Server certificate application

Server certificates for institutes and facilities (organizational units) can be applied for via the web interface. For this you need

  • a functioning OpenSSL installation to generate the key,

  • a digital PKCS#10 certificate application in PEM format,

  • the printed and signed online application.

OpenSSL

OpenSSL is delivered with most Linux distributions as a complete package. If you rely on a Windows operating system, a Windows installation package is available as well. OpenSSL is a toolbox of different programs, e.g. for creating and editing electronic certificate applications and certificates. All OpenSSL programs are command-line oriented, which means there is no graphical interface; under Windows you need a command window (CMD.EXE) as well.

PKCS#10 certificate application

The Certificate Signing Request (CSR) contains the following information:

  • A string, also called Distinguished Name (DN), which identifies the server unambiguously and matches an organizational unit of the UniKassel. Example: C="DE", O="Universitaet Kassel", OU="IT Service Center", CN="www.uni-kassel.de"

    • The UniKassel-CA can only issue certificates with C="DE", O="Universitaet Kassel".

    • OU (organizational unit) is the organizational unit that operates the server. Your choice of the string for OU is limited: it should contain the official name of the organization or institute.

    • Umlauts and commas should not be used. For further questions and requirements, please get in touch with the UniKassel-CA (see the term list).

    • CN is the Common Name, i.e. the complete DNS name of the server (Fully Qualified Domain Name, FQDN).

    • Every web browser checks whether the Common Name in the presented certificate matches the URL that was called up. Otherwise a certificate warning pops up.

  • the public key, which you created yourself as one half of the generated key pair.

The content-related structure of this electronic certificate application is standardized as PKCS#10. There are two alternatives for the data format: a binary format (DER) or a printable format (PEM). In the printable PEM format the data can be viewed in an editor and sent by mail.

To create a certificate application, choose a trustworthy computer and generate a key pair there, consisting of a secret key (private key) and a public key. The secret key must not fall into the wrong hands!

With OpenSSL you generate the certificate application with the following command. The whole command should be on one line; the line breaks here are only included for a better overview. It is recommended to put the command into a command file (shell script, CMD/BAT file) so that you do not mistype it.

Example

# Generate the server key without a passphrase
openssl genrsa -out server-ohne-passphrase.key 4096

# Display the key and its details
openssl rsa -noout -text -in server-ohne-passphrase.key

# Generate the *.csr, i.e. the application for the CA
# This *.csr is sent to the CA via the web interface
openssl req -new -key server-ohne-passphrase.key -out server.csr

# The interactive prompts that follow, with the values to enter:
# Country Name (2 letter code) [AU]:DE
# State or Province Name (full name) [Some-State]:Hessen
# Locality Name (eg, city) []:Kassel
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Universitaet Kassel
# Organizational Unit Name (eg, section) []:Orga-Einheit
# Common Name (eg, YOUR name) []: DOMAINNAME
# Email Address []: ADMIN-EMAIL

# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

Explanations (see also the req man page):

  • openssl req invokes the subcommand that is used for generating and editing certificate applications.

  • -batch causes execution in non-interactive mode.

  • -sha1 outputs the SHA1 checksum (fingerprint) of the certificate application.

  • -newkey rsa:2048 generates a new key pair with a width of 2048 bits according to the RSA procedure.

  • -passout pass:secret ensures that the secret key is stored encrypted with this password. Please choose a different and better password. Whether the secret key can stay encrypted, however, depends on the configuration of the web server: if the secret key is encrypted, the web server can no longer be started without manual input, and this password then has to be entered each time.

  • -keyout private_key_enc.pem saves the secret key (private key), encrypted, in the file named private_key_enc.pem. Please take care of this key: you must neither lose it nor let it fall into the wrong hands.

  • -out csr.pem saves the new PKCS#10 certificate application in the new file csr.pem in PEM format.

  • -subj "/C=DE/O=Uni…" gives the Distinguished Name for the server. You can give a second OU (organizational unit) as well, e.g. for institutes within a department. FQDN-Hostname stands for the complete server domain name.
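The explanations above describe a single, non-interactive openssl req invocation. As an added example that is not part of the original page, the following shell script runs that one-shot command and then checks the resulting request against the DN rules from the PKCS#10 section (C, O, FQDN-style CN, no commas or umlauts in OU); the file names private_key_enc.pem and csr.pem follow the explanations, while the check itself and the sample FQDN/OU values are this example's own.

```shell
#!/bin/sh
# Added example (not from the UniKassel-CA page): the one-shot CSR command that
# the "Explanations" list describes, plus a check that the request meets the
# CA's DN rules. The file names private_key_enc.pem and csr.pem follow that
# list; FQDN, OU and passphrase are whatever the caller passes in.
set -eu

# Generate an encrypted 2048-bit RSA key and a PKCS#10 request in one step.
# $1 = FQDN (CN)  $2 = organizational unit (OU)  $3 = passphrase  $4 = output dir
make_csr() {
    openssl req -batch -newkey rsa:2048 -passout "pass:$3" \
        -keyout "$4/private_key_enc.pem" -out "$4/csr.pem" \
        -subj "/C=DE/O=Universitaet Kassel/OU=$2/CN=$1" 2>/dev/null
}

# Print the subject DN of CSR $1 as one RFC 2253 line, most specific part first:
# CN=www.example.uni-kassel.de,OU=IT Service Center,O=Universitaet Kassel,C=DE
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Return 0 when CSR $1 satisfies the constraints stated on the page:
#  - C=DE and O=Universitaet Kassel (the only values the CA issues for),
#  - a CN that is a fully qualified host name (at least host.domain.tld),
#  - OU values without commas or umlauts (RFC 2253 output escapes both with
#    a backslash, so any backslash in the OU part means rejection),
#  - a request self-signature that verifies (an intact PKCS#10 file).
check_csr() {
    subj=$(csr_subject "$1") || return 1
    case "$subj" in *",O=Universitaet Kassel,C=DE") ;; *) return 1 ;; esac
    cn=${subj#CN=}; cn=${cn%%,*}
    case "$cn" in *.*.*) ;; *) return 1 ;; esac
    ou=${subj#*",OU="}; ou=${ou%",O=Universitaet Kassel,C=DE"}
    case "$ou" in *\\*) return 1 ;; esac
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Stand-alone use: sh make_csr.sh www.example.uni-kassel.de "IT Service Center"
if [ $# -ge 2 ]; then
    make_csr "$1" "$2" "${3:-CHANGE-ME}" .
    check_csr ./csr.pem && echo "csr.pem OK: $(csr_subject ./csr.pem)"
fi
```

Run check_csr on the request before uploading it; a rejected request costs a round trip with the CA, while the private key never leaves the machine the script runs on.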

DFN online application for a server certificate

For the online application you need the previously generated file csr.pem with the PKCS#10 certificate application in PEM format, and a web browser. Please ensure that the DFN-PKI root certificates are imported into the web browser.

These root certificates are also accessible via the web interface (CA certificates: root certificate or DFN-PCA certificate).

You should not receive a certificate warning when you call up the application form.

Now call up the page "Einstiegsseite der UniKassel-CA" in your web browser.

Einstiegsseite Uni Kassel CA

Applying

There you click on “Zertifikate” and then on “Serverzertifikat”.

Formular Serverzertifikat beantragen

First of all you need to choose the previously created .pem file. For that you click on “Browse…” and choose the respective file. For a web server you choose the profile "Web Server". The user information should be filled out with the applicant's data. The certificate will later be sent to the applicant's email address, so this address must already be valid on the application date.

Select a PIN and write it down for later use. Accept the publication of the certificate, if applicable. Read the certification policy, which you have to accept; you can find it under web interface -> Policies -> DFN-PKI-Policy.

If your entries are correct, click on “Next”. Now you can check the data you provided and complete the procedure with a confirmation.

Print this form and fill out the data fields. For the participant declaration you need the serial number of this online application.

Participant declaration

Fill out the participant declaration. It must be signed by you and by the head of the organizational unit (institute or facility).

List of Facilities

    • Erziehungswissenschaft, Humanwissenschaften
      Institut für Erziehungswissenschaft
      Medienpädagogik
      Institut für Philosophie
      Institut für Psychoanalyse
      Institut für Ev. Theologie/Religionspädagogik
      Institut für Kath. Theologie
      Musik

    • Sprach- und Literaturwissenschaften
      Institut für Anglistik/Amerikanistik
      Institut für Germanistik
      Institut für Romanistik

    • Sozialwesen
      Institut für Sozialpädagogik und Soziologie der Lebensalter
      Institut Sozialpolitik und Organisation Sozialer Dienste
      Institut für Soziale Therapie, Supervision und Organisationsberatung
      Institut für Psychologie

    • Gesellschaftswissenschaften
      Geschichte
      Politik
      Soziologie
      Geographie

    • Architektur, Stadtplanung, Landschaftsplanung

    • Wirtschaftswissenschaften
      Institut für Betriebswirtschaftslehre
      Institut für Volkswirtschaftslehre
      Institut für Berufsbildung
      Institut für Wirtschaftsrecht

    • Ökologische Agrarwissenschaften
      Institut für Nutzpflanzenkunde (INK)
      Institut für soziokulturelle Studien

    • Bauingenieurwesen
      Institut für Baustatik und Baudynamik (IBSD)
      Institut für Bauwirtschaft (IBW)
      Institut für Geotechnik und Geohydraulik (IGG)
      Institut für Konstruktiven Ingenieurbau (IKI)
      Institut für Verkehrswesen (IVW)
      Institut für Wasser, Abfall, Umwelt (IWAU)

    • Maschinenbau
      Institut für Mechanik
      Institut für Mess- und Automatisierungstechnik
      Institut für Werkstofftechnik
      Institut für Maschinenelemente und Konstruktionstechnik
      Institut für Produktionstechnik und Logistik
      Institut für Thermische Energietechnik
      Institut für Arbeitswissenschaft

    • Elektrotechnik / Informatik
      Institut für Elektrische Energietechnik (IEE)
      Institut für Periphere Mikroelektronik (IPM)

    • Mathematik und Naturwissenschaften
      Institut für Mathematik
      Institut für Biologie
      Institut für Chemie
      Institut für Physik

    • KHS Kunsthochschule Kassel
      Visuelle Kommunikation
      Bildende Kunst, Kunstpädagogik
      Produkt Design
      Kunstwissenschaft

    • Internationales Zentrum für Hochschulforschung Kassel (INCHER-Kassel)

    • WZ für Umweltsystemforschung (CESR)

    • Center for Interdisciplinary Nanostructure Science and Technology (CINSaT)

    • Forschungszentrum für Informationstechnik-Gestaltung (ITeG)

    • IAG Frauen- und Geschlechterforschung

    • IAG Grundschulpädagogik

    • IAG Kulturforschung

    • ZLB Zentrum für Lehrerbildung

Other Facilities

    • Bibliothek

    • IT-Servicezentrum (ITS)

    • Internationales Studienzentrum
      Sprachenzentrum
      Studienkolleg für ausländische Studierende

    • Studentenwerk Kassel
      Psychosoziale Beratungsstelle

    • UniKasselTransfer
      Forschungsreferat
      OST-WEST-Wissenschaftszentrum
      Patentinformationszentrum (PIZ)
      Technologietransfer
      GINo Gesellschaft für Innovation Nordhessen mbH

    • Uniwerkstätten

    • Zentrale Universitätsverwaltung
      Referat E (Entwicklungsplanung von Forschung und Lehre)
      Justiziariat
      Abt. IR - Interne Revision
      Abt. II - Studium und Lehre
      Abt. III - Personalabteilung
      Abt. IV - Haushalts- und Finanzabteilung
      Abt. V - Bau, Technik, Liegenschaften
      Abt. VII - Kommunikation und Internationales

    • Servicecenter Lehre (SCL)

Identification at the registration authority

The applicant arranges an appointment for identification at the registration authority and brings the following documents along:

  • a valid ID card
  • the printed, filled-out and signed online application
  • the filled-out and signed participant declaration.

Receiving the certificate

After identification and verification of the documents, the registration authority signs the online application digitally. You should then receive your certificate after a couple of hours by email to the address you gave in the online application.

How your server (e.g. web server) has to be configured to use the certificate depends on the specific software. It is especially important that the server also provides the entire certificate chain, i.e. not only its own certificate but also the certificates of the superior certification authorities. In our case these are the certificate of the DFN-Verein PCA Classic – G01 (root certificate) and the certificate of the subordinate certification authority UniKassel-CA.
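Whether the bundle you configure on the server really contains the whole chain is easy to check before going live. As an added example that is not part of the original page, the following shell script splits a PEM bundle in the order a server presents it (own certificate first, then the issuing CA certificates) and verifies that each certificate is issued by the next one, ending at a given root certificate file; the file names and the subject/issuer comparison are this example's assumptions, not the CA's tooling.

```shell
#!/bin/sh
# Added example (not from the UniKassel-CA page): check offline that a PEM
# bundle, in the order a server would present it (server certificate first,
# then the issuing CA certificate(s)), forms an unbroken chain up to a given
# root certificate. Only the certificates' subject/issuer names are compared.
set -eu

# Split PEM bundle $1 into files cert.0, cert.1, ... inside directory $2.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { f = dir "/cert." n++ }
                     f != "" { print > f }
                     /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Print the subject or issuer DN of certificate $1 ($2 is -subject or -issuer).
dn() {
    openssl x509 -noout "$2" -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*=//'
}

# Return 0 when bundle $1 chains from cert.0 up to root certificate $2: each
# certificate's issuer must equal the next certificate's subject, and the last
# certificate in the bundle must be issued by the root (the root itself may be
# present or absent; browsers already hold it in their trust store).
chain_complete() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    root_subj=$(dn "$2" -subject)
    ok=1 i=0
    while [ -f "$tmp/cert.$i" ]; do
        issuer=$(dn "$tmp/cert.$i" -issuer)
        next="$tmp/cert.$((i + 1))"
        if [ -f "$next" ]; then
            [ "$issuer" = "$(dn "$next" -subject)" ] || break
        else
            [ "$issuer" = "$root_subj" ] && ok=0
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $ok
}

# Stand-alone use: sh check_chain.sh /path/to/served-bundle.pem /path/to/root.pem
if [ $# -eq 2 ]; then
    chain_complete "$1" "$2" && echo "chain complete" || echo "chain INCOMPLETE"
fi
```

A bundle that passes this check still needs the server software to actually send every certificate in it; after deployment, inspect what the server sends from a client that does not have the intermediate certificate cached.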