You are located in service: Certificates

Apply for a server certificate

Apply for a server certificate

Kurzinformation

This short guide is only intended to give you an overview of the certification process and is divided into the following sections:

  • Installation OpenSSL
  • Generate a certificate request using an existing RSA key and certificate
  • Generation of a new RSA key pair (e.g. Modulo 3072 bit length)
  • Generation of a new certificate application (CSR)
  • Upload of the certificate application - Generation of participant declaration
  • Obtaining the certificate
  • Integration of the certificate into the server
    • Apache
    • lighttpd
    • Microsoft IIS
 

SSL server certificates can only be issued for servers of official institutions of the RWTH Aachen University.

The RWTH must be assigned 

  • IP address and/or
  • FQDN
The SSL key components do not have to be created directly on the server, but can be generated on a separate computer and then transferred (no need to install OpenSSL on the server) 

 Detailinformation

Installing OpenSSL

The command line tool OpenSSL should be pre-installed on all Unix and Linux based operating systems.

On Windows, OpenSSL must be installed and configured separately to perform the necessary key operations.

OpenSSL is available for download at the following URLs:

Please refer to the separate installation instructions on the OpenSSL page. In particular, it may be necessary to install a version of the VC++ redistributables that is compatible with OpenSSL. This is explained on the OpenSSL (binaries für Windows) website.

Furthermore, the environment variable "HOME" should be set or adapted, e.g:

HOME=c:\openssl\bin

The variable "RANDFILE" must also be set:

RANDFILE=%HOME%\.rnd

If an adapted version of the "openssl.cfg" are used, this can also be defined via an environment variable, e.g:

OPENSSL_CONF = %HOME%\openssl.cfg

If access violations occur when running OpenSSL (e.g. "private.pem: Permission denied ..."), please note that the command line interpreter used, e.g. Command Prompt and Powershell, or users must have appropriate access rights to the specified files.

 

Generate a certificate request using an existing RSA key and certificate

openssl x509 -x509toreq -in cert.crt -signkey private.pem -out new_request.pem openssl req -noout -text -in request.pem

Generation of a new RSA key pair (e.g. Modulo 3072 bit length)

openssl genrsa -out private.pem 3072

Further information on recommended key lengths can be found in the BSI Technical Guidelines or on the "CCryptographic Key Length Recommedation" website

 

Generation of a new certificate application (CSR)

openssl req -new -key private.pem -out request.pem

 #!/usr/bin/env bash

set -e

set -u

# set -x

readonly KEY_SIZE="4096"

readonly SERVER_PORT="443"

VHOST=""

CERT_SUBJECT=""

SUBJECT_ALTERNATIVE_NAME=""

usage() {

    cat << EOF

    ${0} SERVER_FQDN|SERVER_IP [VHOST_NAME]

    Create a new private key but use an existing

        certificate as template for a new certificate

    signing request.

    The intention is to renew a certificate gently.

EOF

}

##################################

# check number of given arguments

if [[ $# -lt 1 ]]; then

    usage

    exit

elif [[ $# -eq 1 ]]; then

    VHOST="${1}"

else

    VHOST="${2}"

fi

##################################

# let's start

echo -e "\n\tCreate a new private key but use an existing\n\tcertificate as template for a new certificate\n\tsigning request.\n\n"

##################################

# create private key

echo -e "\n\t\t- create private key if needed"

if [[ ! -f ${1}.key ]]; then

    openssl genrsa -out ${1}.key ${KEY_SIZE} &> /dev/null

else

    echo

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!"

    echo -e "\t\t  !! reuse existing key !!"

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!"

fi

##################################

# get needed information from

# existing certificate

if ping -c3 ${1} &>/dev/null; then

    echo -e "\n\t\t- get x509 subject informartion"

    CERT_SUBJECT="$(echo QUIT | openssl s_client -servername ${VHOST} -connect ${1}:${SERVER_PORT} 2>/dev/null | \

            fgrep subject | sed -e 's/^subject=//')"

    echo -e "\n\t\t- get x509 alternatvie names"

    SUBJECT_ALTERNATIVE_NAME="$(echo QUIT | openssl s_client -servername ${VHOST} -connect ${1}:${SERVER_PORT} 2>/dev/null | \

                openssl x509 -noout -text| fgrep "DNS:" | sed -e 's/\s\s*//g')"

else

    echo ""

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

    echo -e "\t\t  !! No contact to server via ICMP !!"

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"

    exit

fi

##################################

# generate CSR

echo -e "\n\t\t- create certificat signing request"

if [[ ! -f ${1}.key ]]; then

    echo ""

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

    echo -e "\t\t  !! The private key was not generated !!"

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"

    exit

fi

if [[  -f ${1}.csr ]]; then

    echo ""

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

    echo -e "\t\t  !! found a csr for this server !!"

    echo -e "\t\t  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"

    exit

fi

openssl req -new -key ${1}.key -out ${1}.csr -batch -subj "${CERT_SUBJECT}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=${SUBJECT_ALTERNATIVE_NAME}"))

##################################

# show generated CSR

echo -e "\n"

openssl req -in ${1}.csr -noout -text

########

# EOF

Please note the following attributes (detailed information in the certification guideline of the DFN-PKI):

 
AttributeAbbreviationExamplesRemarks
Country NameCDEplease use capital letters
State or Province NameSTNordrhein-WestfalenNote the exact spelling!
Locality NameLAachenNote the exact spelling!
Organization NameORWTH AachenNote the exact spelling!
Organizational Unit NameOU

IT Center

Chair D for Mathematics

General Student Committee (AStA)

student dorm KaWo1

Official name of the institution. No umlauts. None e.V.s (legal persons).

Abbreviations in brackets permitted, e.g. Aachener Verfahrenstechnik (AVT.BioVT).

Several OUs are allowed, these must be listed directly one after the other and the order of the named organizational subunits should descend from larger to smaller subunits.

Common NameCNwww.rz.rwth-aachen.de

pop3.test.rwth-aachen.de

Name of the server as it is entered in the DNS. Other names should be entered as subjectAlternativeName (SaN).
 

Since December 2, 2014, e-mail is NOT allowed as part of the DN of a server certificate (request of the CA/Browser Forum).

Please enter the e-mail address in the web interface where you would like to receive notifications from the DFN-PKI or the RWTH Aachen CA (e.g. the certificate, expiry reminders). It is recommended to use a functional e-mail address.

If you have entered an e-mail address in the CSR, it will be automatically deleted from the DN.

Prefer the specification of only one CN. If several FQDNs must be covered by the same certificate, these should be entered as subjectAltNames. You can achieve this with the following OpenSSL command under Unix/Linux:

openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=IT Center/CN=name.rwth-aachen.de" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:name1.rwth-aachen.de,DNS:name2.rwth-aachen.de"))

Windows users have to do some preliminary work:
 

  • generate csr.conf file, enter the following

    prompt = no

    distinguished_name = req_distinguished_name

    req_extensions = req_ext

     

    [req_distinguished_name]

    C=DE

    ST=Nordrhein-Westfalen

    L=Aachen

    O=RWTH Aachen

    OU=IT Center

    CN=name1.domain.rwth-aachen.de

     

    [req_ext]

    subjectAltName = @alt_names

     

    [alt_names]

    DNS.1 = name1.domain.rwth-aachen.de

    DNS.2 = name2.domain.rwth-aachen.de

  • now give the OpenSSL command
     

    openssl req -new -key private.pem -config csr.conf -out request.pem

 

Upload of the certificate application - Generation of participant declaration

To apply for your SSL Certificate, you must submit your Certificate Application (CSR) via the DFN Certification Web site. To do this, open the DFN web service, section Server Certification (information on selecting the correct certificate profile can be found on the DFN overview page).

Fill out the form completely and follow the instructions of the web service.

Upload the certificate request (CSR) you generated

Upload Serverzertifikat 1

Enter your full name as it appears on your identity card. No functional name is allowed here. The person signing the application must be a natural person and not an institute or department.

Upload Serverzertifikat 2

Enter an e-mail address. Both the issued certificate and any notifications from DFN will be sent to this e-mail address.


Upload Serverzertifikat 3

Enter your institute/institution (organizational unit). The name must not be abbreviated, but must be entered in full. You can find the full name of the institute/organization on campus.

However, this entry is optional: If you do not belong to an institute/organisation and, for example, want to apply for a certificate as a student of the RWTH Aachen University, please leave this field blank (do not enter RWTH Aachen University as institute/organisation).

Upload Serverzertifikat 4

Finally, enter a password. Make sure that it is secure.

Publication of the certificate is optional, we recommend that you agree to this.

The web service generates a participant declaration in PDF format from your details. This must be printed out.

  • The signed declaration can either be handed in personally at the IT-ServiceDesk (location SuperC, Seffenter Weg 23 or Wendlingweg 10) or transmitted in the ways described here. As an identity check is carried out, a valid photo document (e.g. identity card) must be presented.
  • In the case of server certificates, the application can also be submitted by an authorised person via another route. The applicant sends the signed declaration of participation for server certificates in a signed and encrypted e-mail to ra@rwth-aachen.de.
 

If you have made a mistake when generating the certificate application, the RWTH registration office can correct it without having to upload the application again in the web interface. Please send a signed e-mail to rra@rwth-aachen.de. If you have entered something inadmissible in the request, you will be contacted by the RWTH RA.

 

Receiving the certificate

After we have received your participant declaration, the certification will be arranged. Once this process is complete, you will receive your server certificate as a PEM formatted file via signed e-mail from "dfnpki-mailsender-noreply@dfn-cert.de".

 

Integration of the certificate into the server

Basically, with the two files formatted as PEM (private key part and certificate) as well as the three root certificates (currently "T-TeleSec GlobalRoot Class 2", ""DFN-Verein Certification Authority 2" and "DFN-Verein Global Issuing CA"), which can be downloaded from the Certificate Chain page of the DFN-PKI, you have all the data required to set up an SSL-secured server. Depending on the server software used, however, these files must be converted into other formats.

If the certificate is required in ASCII format, i.e. as a PEM file, the conversion from the original binary format DER is done as follows:

 openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

 

Apache

Apache uses PEM formatted key parts, so you can easily integrate your key parts. In the "httpd.conf" the following points are especially important:

    • SSLCertificateFile:
      Your server certificate, as you received it by e-mail
    • SSLCertificateKeyFile:
      Your private key part, as you created it in step "Generating the RSA key pair
    • SSLCertificateChainFile:
      The complete certification chain as PEM formatted file
    • If a user authentication via certificate is to take place:
      SSLCACertificateFile:
      A CA certificate must be specified here as a PEM formatted file
      Should users from other institutions as well as the RWTH CA be authenticated, then
      SSLCACertificatePath must be used.

lighttpd

Like Apache, lighttpd uses key components in PEM format, so no format conversions are necessary. In the configuration, the following points are particularly important:

    • ssl.engine = "enable"
    • ssl.pemfile:
    • Combination of the private key part ("private.pem" from step "Generation of the RSA key pair") and the server certificate received by e-mail. (e.g. via "cat private.pem cert-<serial number>.pem > server.pem")
    • ssl.ca-file:
      The complete certification chain as PEM formatted file

Microsoft IIS

In order to use your certificate, the three root certificates must first be integrated in binary format (please open the following links with InternetExplorer for import ,DFN-Verein Global Issuing CADFN-Verein Certification Authority 2T-TeleSec GlobalRoot Class 2. Afterwards a "pkcs12" file must be created from your private key part and your server certificate. This can be done with OpenSSL:

openssl pkcs12 -export -in cert-<Seriennummer>.pem –inkey private.pem -out Ihre_neue_PKCS12_Datei.p12 -name "My Certificate"

Use the server certificate issued by us as "cert-<serial number>.pem". The file "private.pem" must correspond to your private key part from the step "Generation of the RSA key pair". The newly created file "Your_new_PKCS12_file.p12" can then be imported into your server software.

last changed on 23.04.2021

How did this content help you?