With OpenSSL/LibreSSL
1. generate RSA keys
| PRIVATE_KEY_FILE | Name of the file for the RSA key pair, incl. private key | e.g. "private.key |
| KEY_LENGTH | Length of the RSA key | at least 2048 bit |
| openssl genrsa -out $PRIVATE_KEY_FILE $KEY_LENGTH chmod 400 $PRIVATE_KEY_FILE |
2. generate Certificate Signing Request (CSR)
| CERTIFICATE_SIGNING_REQUEST | CSR file name. | e.g."request.pem" |
| ORGANISATION | Name of the organizational unit within the RWTH | e.g. "IT Center" |
| FORENAME | First name(s) | e.g. "Max Udo" |
| SURNAME | Last name(s) | e.g. "Mustermann" |
| EMAIL_ADDRESS_1 | primary email address | e.g.. "mustermann@itc.rwth-aachen.de" |
| EMAIL_ADDRESS_2 | further e-mail address within the above organizational unit | e.g."mustermann@rz.rwth-aachen.de" |
Create a CSR for a single e-mail address:
openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/GN=$FORENAME/SN=$SURNAME/emailAddress=$EMAIL_ADDRESS_1" |
Create a CSR with multiple email addresses:
| openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/GN=$FORENAME/SN=$SURNAME" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=email:$EMAIL_ADDRESS_1,email:$EMAIL_ADDRESS_2")) |
3. check Certificate Signing Request
| openssl req -text -noout -in $CERTIFICATE_SIGNING_REQUEST |
4. submit certificate application (here without pictures or detailed instructions)
- Open the DFN-PKI web portal in the browser of your choice (not IE).
- Select the "Upload CSR (PKCS#10) file" box.
- Select certificate profile "User".
- Select "Browse" to upload your "CSR (PKCS#10) file", this is the $CERTIFICATE_SIGNING_REQUEST file generated above.
- "Your data" is the the data about the applicant.
- The "Revocation PIN" is needed for possible revocation of the issued certificate.
- "Publication of the certificate" is optional, used for storing your issued user certificate in the DFN-PKI LDAP server.
- Saving the .json file is not necessary, as your RSA keys were not generated by the browser.
- Save/print the .pdf file, read, date and sign it.
- Submit your certificate application (.pdf) for personal ID check to the RWTH registration authority.
5. receiving your user certificate
You will receive a digitally signed e-mail (sender: dfnpki-mailsender-noreply@dfn-cert.de) with a link to pick up your certificate.
This email also contains your user certificate as a .pem file. Save this file locally.
| CERTIFICATE_FILE | Name of the file with the issued certificate | e.g. cert-1234567890.pem |
Public RSA Key in certificate should match your stored public key:
| (openssl rsa -noout -modulus -in $PRIVATE_KEY_FILE | openssl md5; openssl x509 -noout -modulus -in $CERTIFICATE_FILE | openssl md5) | uniq |
Check the Attributes of your user certificate:
| openssl x509 -in $CERTIFICATE_FILE -text -noout |
6. create your .p12-file
You will need to create a .p12-file, containing your user certificate ($CERTIFICATE_FILE) and your RSA keys ($PRIVATE_KEY_FILE), to be able to import those in various applications that generate cryptographic signatures. The .p12-file should be kept secure and remain in your possession for a long time.
| EXPORT_FILE | Name of the .p12 file | e.g. mustermann_itc_20221007.p12 |
| chain.txt | File with the certificate chain of the DFN-PKI. Download here. |
| wget https://pki.pca.dfn.de/dfn-ca-global-g2/pub/cacert/chain.txt openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE -certfile chain.txt |
7. Use your .p12-file
Depending on the desired usage (digitally signing e-mails or PDF documents) your EXPORT_FILE should be imported into the certificate store of the respective application, e.g..
- Thunderbird
- Outlook
- Adobe Acrobat
- JSignPDF
