
With OpenSSL/LibreSSL

Detailed information

  1. generate RSA key

    PRIVATE_KEY_FILE: file name for the private RSA key, e.g. private.key
    KEY_LENGTH: length of the RSA key, minimum 2048 bit

    openssl genrsa -out $PRIVATE_KEY_FILE $KEY_LENGTH
    chmod 400 $PRIVATE_KEY_FILE

  2. create certificate signing request

    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_SIGNING_REQUEST: file name for the certificate signing request, e.g. user.csr
    ORGANISATION: organization name, e.g. IT Center
    FORENAME: first name(s), e.g. John
    SURNAME: surname, e.g. Doe
    EMAIL_ADDRESS_1: primary e-mail address
    EMAIL_ADDRESS_2 ...: additional e-mail address(es)

    1. one e-mail address

      openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/emailAddress=$EMAIL_ADDRESS_1"

    2. multiple e-mail addresses

      openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=email:$EMAIL_ADDRESS_1,email:$EMAIL_ADDRESS_2"))

  3. check the certificate signing request

    CERTIFICATE_SIGNING_REQUEST: file name containing the certificate signing request, e.g. user.csr

    openssl req -text -noout -in $CERTIFICATE_SIGNING_REQUEST

  4. submit certificate signing request
    • go to the DFN website for server certificates in the browser of your choice
    • enter the following there:

      PKCS#10-Zertifikatantrag (PKCS#10 certificate request): $CERTIFICATE_SIGNING_REQUEST
      Zertifikatprofil (certificate profile): User
      Name (Vor- und Nachname) (name, forename and surname): $FORENAME $SURNAME
      E-Mail: $EMAIL_ADDRESS_1
      Institut/Einrichtung (institute/facility): $ORGANISATION
      PIN: random number, needed for example to revoke the certificate
      Verpflichtung (commitment): check
      Veröffentlichung (publication): check if wanted; the user certificate can then be found using the DFN address book
      Openssl

    • confirm this information if correct on the following page
  5. the PDF file "Zertifikatsantrag auf Nutzerzertifikat" (application for a user certificate)

    1. will be made available for download after confirmation of the information
    2. must be printed out and signed by hand
    3. can be submitted personally to a named location upon presentation of a photo ID
  6. as soon as the RWTH-CA has checked the printed PDF document, it issues the order to create the certificate as part of the DFN-PKI
  7. the user will receive an e-mail addressed to EMAIL_ADDRESS_1 with the certificate attached
  8. check whether the certificate matches your own/private key

    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_FILE: file name containing the certificate

    (openssl rsa -noout -modulus -in $PRIVATE_KEY_FILE | openssl md5; openssl x509 -noout -modulus -in $CERTIFICATE_FILE | openssl md5) | uniq

  9. create export/.p12 file

    EXPORT_FILE: file name for the export/.p12 file, e.g. $SURNAME.p12
    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_FILE: file name containing the certificate
    chain.txt: file name containing the DFN-PKI certificate chain

    • without certificate chain

      openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE

    • with certificate chain

      wget https://pki.pca.dfn.de/dfn-ca-global-g2/pub/cacert/chain.txt
      openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE -certfile chain.txt

  10. depending on the application request (signing an e-mail or PDF document), this EXPORT_FILE can be imported into the certificate store of the respective program, e.g.
    • Thunderbird
    • Outlook
    • Adobe Acrobat
    • JSignPDF
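Steps 1 to 3 and step 8 as one added shell example (not from the original page): it writes a self-contained OpenSSL config so the SAN variant needs neither bash process substitution nor /etc/ssl/openssl.cnf, verifies the CSR's self-signature, and checks key/certificate ownership by comparing the full public keys instead of an MD5 of the modulus. The key length 3072 and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example: key + CSR with SAN e-mail addresses from an inline config,
# then a robust "does this certificate belong to my private key" check.
set -eu

# make_key_and_csr KEY CSR "Forename Surname" ORGUNIT EMAIL [EMAIL...]
# Key length 3072 is an assumption (the page's minimum is 2048 bit).
make_key_and_csr() {
    key=$1; csr=$2; cn=$3; ou=$4; shift 4
    san=""
    for e in "$@"; do san="${san:+$san,}email:$e"; done
    cfg=$(mktemp)
    # Subject fields mirror the page's RWTH Aachen example.
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
C = DE
ST = Nordrhein-Westfalen
L = Aachen
O = RWTH Aachen
OU = $ou
CN = $cn
emailAddress = $1
[san]
subjectAltName = $san
EOF
    (umask 077; openssl genrsa -out "$key" 3072 2>/dev/null)   # key is mode 0600
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
    # the CSR is self-signed with the new key; -verify checks that signature
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1
}

# csr_emails CSR: print the e-mail addresses in the CSR's subjectAltName, one per line
csr_emails() {
    openssl req -noout -text -in "$1" | grep -o 'email:[^, ]*' | sed 's/^email://'
}

# key_matches_cert KEY CERT: compare the SubjectPublicKeyInfo of both sides;
# works for any key type and does not rely on MD5 like the page's modulus check.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```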

last changed on 29.01.2021
