Apply for a server certificate
This short guide is only intended to give you an overview of the certification process and is divided into the following sections:
- Installation of OpenSSL
- Generate a certificate request using an existing RSA key and certificate
- Generation of a new RSA key pair (e.g. 3072-bit modulus)
- Generation of a new certificate application (CSR)
- Upload of the certificate application - Generation of participant declaration
- Obtaining the certificate
- Integration of the certificate into the server
  - Apache
  - lighttpd
  - Microsoft IIS
SSL server certificates can only be issued for servers of official institutions of the RWTH Aachen University.
The RWTH must be assigned
Note: The SSL key components do not have to be created directly on the server; they can be generated on a separate computer and transferred afterwards (so OpenSSL does not need to be installed on the server). If you do this, move the private key over a secure channel (e.g. scp) and delete the copy on the generating machine once the server is set up.
The command line tool OpenSSL should be pre-installed on all Unix and Linux based operating systems.
On Windows, OpenSSL must be installed and configured separately to perform the necessary key operations.
OpenSSL is available for download at the following URLs:
Please refer to the separate installation instructions on the OpenSSL page. In particular, it may be necessary to install a version of the VC++ redistributables that is compatible with OpenSSL. This is explained on the OpenSSL (binaries for Windows) website.
Furthermore, the environment variable "HOME" should be set or adapted, e.g.:
The variable "RANDFILE" must also be set (this is only needed by OpenSSL versions before 1.1.1; newer versions ignore it):
If an adapted version of "openssl.cfg" is used, its location can also be defined via an environment variable, e.g.:
OPENSSL_CONF = %HOME%\openssl.cfg
If access violations occur when running OpenSSL (e.g. "private.pem: Permission denied ..."), make sure that the user account under which the command-line interpreter (Command Prompt or PowerShell) runs has the necessary access rights to the files specified.
Generate a certificate request using an existing RSA key and certificate
openssl x509 -x509toreq -in cert.crt -signkey private.pem -out new_request.pem
The contents of the request can be checked with:
openssl req -noout -text -in new_request.pem
This copies the subject DN of the old certificate into the request; the subjectAltName entries of the old certificate are not necessarily carried over, so check the output and add them again if they are missing. Reusing a key is convenient for a renewal, but generating a fresh key pair (next section) is the better practice, since it limits the damage if the old key was ever exposed.
Generation of a new RSA key pair (e.g. 3072-bit modulus)
openssl genrsa -out private.pem 3072
The key is written unencrypted, so restrict access to the file immediately (e.g. "chmod 600 private.pem" on Unix) and never send it by e-mail or upload it anywhere; only the request generated in the next step leaves your machine.
Generation of a new certificate application (CSR)
openssl req -new -key private.pem -out request.pem
This command prompts for the attributes of the distinguished name (DN) described below.
Please note the following attributes (detailed information in the certification guideline of the DFN-PKI):

| Attribute | Short name | Value | Note |
|---|---|---|---|
| Country Name | C | DE | Use capital letters. |
| State or Province Name | ST | Nordrhein-Westfalen | Note the exact spelling! |
| Locality Name | L | Aachen | Note the exact spelling! |
| Organization Name | O | RWTH Aachen | Note the exact spelling! |
| Organizational Unit Name | OU | e.g. Chair D for Mathematics, General Student Committee (AStA), student dorm KaWo1 | Official name of the institution. No umlauts. No "e.V." (legal persons). Abbreviations in brackets are permitted, e.g. Aachener Verfahrenstechnik (AVT.BioVT). Several OUs are allowed; they must be listed directly one after the other, ordered from the larger to the smaller organizational subunit. |
| Common Name | CN | the server's DNS name | Name of the server as it is entered in the DNS. Further names must be entered as subjectAltName (SAN). |
Since December 2, 2014, an e-mail address is NOT allowed as part of the DN of a server certificate (requirement of the CA/Browser Forum).
Please enter the e-mail address in the web interface where you would like to receive notifications from the DFN-PKI or the RWTH Aachen CA (e.g. the certificate, expiry reminders). It is recommended to use a functional e-mail address.
If you have entered an e-mail address in the CSR, it will be automatically deleted from the DN.
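The key and CSR steps above, as an added example that is not part of the original guide: a POSIX shell script that writes an OpenSSL request configuration carrying the DN from the table plus subjectAltName entries (so nothing has to be typed at the prompts), generates the 3072-bit key and the request, and then checks the request before it is uploaded. The host names (www.example.org, example.org), the OU and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the RWTH/DFN guide): non-interactive key + CSR
# generation with SAN entries, followed by the checks worth doing before
# uploading the request. Host names and OU are assumed placeholders.
set -u

# Write an OpenSSL request config: $1 = config path, $2 = primary DNS name
# (becomes the CN), remaining arguments = further DNS names. Every name, CN
# included, goes into subjectAltName: clients ignore the CN once a SAN exists.
write_req_config() {
    cfg=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
        printf '[dn]\nC = DE\nST = Nordrhein-Westfalen\nL = Aachen\nO = RWTH Aachen\n'
        printf 'OU = Chair D for Mathematics\n'   # assumed; several OUs: 0.OU =, 1.OU =, ...
        printf 'CN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        printf 'DNS.%d = %s\n' "$i" "$cn"
        for name in "$@"; do
            i=$((i + 1))
            printf 'DNS.%d = %s\n' "$i" "$name"
        done
    } > "$cfg"
}

# genrsa writes the key unencrypted, so restrict access right away.
gen_key() {
    openssl genrsa -out "$1" 3072 2>/dev/null && chmod 600 "$1"
}

# Build the CSR from the key ($1) and config ($3) into $2.
gen_csr() {
    openssl req -new -key "$1" -config "$3" -out "$2"
}

# Check the CSR's self-signature (catches a corrupted or hand-edited file).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the subject in RFC 2253 form: "subject=CN=...,OU=...,O=RWTH Aachen,...,C=DE".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Print the SAN list without spaces, e.g. "DNS:www.example.org,DNS:example.org".
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Succeed if an e-mail address slipped into the DN (the CA would strip it anyway).
csr_has_email() {
    csr_subject "$1" | grep -qi 'emailaddress='
}

# Succeed if the CSR carries the public key that belongs to the private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
    work=$(mktemp -d)
    write_req_config "$work/req.cnf" www.example.org example.org
    gen_key "$work/private.pem"
    gen_csr "$work/private.pem" "$work/request.pem" "$work/req.cnf"
    csr_verify "$work/request.pem" || { echo "CSR signature check failed" >&2; exit 1; }
    csr_matches_key "$work/request.pem" "$work/private.pem" || { echo "key mismatch" >&2; exit 1; }
    csr_has_email "$work/request.pem" && echo "warning: e-mail address in DN" >&2
    echo "$(csr_subject "$work/request.pem")"
    echo "SAN: $(csr_sans "$work/request.pem")"
    echo "files in $work (keep private.pem, upload request.pem)"
}
main
```

Run it with sh; it prints the subject and SAN list of the request it just built. The last three checks are the ones to repeat on a request produced any other way (for example from an existing certificate): a CSR whose public key does not belong to private.pem, or whose DN still carries an e-mail address, will cost you a round trip with the registration office.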
Windows users have to do the preliminary work described in the installation section above first.
Upload of the certificate application - Generation of participant declaration
To apply for your SSL Certificate, you must submit your Certificate Application (CSR) via the DFN Certification Web site. To do this, open the DFN web service, section Server Certification (information on selecting the correct certificate profile can be found on the DFN overview page).
Fill out the form completely and follow the instructions of the web service.
- Upload the certificate request (CSR) you generated.
- Enter your full name as it appears on your identity card. No functional name is allowed here. The person signing the application must be a natural person, not an institute or department.
- Enter an e-mail address. Both the issued certificate and any notifications from DFN will be sent to this address.
- Enter your institute/institution (organizational unit). The name must not be abbreviated, but must be entered in full. You can find the full name of the institute/organization on campus. This entry is optional: if you do not belong to an institute/organization and, for example, want to apply for a certificate as a student of RWTH Aachen University, leave this field blank (do not enter RWTH Aachen University as the institute/organization).
- Finally, enter a password. Make sure that it is secure.
- Publication of the certificate is optional; we recommend that you agree to it.
The web service generates a participant declaration in PDF format from your details. This must be printed out.
- The signed declaration can either be handed in personally at the IT-ServiceDesk (location SuperC, Seffenter Weg 23 or Wendlingweg 10) or transmitted in the ways described here. As an identity check is carried out, a valid photo document (e.g. identity card) must be presented.
- In the case of server certificates, the application can also be submitted by an authorised person via another route. The applicant sends the signed declaration of participation for server certificates in a signed and encrypted e-mail to firstname.lastname@example.org.
If you have made a mistake when generating the certificate application, the RWTH registration office can correct it without having to upload the application again in the web interface. Please send a signed e-mail to email@example.com. If you have entered something inadmissible in the request, you will be contacted by the RWTH RA.
Receiving the certificate
After we have received your participant declaration, the certification will be arranged. Once this process is complete, you will receive your server certificate as a PEM formatted file via signed e-mail from "firstname.lastname@example.org".
Integration of the certificate into the server
Basically, with the two PEM formatted files (private key part and certificate) and the three CA certificates of the chain (currently the root "T-TeleSec GlobalRoot Class 2" and the intermediates "DFN-Verein Certification Authority 2" and "DFN-Verein Global Issuing CA"), which can be downloaded from the Certificate Chain page of the DFN-PKI, you have all the data required to set up an SSL-secured server. Depending on the server software used, however, these files may have to be converted into other formats.
If you only have the certificate in the binary DER format and need it in ASCII format, i.e. as a PEM file, convert it as follows:
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
Apache uses PEM formatted key parts, so you can integrate your files directly. In the "httpd.conf" (or the SSL virtual host configuration) the following directives are especially important:
- SSLCertificateFile: your server certificate, as you received it by e-mail
- SSLCertificateKeyFile: your private key part, as you created it in the step "Generation of the RSA key pair" (keep the file readable only by root; Apache reads it before dropping privileges)
- SSLCertificateChainFile: the complete certification chain as a PEM formatted file (Apache 2.4.8 and later deprecate this directive; append the chain certificates to the file named in SSLCertificateFile instead)
- If user authentication via certificate is to take place (together with SSLVerifyClient):
  - SSLCACertificateFile: the CA certificate against which client certificates are checked, as a PEM formatted file
  - SSLCACertificatePath: if users from other institutions as well as the RWTH CA are to be authenticated, a directory containing the CA certificates must be used instead
Like Apache, lighttpd uses key components in PEM format, so no format conversions are necessary. In the configuration, the following settings are particularly important:
- ssl.engine = "enable"
- ssl.pemfile: the combination of the private key part ("private.pem" from the step "Generation of the RSA key pair") and the server certificate received by e-mail, e.g. created via "cat private.pem cert-<serial number>.pem > server.pem" (this file contains the private key, so protect it like private.pem itself)
- ssl.ca-file: the complete certification chain as a PEM formatted file
In order to use your certificate, the three CA certificates must first be imported in binary format (open the following links with Internet Explorer for the import: DFN-Verein Global Issuing CA, DFN-Verein Certification Authority 2, T-TeleSec GlobalRoot Class 2). Afterwards a PKCS#12 file must be created from your private key part and your server certificate. This can be done with OpenSSL:
openssl pkcs12 -export -in cert-<serial number>.pem -inkey private.pem -out Your_new_PKCS12_file.p12 -name "My Certificate"
Use the server certificate issued by us as "cert-<serial number>.pem". The file "private.pem" must correspond to your private key part from the step "Generation of the RSA key pair". The newly created file "Your_new_PKCS12_file.p12" can then be imported into your server software. Two practical notes: the chain can be bundled into the file with "-certfile <chain file>" instead of importing the CA certificates separately, and PKCS#12 files written by OpenSSL 3 (AES-256 with PBKDF2 by default) are rejected by older Windows versions; if the import fails, re-create the file with the "-legacy" option of OpenSSL 3.
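The integration steps above (Apache, lighttpd, IIS), as an added example that is not part of the original guide: a POSIX shell script that checks the issued certificate against the private key and the CA chain, builds the combined PEM file lighttpd expects, and produces the PKCS#12 file for IIS with the chain bundled in and the export password passed through the environment rather than the command line. Because the script has to run stand-alone, it constructs a throwaway CA and host certificate ("make_demo_material") that stand in for the DFN chain and for the certificate you receive by e-mail; the host name www.example.org, the file names and the password are assumptions.

```shell
#!/bin/sh
# Added example (not from the RWTH/DFN guide): sanity checks on an issued
# certificate plus the lighttpd and IIS packaging steps. The CA and host
# certificate are constructed locally for the demo, not DFN material.
set -u

# Succeed if the certificate's public key belongs to the private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed if the certificate ($1) chains up to the CAs in the chain file ($2).
# The DFN chain file holds root and intermediates together, so -CAfile suffices.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if the certificate will still be valid in $2 seconds (renewal check).
cert_not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# lighttpd's ssl.pemfile wants key ($1) and certificate ($2) in one file ($3).
build_lighttpd_pem() {
    cat "$1" "$2" > "$3" && chmod 600 "$3"
}

# PKCS#12 for IIS from cert ($1), key ($2) and chain ($3) into $4, password $5.
# -certfile bundles the chain, so the Windows store need not be pre-populated;
# env: keeps the password out of the process list that "pass:" would expose it in.
build_pkcs12() {
    P12PASS=$5 openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "My Certificate" -passout env:P12PASS -out "$4" && chmod 600 "$4"
}

# Number of certificates inside a PKCS#12 file ($1, password $2): host cert + chain.
pkcs12_cert_count() {
    P12PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo material in directory $1: a one-day CA ("chain.pem"/"ca.key")
# standing in for the DFN chain, and a host certificate it issues ("cert.pem",
# key "private.pem"). Not real DFN certificates.
make_demo_material() {
    d=$1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nC = DE\nO = Example Demo CA\nCN = Example Demo Root\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/demo.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/chain.pem" \
        -config "$d/demo.cnf" -extensions v3_ca -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/private.pem" -out "$d/request.pem" \
        -config "$d/demo.cnf" -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=www.example.org" 2>/dev/null
    openssl x509 -req -in "$d/request.pem" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_demo_material "$work"
    cert_matches_key "$work/cert.pem" "$work/private.pem" || { echo "certificate does not belong to private.pem" >&2; exit 1; }
    verify_chain "$work/cert.pem" "$work/chain.pem" || { echo "chain verification failed" >&2; exit 1; }
    cert_not_expiring_within "$work/cert.pem" 3600 || { echo "certificate about to expire" >&2; exit 1; }
    build_lighttpd_pem "$work/private.pem" "$work/cert.pem" "$work/server.pem"
    build_pkcs12 "$work/cert.pem" "$work/private.pem" "$work/chain.pem" "$work/server.p12" 'demo-export-password'
    echo "server.pem (lighttpd) and server.p12 (IIS, $(pkcs12_cert_count "$work/server.p12" 'demo-export-password') certificates) written to $work"
}
main
```

For a real deployment, replace the demo material with the certificate from the DFN e-mail, your private.pem and the chain file from the DFN-PKI page, and call the check functions before touching the server configuration: "cert_matches_key" catches the classic mistake of pairing a renewed certificate with an old key, and "verify_chain" catches an outdated chain file.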