Differences

This shows you the differences between two versions of the page.

en:services:it_security:pki:start [2019/08/27 18:54]
thinder [Select a Registration Authority (RA)]
en:services:it_security:pki:start [2020/04/30 15:03] (current)
thinder [Apply for a certificate]
Line 4: Line 4:
  
  
-Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to <support@gwdg.deor use the GWDG [[https://​www.gwdg.de/​support|support form]].+Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?​subject=Question(s) about certificate(s)&​body=Ladies and gentlemen,​%0A%0AI have the following question(s) about certificate(s):​%0A%0A|support@gwdg.de]] ​or use the GWDG [[https://​www.gwdg.de/​support|support form]].
  
 ===== Application for personal email certificate ===== ===== Application for personal email certificate =====
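Review bot: In the rewritten support sentence, the new mail link percent-encodes the line breaks in the body (%0A) but leaves the spaces and parentheses in "subject=Question(s) about certificate(s)" and in the body text unencoded, so the query string is only partly encoded. Encode the spaces as %20 throughout so the subject and body arrive intact regardless of how the mail client parses the link. The same line still reads "the use of this certificates"; since it is being touched anyway, change it to "these certificates".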
Line 11: Line 11:
  
  
 +<WRAP center round info 60%>
 +Please refer to the browser recommendations for the two ways to apply for a certificate
  
 +<wrap em>​__**Since 2 September 2019**__</​wrap>​ the [[en:​services:​it_security:​pki:​start#​the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:​services:​it_security:​pki:​start#​the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer.
 +</​WRAP>​
 ==== Select a  Registration Authority (RA) ==== ==== Select a  Registration Authority (RA) ====
  
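Review bot: The added info box uses future tense for a date that is already past at the time of this revision (2020/04/30): "Since 2 September 2019 ... will be the primary way" and "will then only be reserved". State it as current fact, for example "Since 2 September 2019 the new application route is the primary way to apply for user certificates; the old route is reserved for Microsoft Internet Explorer." The link text "current route" points at #the_old_way, so label it "old route" to match the heading it targets. The first sentence mentions "the browser recommendations" without linking to them and has no closing period.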
Line 24: Line 28:
 </​WRAP>​ </​WRAP>​
  
-===== The old way ===== 
-<WRAP center round info 60%> 
-<wrap em>​**Please use only Mozilla Firefox!**</​wrap>​ 
  
-All other browsers do not support the generation ​of private keys((An unsupported or obsolete function!))!+===== The new way ===== 
 +==== Apply for a certificate ==== 
 + 
 +<WRAP center round tip 60%> 
 +Personal identification in times of the Corona pandemic can now be carried out with the [[en:​services:​it_security:​pki:​videoident| video identification]].
 </​WRAP>​ </​WRAP>​
  
 +<WRAP center round info 60%>
 +For Microsoft Internet Explorer, see [[en:​services:​it_security:​pki:​start#​the_old_way| the old way]].
 +</​WRAP>​
  
-Three steps to the application:​ +According ​to the following, as described in [[https://www.gwdg.de/​documents/​20182/​27257/​GN_8-9-2019_www.pdf#​page=4|GN 08-09|19]] (currently only in German) in the paragraph "Der neue Beantragungsweg",​ the path to the new application ​pages is described, this will change from Fig. 2 there as described ​in the following.
-{{:​de:​services:​it_security:​pki:gwdgcade1.png?200|1 step: Fill out form}} {{:​de:​services:​it_security:​pki:​gwdgcade2.png?200|2 step: confirm details}} {{:de:​services:​it_security:​pki:​gwdgcade3.png?200|3 step: Download ​the application in PDF format}}+
  
-At the end of the applicationplease download ​the generated PDF file.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?​800|There are now two larger buttons. To applyclick the "Apply for a new user certificate"​ button.}}
  
-Please ​the printed ​certificate ​request under slices by hand.+There are now two larger buttons. To apply, click the "Apply for a new user certificate" button.
  
-With the application signed by you please go to the relevant RA operator in your institution.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_02_en.png?​800|Enter the required data for the user certificate and click on the "​Next"​ button.}}
  
-Hold your valid identity card for personal identification.+Enter the required data for the user certificate and click on the "​Next"​ button.
  
-After the carried out personal identification and verification ​of the certificate request ​the competent RA operator will issue your certificate ​request.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_03_en.png?​800|A summary ​of the information is displayed. If everything is fine, click on the "​Save ​request ​file" button.}}
  
-You will receive an email to your personal email certificate with your certificate in the annex.+A summary of the information is displayed. If everything is fine, click on the "Save request file" button.
  
-<WRAP center round info 60%> +{{:en:​services:​it_security:​pki:​email_1.1_nachtrag_04_en.png?800|A password for the application file must be entered and confirmed by clicking on "​Ok"​.}}
-For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the [[https://www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/​69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%> +
-(currently only in German) +
-</​WRAP>​+
  
-</​WRAP>​+A password for the application file must be entered and confirmed by clicking on "​Ok"​.
  
-===== The new way =====+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_05_en.png?​800|The application file is stored in the download directory of the web browser used.}}
  
-<WRAP center round info 60%> +The application file is stored in the download directory ​of the web browser used.
-Starting at the beginning ​of September 2019. Starting with Firefox from version 69 and other modern ​web browsers such as Safari, Chrome, Opera</​WRAP>​+
  
-<WRAP center round todo 60%> +With the application you signed, please go to the responsible RA operator in your institute.
-Support for mobile devices based on iOS and Android is available. +
-</​WRAP>​+
  
 +For personal identification,​ please have your valid ID.
  
-<WRAP center round important 60%> +After personal identification ​and verification of the certificate application, ​the responsible RA operator will issue your certificate ​application.
-Attention! Currently, Microsoft Internet Explorer ​and Microsoft Edge still have trouble compatibility with the new application ​path!  +
-</​WRAP>​+
  
-<WRAP center round todo 60%> +You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.
-**Instructions are in the build-up phase** +
-</​WRAP>​+
  
-The home page of the browser memory is displayed. Please click on the link "​Certificates"​+==== Certificate pick up ====
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_angezeigt.png?​direct&​200 |}}+After clicking on the URL in the mail or by copying and pasting into the address line of the browser with which the certificate was requested, click on "Pick up a requested certificate"​.
  
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?​800|}}
  
-If a Browser Soeicher has not yet been created for this web browsera password must be entered to protect ​the browser'​s memory. Clicking on the "​Next"​ button displays the existing Broweser memory.+To specify or select the application fileclick Browse and select ​the associated application file for the certificate to be obtained.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_erstellt.png?200 |}} +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_06.png?800|}}
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_schutz_mit_kennwort.png?200 |}}+
  
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_07.png?​800|}}
  
-Once the browser memory has been created, the browser memory ​is displayed ​after entering the previously assigned password and clicking on the "​Next" ​button.+The information in the application file is displayed. If everything fits click "​Next"​.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_oeffnen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_08.png?800|}}
  
-In the browser storeissued certificates can be managed or new ones can be applied for.+If an attempt is made to retrieve ​the certificate and the confirmation email has not yet been receivedyou will receive the following error message.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_zertsverw-oder-neuen_antrag_stellen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_09.png?800|}}
  
-With the link "Apply for a new certificate"​ a new user certificate is requested and submitted with the click on the "Next" ​button.+If the pickup worked, the data of the currently collected ​certificate is displayed in an overview. Clicking ​on "Save Certificate File" ​initiates the completion of the pickup.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereichen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_10.png?800|}}
  
-By clicking on "View Certificate Request"​ open the PDF file in a PDF programprint it out and sign it by hand.+To secure ​the certificate ​file to be saved, it is now imperative to enter a certificate password. Clicking OK completes the process.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereicht.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_11.png?800|}}
  
-With the application you signed, please go to the responsible RA operator in your institute.+At the end of the collection, an information page with important information that should be considered will be displayed.
  
-For personal identification,​ please have your valid ID.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_12.png?​800|}}
  
-After personal identification ​and verification ​of the certificate ​application, the responsible RA operator will issue your certificate application.+<WRAP center round info 60%> 
 +For further steps and detailed instructions on the installation ​of the certificate ​in various email clientsread the information in the following documents:​ 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2019_www.pdf#​page=9|GWDG Nachrichten 12|19]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_1-2-2020_www.pdf#​page=14|GWDG Nachrichten 1-2|20]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2020_www.pdf#​page=6|GWDG Nachrichten 3|20]]
  
-You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.+<WRAP center round important 60%> 
 +(currently only in German) 
 +</​WRAP>​ 
 + 
 +</​WRAP>​ 
 + 
 + 
 +===== The old way =====
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-For further steps and detailed instructions on the installation ​of the certificate in various email clients, read the information in the [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/​69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<​WRAP center round important 60%> +All other browsers no longer support ​the generation ​of private keys((An unsupported or obsolete function!))!
-(currently only in German)+
 </​WRAP>​ </​WRAP>​
  
 +
 +Three steps to the application:​
 +
 +1.
 +{{:​de:​services:​it_security:​pki:​gwdgcade1.png?​800|1 step: Fill out form}} ​
 +
 +2.
 +{{:​de:​services:​it_security:​pki:​gwdgcade2.png?​800|2 step: confirm details}} ​
 +
 +3.
 +{{:​de:​services:​it_security:​pki:​gwdgcade3.png?​800|3 step: Download the application in PDF format}}
 +
 +At the end of the application,​ please download the generated PDF file.
 +
 +Please the printed certificate request under slices by hand.
 +
 +With the application signed by you please go to the relevant RA operator in your institution.
 +
 +Hold your valid identity card for personal identification.
 +
 +After the carried out personal identification and verification of the certificate request the competent RA operator will issue your certificate request.
 +
 +You will receive an email to your personal email certificate with your certificate in the annex.
 +
 +<WRAP center round info 60%>
 +For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following documents:
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2019_www.pdf#​page=9|GWDG Nachrichten 12|19]]
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_1-2-2020_www.pdf#​page=14|GWDG Nachrichten 1-2|20]]
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2020_www.pdf#​page=6|GWDG Nachrichten 3|20]]
 +
 +<WRAP center round important 60%>
 +(currently only in German)
 </​WRAP>​ </​WRAP>​
  
 +</​WRAP>​
  
 ===== Apply for server certificate ===== ===== Apply for server certificate =====
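Review bot: In "Apply for a certificate" under the new way, the steps end with a password-protected application file saved to the download directory, and the very next line is "With the application you signed, please go to the responsible RA operator"; nothing in between tells the user what to print and sign. The removed text had that step ("View Certificate Request" ... "print it out and sign it by hand"), so add the equivalent step for the new form, because the RA operator verifies the application at that visit. In "Certificate pick up", every screenshot is loaded from the :de: namespace with an empty caption, including email_1.1_nachtrag_01_en.png, which the apply section loads from :en:; point them at the :en: copies and caption them as in the apply section. The moved old-way text still carries the garbled sentence "Please the printed certificate request under slices by hand.", and its info box "All other browsers no longer support the generation of private keys" has lost the Firefox sentence that gave "other" its referent, which also conflicts with the earlier box reserving the old way for Internet Explorer.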
Line 132: Line 174:
 <code powershell createcsr.bat>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​ <code powershell createcsr.bat>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​
  
-Then you proceed ​application from step 2 of the section ​[[#application_for_personal_email_certificate|application for personal email certificate]], choose ​of a suitably competent RA. +After that, proceed ​with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "​upload for Servers"​.
 ===== Apply for server certificate with OpenSSL.cnf ===== ===== Apply for server certificate with OpenSSL.cnf =====
  
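Review bot: The new sentence after the openssl command says to "upload the Certificate Signing Request (CSR) file" without naming it, although the command above writes two files, priv-key.pem and certreq.pem. Name certreq.pem as the file to upload and add that priv-key.pem stays on the server and is never submitted through the web form. The phrase "in the offered web form of your institution, that you can reach by clicking" would read better as "in your institution's web form, which you reach by clicking".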
Line 151: Line 192:
 <code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​ <code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​
  
-Then you proceed ​application from step 2 of the section ​[[#application_for_personal_email_certificate|application for personal email certificate]], choose ​of a suitably competent RA. +After that, proceed ​with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "​upload for Servers"​.
 ===== Sample files for OpenSSL.cnf ===== ===== Sample files for OpenSSL.cnf =====
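Review bot: The upload sentence after the -config command does not say which output file is the CSR, and because that command runs with -nodes the other output, example.key, is a private key written without a passphrase. Name example-csr.pem as the file to upload, and add a line stating that example.key is unencrypted, must remain on the server, and should be readable only by the account that runs the service.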