PKI

Public Key Infrastructure

Below you will find instructions on how to request certificates with popular web browsers, as well as instructions for using these certificates. The instructions cover e-mail (S/MIME) certificates; requesting other types of certificates works largely the same way. If you have suggestions for further instructions or additional questions, you can send an e-mail to support@gwdg.de.

Application for personal email certificate

Request your personal email certificate using a Web browser.

Please use only Mozilla Firefox!

Other browsers do not support the generation of private keys 1)!

Select a Registration Authority (RA)

Three steps to the application:
  • Step 1: Fill out the form
  • Step 2: Confirm the details
  • Step 3: Download the application in PDF format

At the end of the application, please download the generated PDF file.

Please sign the printed certificate request by hand.

Take the signed application to the responsible RA operator at your institution.

Have your valid identity card ready for personal identification.

After personal identification and verification of the certificate request, the responsible RA operator will approve your certificate request.

You will then receive an e-mail with your personal e-mail certificate attached.

For further steps and detailed instructions on installing the certificate in various e-mail clients, see the following document.

(currently only in German)

Apply for server certificate

Call OpenSSL with the following parameters

Unix/OS X

Simple Bash script…

createcsr.sh
#!/bin/sh
# Generates a new 2048-bit RSA key (priv-key.pem, passphrase-protected) and a SHA-256 certificate request (certreq.pem)
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem
  • Download the createcsr.sh script.
  • Make the script executable with
    chmod 744 createcsr.sh
  • Run the script as follows
    ./createcsr.sh

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem

Simple Batch script…

createcsr.bat
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem

Then continue with the application from step 2 of the section "Application for personal email certificate", choosing the RA responsible for you.

Apply for server certificate with OpenSSL.cnf

Call OpenSSL with the following parameters

Unix/OS X

Simple Bash script…

createcsr.sh
#!/bin/sh
# Generates an unencrypted (-nodes) 2048-bit RSA key (example.key) and a SHA-256 certificate request (example-csr.pem) using the settings in example.cnf
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem
  • Download the createcsr.sh script.
  • Make the script executable with
    chmod 744 createcsr.sh
  • Run the script as follows
    ./createcsr.sh

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem

Simple Batch script…

createcsr.bat
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem

Then continue with the application from step 2 of the section "Application for personal email certificate", choosing the RA responsible for you.
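Before handing a request to the RA it is worth checking that the CSR really contains what you intended. The following script is an added example and not one of the page's own scripts: it writes a constructed config in the style of the example.cnf samples below, runs the same openssl invocation as both server-certificate procedures above, and then checks that the request's self-signature verifies, that the public key in the CSR matches the private key file, that the key is 2048 bits and that the expected SAN was requested. It assumes openssl is on PATH; all host names and the organisation are placeholders.

```shell
#!/bin/sh
# Added example (not from the GWDG page): build a CSR from a config in the
# style of example.cnf, then check it before handing it to the RA.
# Assumes openssl on PATH; host names and organisation are constructed values.
set -eu

# Write a constructed config mirroring example.cnf; "prompt = no" makes the
# run non-interactive, so the DN uses short names instead of *_default entries.
make_csr_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
prompt              = no

[ server_distinguished_name ]
C  = DE
ST = Niedersachsen
L  = Goettingen
O  = Example Organisation
CN = example.example.org

[ server_req_extensions ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:example.example.org, DNS:example-san-1.example.org
EOF
}

# Same openssl invocation as the page: $1 config, $2 key out, $3 CSR out.
create_csr() {
  openssl req -config "$1" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Pre-submission checks: $1 key, $2 CSR, $3 expected DNS SAN. 0 only if all pass.
check_csr() {
  openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1   # self-signature
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$csr_pub" ] || return 1                            # key matches CSR
  csr_text=$(openssl req -in "$2" -noout -text 2>/dev/null)
  printf '%s\n' "$csr_text" | grep -q '2048 bit' || return 1         # key size
  printf '%s\n' "$csr_text" | grep -q "DNS:$3" || return 1           # SAN requested
}
```

Run make_csr_config, create_csr and check_csr in an empty directory; check_csr returning non-zero means the request should not be submitted as is.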

Sample files for OpenSSL.cnf

MPG

Please replace the word example with the server name, and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Max-Planck-Gesellschaft
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.mpg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@mpg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.mpg.de
DNS.2       = example-san-2.mpg.de

Uni Göttingen

Please replace the word example with the server name, and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Georg-August-Universitaet Goettingen
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.uni-goettingen.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@uni-goettingen.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.uni-goettingen.de
DNS.2       = example-san-2.uni-goettingen.de

GWDG

Please replace the word example with the server name, and the e-mail address noreply@{mpg | uni-goettingen | gwdg}.de with a valid one.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NIEDERSACHSEN
 
localityName            = Locality Name (eg, city)
localityName_default        = GOETTINGEN
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Gesellschaft fuer wissenschaftliche Datenverarbeitung
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.gwdg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@gwdg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.gwdg.de
DNS.2       = example-san-2.gwdg.de

1) An unsupported or obsolete function!