Table of Contents

PKI

Public Key Infrastructure

Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to support@gwdg.de or use the GWDG support form.

Application for personal email certificate

Request your personal email certificate using a Web browser.

Please refer to the browser recommendations for the two ways to apply for a certificate

Since 2 September 2019 the new application route will be the primary way to apply for user certificates. The current route will then only be reserved for Microsoft Internet Explorer.

Select a Registration Authority (RA)

MPG staff
Uni Göttingen staff
GWDG staff

The new way

Since 2 September 2019, the new way to apply for user certificates will be available for the popular web browsers Chrome/Chromium, Firefox, Opera and Safari is available.

With the new Microsoft Edge available at the URL https://www.microsoft.com/en-us/edge, it is now possible to Certificates, such as “Neuer Beantragungsweg für Nutzerzertifikate in der DFN-PKI”, as described in GWDG News Issues 8-9|2019 , can be viewed directly at this URL https://www.gwdg.de/documents/20182/27257/GN_8-9-2019_www.pdf#page=4, and 12|2019 article “E-Mail-Verschlüsselung mit X.509-Zertifikaten – Teil 1: Beantragung und Sicherung von Zertifikaten” to be applied for directly at the URL https://www.gwdg.de/documents/20182/27257/GN_12-2019_www.pdf#page=9.

(currently only in German)

Mobile web browsers on Android and iOS devices are supported.

For Microsoft Internet Explorer, see the old way.

The home page of the browser memory is displayed. Please click on the link “Certificates”

A private key is generated locally and stored in your browser storage as website data.

Important: If you delete the site data (also known as “Chronicle” or “History”) before the certificate is issued, the data is irretrievably lost and the process must be repeated. In another browser, the data is also not available.

Important: Do not apply for certificates in an InPrivate window in Private Browsing mode. The generated browser memory is lost after closing the InPrivate window!!!

If a Browser Soeicher has not yet been created for this web browser, a password must be entered to protect the browser's memory. Clicking on the “Submit” button displays the existing Broweser memory.

Once the browser memory has been created, the browser memory is displayed after entering the previously assigned password and clicking on the “Submit” button.

In the browser store, issued certificates can be managed or new ones can be applied for.

With the link “Show certificate application” a new user certificate is requested and submitted with the click on the “Submit” button.

By clicking on “View Certificate Request” open the PDF file in a PDF program, print it out and sign it by hand.

With the application you signed, please go to the responsible RA operator in your institute.

For personal identification, please have your valid ID.

After personal identification and verification of the certificate application, the responsible RA operator will issue your certificate application.

You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.

For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following document.

(currently only in German)

The old way

Since 2 September 2019, the old way is only available to Microsoft Internet Explorer for reasons of compatibility.

All other browsers no longer support the generation of private keys1)!

Three steps to the application:

1. 1 step: Fill out form

2. 2 step: confirm details

3. 3 step: Download the application in PDF format

At the end of the application, please download the generated PDF file.

Please the printed certificate request under slices by hand.

With the application signed by you please go to the relevant RA operator in your institution.

Hold your valid identity card for personal identification.

After the carried out personal identification and verification of the certificate request the competent RA operator will issue your certificate request.

You will receive an email to your personal email certificate with your certificate in the annex.

For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following document.

(currently only in German)

Apply for server certificate

Call OpenSSL with the following Parameters

Unix/OS X

Simple Bash script…

createcsr.sh
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem
  • Download createscr.sh script.
  • Change flags with 
    chmod 744 createcsr.sh
  • Run script as follows 
    ./createcsr.sh

    .

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem

Simple Batch script…

createcsr.bat
openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem

After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.

Apply for server certificate with OpenSSL.cnf

Call OpenSSL with the following Parameters

Unix/OS X

Simple Bash script…

createcsr.sh
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem
  • Download createscr.sh script.
  • Change flags with 
    chmod 744 createcsr.sh
  • Run script as follows 
    ./createcsr.sh

    .

Windows

Simple PowerShell script…

createcsr.ps1
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem

Simple Batch script…

createcsr.bat
openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem

After that, proceed with the Select a Registration Authority (RA) and upload the Certificate Signing Request (CSR) file in the offered web form of your institution, that you can reach by clicking on “upload for Servers”.

Sample files for OpenSSL.cnf

MPG

Please replace the word example with the server name and the email address noreplay@{MPG | uni-giettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Max-Planck-Gesellschaft
 
organizationalUnitName	= Organizational Unit Name (eg, your Max-Planck-Institute)
organizationalUnitName_default	= PKI
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.mpg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@mpg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.mpg.de
DNS.2       = example-san-2.mpg.de

Uni Göttingen

Please replace the word example with the server name and the email address noreplay@{MPG | uni-giettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Niedersachsen
 
localityName            = Locality Name (eg, city)
localityName_default        = Goettingen
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Georg-August-Universitaet Goettingen
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.uni-goettingen.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@uni-goettingen.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.uni-goettingen.de
DNS.2       = example-san-2.uni-goettingen.de

GWDG

Please replace the word example with the server name and the email address noreplay@{MPG | uni-giettingen | gwdg}.de with a valid.

example.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
 
####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = example.key
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only
 
####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = DE
 
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NIEDERSACHSEN
 
localityName            = Locality Name (eg, city)
localityName_default        = GOETTINGEN
 
organizationName            = Organization Name (eg, company)
organizationName_default    = Gesellschaft fuer wissenschaftliche Datenverarbeitung
 
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = example.gwdg.de
 
emailAddress            = Email Address
emailAddress_default        = noreply@gwdg.de
 
####################################################################
[ server_req_extensions ]
 
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"
 
####################################################################
[ alternate_names ]
 
DNS.1       = example-san-1.gwdg.de
DNS.2       = example-san-2.gwdg.de

Important OpenSSL commands

A collection of important OpenSSL commands for server certificates

Password removal from private key

openssl rsa -in example.key -out example.np.key

Creating a PKCS # 12 file from private and public keys

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem
1) An unsupported or obsolete function!