Certificates | DFN-PKI
Why are certificates needed?
When you transmit confidential information such as account data, transaction numbers or passwords to a web server or mail server, the connection to the server must be encrypted so that third parties cannot eavesdrop on it. The server must also "identify itself", i.e. prove that it really is the server it claims to be; this is called server authentication. A certificate issued by a trusted certification authority (CA) binds the server's name to its public key and is what makes this proof possible: encryption alone, without authentication, would just as well protect a connection to an impostor.
Applying for user certificates
User certificates can be requested for signing and encrypting e-mails. A step-by-step guide can be found here (https://www.uni-potsdam.de/de/mailup/allgemeines/sichere-e-mails).
Applying for server certificates
Certificates for servers in the institutions and facilities of the University of Potsdam can be applied for via the Cert-Manager of Sectigo.
The following steps must be completed for the setup:
1. Creating a certificate request
OpenSSL is a suitable tool and is available for Linux ( https://www.openssl.org/ ) and Windows ( http://slproweb.com/products/Win32OpenSSL.html ). Under Linux, for example, the key and the request (here for the web server openup.uni-potsdam.de) can be generated with the following command. Note that the "<( ... )" construct is bash process substitution, so the command must be run in bash, and that the path of the system OpenSSL configuration file (/etc/ssl/openssl.cnf in the example) varies between distributions:
openssl req -newkey rsa:4096 -nodes -keyout openup.uni-potsdam.de-privatekey.pem -out openup.uni-potsdam.de-csr.pem -batch -subj "/C=DE/ST=Brandenburg/L=Potsdam/O=Universitaet Potsdam/CN=openup.uni-potsdam.de" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:openup.uni-potsdam.de,DNS:international-courses.uni-potsdam.de"))
After executing this command, two files exist: the private key "openup.uni-potsdam.de-privatekey.pem" and the certificate request "openup.uni-potsdam.de-csr.pem". Only the request (CSR) is uploaded in step 2; the private key never leaves the machine. Because of the "-nodes" option the key is stored unencrypted, so it must be kept where only a small circle of responsible administrators can read it (for example by running the command with "umask 077", or by setting "chmod 600" on the key file afterwards). It will be needed later, together with the issued certificate, to configure the server's encrypted connections.
Note also that in the above example a second name (a so-called Subject Alternative Name, here "international-courses.uni-potsdam.de") was added for the same system. This is the way to specify additional host names that the certificate should later cover; browsers match the server name against the Subject Alternative Name entries, not against the CN alone, so every name under which the server is reached should be listed. If the certificate only needs to cover a single name, a shorter command suffices:
openssl req -newkey rsa:4096 -nodes -keyout openup.uni-potsdam.de-privatekey.pem -out openup.uni-potsdam.de-csr.pem -batch -subj "/C=DE/ST=Brandenburg/L=Potsdam/O=Universitaet Potsdam/CN=openup.uni-potsdam.de"
2. Upload certificate request
The certificate request (CSR) created in step 1 can be uploaded via the CA's web interface ( https://cert-manager.com/customer/DFN/ssl/uni-potsdam ).
To do this, log in with your UP-Account credentials: click on "Your Institution", select "University of Potsdam" and enter your access data in the forms that follow, as you are used to doing with our other systems.
Afterwards you are in "your" personal area at Sectigo, where you are allowed to manage your certificates.
If you click on "Enroll Certificate" you can create a new certificate.
In the form that follows, please upload the CSR in the field named exactly as such or paste the content of the CSR via the clipboard.
Under "Subject Alternative Names" (see step 1) you can enter additional host names if desired.
Furthermore, you have the option to enter additional e-mail recipients under "External Requesters". These recipients will receive - besides you - notifications in connection with the certificate to be created.
We recommend activating the "Auto Renew" switch and selecting a lead time that suits you (e.g. 14 days). You will then be notified in good time before the certificate expires, and the certificate is renewed automatically.
With a mouse click on "Submit" you send the request. We will then be informed and check your certificate request promptly. If everything is in order, we will confirm the request and you will be informed about it.
3. The valid certificate
After successful identification and approval of the request, you will receive an e-mail containing links to your certificate in various formats, together with a link to the root and intermediate certificates. This normally takes only a few minutes, in rare cases a few hours. You can now install the certificate on your machine together with the private key from step 1. For Apache web servers, for example, the format "Certificate (w/ issuer after), PEM encoded" is suitable, since it contains the server certificate followed by the intermediate certificate that clients need to build the trust chain. Before deploying, check that the certificate really belongs to your private key (the public keys of both must match); a certificate issued for a different key, e.g. from an earlier request, will make the server fail to start or clients fail the handshake.
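The following script is an added example (not part of the original page and not DFN or Sectigo tooling) that carries steps 1 and 3 through in POSIX sh with OpenSSL: it generates the key and a CSR with Subject Alternative Names from a self-contained configuration, checks the CSR before upload (request signature, key match, every expected name present in the SAN extension, key file mode) and, once a certificate has been issued, checks that the certificate belongs to the private key. The host names are the ones used above; the output directory and the KEY_BITS variable are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the page: generate key + CSR with SANs, check the CSR
# before uploading it, and later check that the issued certificate fits the key.
# Assumptions: output directory and KEY_BITS are illustrative; host names as on the page.

# make_csr DIR CN [SAN ...]  -> writes DIR/CN-privatekey.pem and DIR/CN-csr.pem
make_csr() {
    dir="$1"; cn="$2"; shift 2
    # SAN list: the CN itself plus every additional name (browsers match on SANs).
    sans="DNS:$cn"
    for name in "$@"; do sans="$sans,DNS:$name"; done
    # Minimal self-contained OpenSSL config, independent of /etc/ssl/openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = san' 'prompt = no' \
        '[dn]' 'C = DE' 'ST = Brandenburg' 'L = Potsdam' 'O = Universitaet Potsdam' "CN = $cn" \
        '[san]' "subjectAltName = $sans" > "$dir/csr.cnf"
    # -nodes leaves the key unencrypted on disk, so create it with mode 0600 via umask
    # in a subshell (the umask does not leak into the caller's shell).
    ( umask 077
      openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -nodes \
          -keyout "$dir/$cn-privatekey.pem" -out "$dir/$cn-csr.pem" \
          -config "$dir/csr.cnf" >/dev/null 2>&1 )
}

# pubkey_fp FILE KIND -> fingerprint of the public key held in a key, CSR or certificate
pubkey_fp() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout ;;
        csr)  openssl req -in "$1" -noout -pubkey ;;
        cert) openssl x509 -in "$1" -noout -pubkey ;;
    esac | openssl sha256
}

# check_csr DIR CN [SAN ...] -> 0 only if the CSR is consistent and carries every name
check_csr() {
    dir="$1"; cn="$2"; shift 2
    csr="$dir/$cn-csr.pem"; key="$dir/$cn-privatekey.pem"
    # 1. the request's self-signature verifies (file not truncated or edited)
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # 2. the request carries the public key belonging to our private key
    [ "$(pubkey_fp "$csr" csr)" = "$(pubkey_fp "$key" key)" ] || return 1
    # 3. every expected name appears in subjectAltName (exact match per entry)
    sanlist=$(openssl req -in "$csr" -noout -text | grep 'DNS:' | tr ',' '\n' | tr -d ' ')
    for name in "$cn" "$@"; do
        printf '%s\n' "$sanlist" | grep -qxF "DNS:$name" || return 1
    done
    # 4. the private key is readable by its owner only
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
}

# cert_matches_key CERT KEY -> 0 if the certificate was issued for this private key
cert_matches_key() {
    [ "$(pubkey_fp "$1" cert)" = "$(pubkey_fp "$2" key)" ]
}
```

Typical use: `make_csr /etc/ssl/private openup.uni-potsdam.de international-courses.uni-potsdam.de`, then `check_csr` with the same arguments before uploading the CSR in step 2, and `cert_matches_key downloaded.pem /etc/ssl/private/openup.uni-potsdam.de-privatekey.pem` on the file received in step 3 before pointing Apache at it.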
4. We are here for you
If you encounter any difficulties with the above procedure, please send us your CSR or the domain names for which you need a certificate by e-mail ( zim-service@uni-potsdam.de with the subject "Question DFN-PKI certificates"). Of course, you can also use this address for any general questions on the topic that are on your mind. We will be happy to help you.