de:services:it_security:pki:dfn-pki-neu_browser_speicher_oeffnen.png?200 |}}+At the end of the application, please download the generated PDF file.
  
-In the browser store, issued certificates can be managed or new ones can be applied for.+Please the printed certificate request under slices by hand.
  
-{{ :de:services:it_security:pki:dfn-pki-neu_zertsverw-oder-neuen_antrag_stellen.png?200 |}}+With the application signed by you please go to the relevant RA operator in your institution.
  
-With the link "Apply for a new certificate" a new user certificate is requested and submitted with the click on the "Next" button.+Hold your valid identity card for personal identification.
  
-{{ :de:services:it_security:pki:dfn-pki-neu_csr_eingereichen.png?200 |}}+After the carried out personal identification and verification of the certificate request the competent RA operator will issue your certificate request.
  
-By clicking on "View Certificate Request" open the PDF file in a PDF program, print it out and sign it by hand.+You will receive an email to your personal email certificate with your certificate in the annex.
  
-{{ :de:services:it_security:pki:dfn-pki-neu_csr_eingereicht.png?200 |}}+<WRAP center round info 60%> 
 +For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following documents: 
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_12-2019_www.pdf#page=9|GWDG Nachrichten 12|19]] 
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_1-2-2020_www.pdf#page=14|GWDG Nachrichten 1-2|20]] 
 +  - [[https://www.gwdg.de/documents/20182/27257/GN_3-2020_www.pdf#page=6|GWDG Nachrichten 3|20]]
  
-With the application you signed, please go to the responsible RA operator in your institute. +<WRAP center round important 60%>
- +
-For personal identification, please have your valid ID. +
- +
-After personal identification and verification of the certificate application, the responsible RA operator will issue your certificate application. +
- +
-You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued. +
- +
-<WRAP center round info 60%> +
-For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the [[https://www.gwdg.de/documents/20182/27257/GN_Special_01-2014_www.pdf/69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%>+
 (currently only in German) (currently only in German)
 </WRAP> </WRAP>
  
 </WRAP> </WRAP>
- 
  
 ===== Apply for server certificate ===== ===== Apply for server certificate =====
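Review bot: The rewritten "The new way" section drops the two notices about key handling without a replacement: that the private key is generated locally and stored in the browser storage as website data, and that deleting the site data before the certificate is issued loses it irretrievably and makes it unavailable in another browser. Users following the new route need that warning before they start, so keep it as a WRAP box above the first screenshot. The five added screenshots have empty captions (`|}}`) and no accompanying text, so the steps are unreadable without the images; add one sentence per image as the removed version had. The list of supported browsers and the note that Microsoft Edge is not supported are also removed; state the current support status instead of leaving it out. In the moved "The old way" text, "Please the printed certificate request under slices by hand." is carried over unchanged and should read as an instruction to print the request and sign it by hand.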
Line 152: Line 125:
 <code powershell createcsr.bat>openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</code> <code powershell createcsr.bat>openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</code>
  
-Then you proceed application from step 2 of the section [[#application_for_personal_email_certificate|application for personal email certificate]], choose of a suitably competent RA. +After that, proceed with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on "upload for Servers".
 ===== Apply for server certificate with OpenSSL.cnf ===== ===== Apply for server certificate with OpenSSL.cnf =====
  
Line 171: Line 143:
 <code powershell createcsr.bat>openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</code> <code powershell createcsr.bat>openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</code>
  
-Then you proceed application from step 2 of the section [[#application_for_personal_email_certificate|application for personal email certificate]], choose of a suitably competent RA. +After that, proceed with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on "upload for Servers".
 ===== Sample files for OpenSSL.cnf ===== ===== Sample files for OpenSSL.cnf =====
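Review bot: The added sentence is copied verbatim from the previous section and so does not match this command's output names; here the request is example-csr.pem and the key is example.key. Because the command above uses -nodes, example.key is written without a passphrase, which makes it worth saying in this sentence that only example-csr.pem is uploaded and that example.key must stay on the server with restrictive file permissions. The label "upload for Servers" should be quoted exactly as it appears on the RA web form, with consistent capitalisation in both sections.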