Differences

This shows you the differences between two versions of the page.


en:services:it_security:pki:start [2019/08/30 08:52]
thinder [The old way]
en:services:it_security:pki:start [2021/04/20 11:43] (current)
thinder [Detailed description of e-mail encryption with X.509 certificates]
Line 4: Line 4:
  
  
-Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to <support@gwdg.deor use the GWDG [[https://​www.gwdg.de/​support|support form]].+Below you will find instructions on how to request certificates with popular web browsers as well as instructions for the use of this certificates. The instructions for certification shall relate to e-mail (S / MIME) certificates. However, the requirement of other types of certificates is designed largely similar. If you have suggestions for further instructions or additional questions, you can send an e-mail to [[support@gwdg.de?​subject=Question(s) about certificate(s)&​body=Ladies and gentlemen,​%0A%0AI have the following question(s) about certificate(s):​%0A%0A|support@gwdg.de]] ​or use the GWDG [[https://​www.gwdg.de/​support|support form]].
  
 ===== Application for personal email certificate ===== ===== Application for personal email certificate =====
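Review bot: the rewritten "Below you will find instructions" line keeps two wording errors that belong in the same edit: "the use of this certificates" should read "the use of these certificates", and "the requirement of other types of certificates is designed largely similar" should read "requesting other types of certificates works largely the same way". The new mailto link with subject and body parameters is otherwise an improvement over the old unclosed `<support@gwdg.deor` text.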
Line 10: Line 10:
 Request your personal email certificate using a Web browser. Request your personal email certificate using a Web browser.
  
- 
-<WRAP center round info 60%> 
-Please refer to the browser recommendations for the two ways to apply for a certificate 
- 
-<wrap em>​__**From 2 September 2019**__</​wrap>​ the [[en:​services:​it_security:​pki:​start#​the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:​services:​it_security:​pki:​start#​the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer. 
-</​WRAP>​ 
 ==== Select a  Registration Authority (RA) ==== ==== Select a  Registration Authority (RA) ====
  
-<WRAP left round box 30%>+<WRAP left round box 22%>
 |  **[[en:​services:​it_security:​pki:​mpgras|MPG staff]]** ​ | |  **[[en:​services:​it_security:​pki:​mpgras|MPG staff]]** ​ |
 </​WRAP>​ </​WRAP>​
-<WRAP left round box 30%>+<WRAP left round box 22%>
 |  **[[en:​services:​it_security:​pki:​uniras|Uni Göttingen staff]]** ​ | |  **[[en:​services:​it_security:​pki:​uniras|Uni Göttingen staff]]** ​ |
 </​WRAP>​ </​WRAP>​
-<WRAP left round box 30%>+<WRAP left round box 22%>
 |  **[[en:​services:​it_security:​pki:​gwdgras|GWDG staff]]** ​ | |  **[[en:​services:​it_security:​pki:​gwdgras|GWDG staff]]** ​ |
 </​WRAP>​ </​WRAP>​
  
-===== The old way ===== 
  
-<WRAP center round important 60%> 
-<wrap em>From 2 September 2019, the old way will be available to Microsoft Internet Explorer for reasons of compatibility 
-</​wrap>​ 
-</​WRAP>​ 
  
-<WRAP center round info 60%> + 
-All other browsers do not support the generation ​of private keys((An unsupported or obsolete function!))!+===== The new way ===== 
 +==== Apply for a certificate ==== 
 + 
 +<WRAP center round tip 60%> 
 +Personal identification in times of the Corona pandemic can now be carried out with the [[en:​services:​it_security:​pki:​videoident| video identification]].
 </​WRAP>​ </​WRAP>​
  
 +According to the following, as described in [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_4-5-2020_www.pdf#​page=26|GN 04-05|20]] (currently only in German) in the paragraph "Der neue Beantragungsweg",​ the path to the new application pages is described, this will change from Fig. 2 there as described in the following.
  
-Three steps to the application:​ +{{:en:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?800|There are now two larger buttonsTo apply, click the "Apply for a new user certificate"​ button.}}
-{{:de:​services:​it_security:​pki:​gwdgcade1.png?200|1 step: Fill out form}} {{:​de:​services:​it_security:​pki:​gwdgcade2.png?200|2 step: confirm details}} {{:​de:​services:​it_security:​pki:​gwdgcade3.png?200|3 step: Download ​the application in PDF format}}+
  
-At the end of the applicationplease download ​the generated PDF file.+There are now two larger buttons. To applyclick the "Apply for a new user certificate"​ button.
  
-Please ​the printed ​certificate ​request under slices by hand.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_02_en.png?​800|Enter ​the required data for the user certificate ​and click on the "​Next"​ button.}}
  
-With the application signed by you please go to the relevant RA operator in your institution.+Enter the required data for the user certificate and click on the "​Next"​ button.
  
-Hold your valid identity card for personal identification.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_03_en.png?​800|A summary of the information is displayed. If everything is fine, click on the "Save request file" button.}}
  
-After the carried out personal identification and verification ​of the certificate request ​the competent RA operator will issue your certificate ​request.+A summary ​of the information is displayed. If everything is fine, click on the "​Save ​request ​file" button.
  
-You will receive an email to your personal email certificate with your certificate in the annex.+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_04_en.png?​800|A password for the application file must be entered and confirmed by clicking on "​Ok"​.}}
  
-<WRAP center round info 60%> +A password for the application file must be entered ​and confirmed by clicking ​on "​Ok"​.
-For further steps and detailed instructions ​on the installation of the certificate in various email clients, read the information in the [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/​69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%> +
-(currently only in German) +
-</​WRAP>​+
  
-</​WRAP>​+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_05_en.png?​800|The application file is stored in the download directory of the web browser used.}}
  
-===== The new way =====+The application file is stored in the download directory of the web browser used.
  
-<WRAP center round important 60%> +With the application you signedplease go to the responsible RA operator in your institute.
-From 2 September 2019the new way to apply for user certificates for the modern web browsers from Firefox version 69 as well as Chrome, Opera and Safari will be available</​WRAP>​+
  
-<WRAP center round info 60%> +For personal identification,​ please have your valid ID.
-Mobile web browsers on Android and iOS devices are supported. +
-</​WRAP>​+
  
-<WRAP center round info 60%> +After personal identification and verification of the certificate application, the responsible RA operator will issue your certificate application.
-For Microsoft Internet Explorersee [[en:​services:​it_security:​pki:​start#​the_old_way| ​the old way]]. +
-</​WRAP>​+
  
-<WRAP center round important 60%> +You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.
-<wrap em>​Attention! because microsoft edge causes a number of difficulties this web browser is not supported at the start time +
-</​wrap></​WRAP>​+
  
-<WRAP center round todo 60%> +==== Certificate pick up ====
-**Instructions are in the build-up phase** +
-</​WRAP>​+
  
-The home page of the browser ​memory is displayed. Please ​click on the link "Certificates"+After clicking on the URL in the mail or by copying and pasting into the address line of the browser ​with which the certificate was requested, ​click on "Pick up a requested certificate".
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_angezeigt.png?direct&​200 ​|}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?800|}}
  
-<WRAP center round info 60%> +To specify or select the application file, click Browse ​and select the associated application file for the certificate to be obtained. The browsers store this file in the **Downloads** folder of the user.
-A private key is generated locally ​and stored ​in your browser storage as website data+
  
-<WRAP center round important 60%> +{{:de:​services:​it_security:​pki:​email_1.1_nachtrag_06.png?800|}}
-<wrap em>​ImportantIf you delete the site data (also known as "​Chronicle"​ or "​History"​) before the certificate is issued, the data is irretrievably lost and the process must be repeatedIn another browser, the data is also not available. +
-</​wrap></​WRAP>​+
  
-</​WRAP>​+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_07.png?​800|}}
  
 +The information in the application file is displayed. If everything fits click "​Next"​.
  
-If a Browser Soeicher has not yet been created for this web browser, a password must be entered to protect the browser'​s memoryClicking on the "​Next"​ button displays the existing Broweser memory.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_08.png?800|}}
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_erstellt.png?200 |}} +If an attempt is made to retrieve the certificate and the confirmation email has not yet been received, you will receive the following error message.
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_schutz_mit_kennwort.png?​200 |}}+
  
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_09.png?​800|}}
  
-Once the browser memory has been created, the browser memory ​is displayed ​after entering the previously assigned password and clicking ​on the "Next" ​button.+If the pickup worked, the data of the currently collected certificate ​is displayed ​in an overview. Clicking ​on "Save Certificate File" ​initiates the completion of the pickup.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_oeffnen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_10.png?800|}}
  
-In the browser store, issued certificates can be managed or new ones can be applied for.+To secure ​the certificate file to be saved, it is now imperative to enter a certificate password. Clicking OK completes the process.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_zertsverw-oder-neuen_antrag_stellen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_11.png?800|}}
  
-With the link "Apply for a new certificate"​ a new user certificate is requested and submitted ​with the click on the "​Next"​ button.+At the end of the collection, an information page with important information that should be considered will be displayed.
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereichen.png?200 |}}+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_12.png?800|}}
  
-By clicking on "View Certificate Request"​ open the PDF file in a PDF program, print it out and sign it by hand. 
  
-{{ :​de:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereicht.png?​200 |}}+===== The old way ===== 
 +<WRAP center round important 60%> 
 +Microsoft Internet Explorer will no longer be supported for certificate application as of **__March 1, 2021__**!
  
-With the application you signed, please go to the responsible RA operator in your institute.+Please use the description for [[en:​services:​it_security:​pki:​start#​the_new_way|the new way for certificate application]] 
 +</​WRAP>​
  
-For personal identification,​ please have your valid ID. 
  
-After personal identification and verification of the certificate application,​ the responsible RA operator will issue your certificate application. 
  
-You will receive an e-mail with your certificate ​attached after your personal ​e-mail ​certificate has been issued.+===== Detailed description of e-mail ​encryption ​with X.509 certificates ===== 
 +For further steps and detailed instructions on how to install and use the certificate ​in different ​e-mail ​clients, please read the following documents.
  
-<WRAP center round info 60%> +<WRAP center round info 100%> 
-For further steps and detailed instructions on the installation of the certificate ​in various email clients, read the information in the [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%>+  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_4-2021_www.pdf#​page=6|GWDG Nachrichten 4|21]] - Weitere Überarbeitung des Beantragungsweges für Nutzerzertifikate ​in der DFN-PKI 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2019_www.pdf#​page=9|GWDG Nachrichten 12|19]] - Teil 1: Beantragung und Sicherung von Zertifikaten 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_1-2-2020_www.pdf#​page=14|GWDG Nachrichten 1-2|20]] ​Teil 2: Installation und Verteilung von Zertifikaten 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2020_www.pdf#​page=6|GWDG Nachrichten 3|20]] - Teil 3: Outlook-E-Mail-Anwendungen 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_7-8-2020_www.pdf#​page=8|GWDG Nachrichten 7-8|20]] - Teil 4: Apple E-Mail-Anwendungen 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_11-2020_www.pdf#​page=12|GWDG Nachrichten 11|20]] - Teil 5: Thunderbird,​ Notes und Mutt 
 +<WRAP center round important 60%>
 (currently only in German) (currently only in German)
 </​WRAP>​ </​WRAP>​
  
 </​WRAP>​ </​WRAP>​
- 
- 
 ===== Apply for server certificate ===== ===== Apply for server certificate =====
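Review bot: the new application-file flow drops the only warning the old text had about where the private key lives and what happens if it is lost ("A private key is generated locally and stored in your browser storage as website data" and the "Important! If you delete the site data ..." box are removed), and the replacement text never says that the file saved to the Downloads folder ("The application file is stored in the download directory of the web browser used.") must be kept together with its password until pickup, although the pickup step ("click Browse and select the associated application file") depends on exactly that file. Suggest adding after that sentence: "Keep this file and remember its password; both are needed again when you pick up the certificate." Smaller points in the same hunk: "the responsible RA operator will issue your certificate application" should be "will issue your certificate"; the sentence "According to the following, as described in ... the path to the new application pages is described, this will change from Fig. 2 there as described in the following." needs rewording; and the screenshot links mix namespaces (`:en:...email_1.1_nachtrag_01_en.png` in the application steps, `:de:...email_1.1_nachtrag_01_en.png` and `:de:..._06.png` onwards in the pickup steps), with the pickup images carrying empty alt text.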
  
Line 141: Line 125:
 ==== Unix/OS X ==== ==== Unix/OS X ====
 Simple Bash script... Simple Bash script...
-<code bash createcsr.sh>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​+<code bash createcsr.sh>​openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​
   * Download createscr.sh script.   * Download createscr.sh script.
   * Change flags with <code bash>​chmod 744 createcsr.sh</​code>​   * Change flags with <code bash>​chmod 744 createcsr.sh</​code>​
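Review bot: the bullet "Download createscr.sh script." mis-spells the file name that the code block and the chmod line call createcsr.sh; fix the bullet. On the command itself: without -nodes, openssl req encrypts priv-key.pem and prompts for a PEM pass phrase, so the steps should say that this pass phrase is needed whenever the server loads the key (or use -nodes as in the OpenSSL.cnf variant further down and rely on file permissions instead). The change from rsa:2048 to rsa:4096 is fine.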
Line 148: Line 132:
 ==== Windows ==== ==== Windows ====
 Simple PowerShell script... Simple PowerShell script...
-<code powershell createcsr.ps1>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​+<code powershell createcsr.ps1>​openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​
 Simple Batch script... Simple Batch script...
-<code powershell createcsr.bat>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​ +<code powershell createcsr.bat>​openssl req -newkey rsa:4096 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​
- +
-Then you proceed application from step 2 of the section [[#​application_for_personal_email_certificate|application for personal email certificate]],​ choose of a suitably competent RA.+
  
 +After that, proceed with the [[#​select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "​upload for Servers"​.
 ===== Apply for server certificate with OpenSSL.cnf ===== ===== Apply for server certificate with OpenSSL.cnf =====
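Review bot: the new sentence "After that, proceed with ... upload the Certificate Signing Request (CSR) file" should name the file to upload, certreq.pem (the -out argument), and state that priv-key.pem (the -keyout argument) stays on the server and is never uploaded; a reader who has just run one of the three identical one-liners has two PEM files in front of them. Smaller points: createcsr.bat is a batch file but its block is tagged `<code powershell createcsr.bat>`, and "that you can reach by clicking on "upload for Servers"" reads better as "which you reach via "upload for Servers"".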
  
Line 160: Line 143:
 ==== Unix/OS X ==== ==== Unix/OS X ====
 Simple Bash script... Simple Bash script...
-<code bash createcsr.sh>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​+<code bash createcsr.sh>​openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​
   * Download createscr.sh script.   * Download createscr.sh script.
   * Change flags with <code bash>​chmod 744 createcsr.sh</​code>​   * Change flags with <code bash>​chmod 744 createcsr.sh</​code>​
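Review bot: -nodes in this createcsr.sh line writes example.key unencrypted, which is the usual choice for a server key but means the file has to be protected by permissions; the step list only runs chmod 744 on the script, so add a step such as chmod 600 example.key (or run the script under a restrictive umask). Also, -newkey rsa:4096 on the command line overrides default_bits in example.cnf, so the two settings, both raised to 4096 in this revision, only stay consistent as long as they are edited together. The "createscr.sh" typo from the section above is repeated here.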
Line 167: Line 150:
 ==== Windows ==== ==== Windows ====
 Simple PowerShell script... Simple PowerShell script...
-<code powershell createcsr.ps1>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​+<code powershell createcsr.ps1>​openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​
 Simple Batch script... Simple Batch script...
-<code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​ +<code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​
- +
-Then you proceed application from step 2 of the section [[#​application_for_personal_email_certificate|application for personal email certificate]],​ choose of a suitably competent RA.+
  
 +After that, proceed with the [[#​select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "​upload for Servers"​.
 ===== Sample files for OpenSSL.cnf ===== ===== Sample files for OpenSSL.cnf =====
  
  
 ==== MPG ==== ==== MPG ====
-Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-giettingen ​| gwdg}.de** with a valid.+Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen ​| gwdg}.de** with a valid.
 <code bash example.cnf>​ <code bash example.cnf>​
 HOME            = . HOME            = .
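Review bot: "with a valid." at the end of the "Please replace the word **example**" line is truncated; it needs an object such as "with a valid e-mail address of your institution", and "noreplay" is presumably "noreply". The same sentence appears under Uni Göttingen and GWDG and should be fixed in all three places. The uni-giettingen to uni-goettingen correction is right.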
Line 184: Line 166:
 ####################################################################​ ####################################################################​
 [ req ] [ req ]
-default_bits ​       = 2048+default_bits ​       = 4096
 default_keyfile ​    = example.key default_keyfile ​    = example.key
 distinguished_name ​ = server_distinguished_name distinguished_name ​ = server_distinguished_name
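Review bot: default_bits = 4096 now matches the -newkey rsa:4096 in the scripts, but it only takes effect when openssl req is run without an explicit key size on the command line; a one-line comment above the setting saying so would stop readers from treating one of the two as redundant and lowering it.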
Line 204: Line 186:
 organizationName_default ​   = Max-Planck-Gesellschaft organizationName_default ​   = Max-Planck-Gesellschaft
  
 +# The name of your CA subordinate RA can be found here 
 +# https://​info.gwdg.de/​docs/​doku.php?​id=de:​services:​it_security:​pki:​mpgras
 +# and thus, replace the value PKI
 organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute) organizationalUnitName = Organizational Unit Name (eg, your Max-Planck-Institute)
 organizationalUnitName_default = PKI organizationalUnitName_default = PKI
  
-commonName ​         = Common Name (e.g. server FQDN or YOUR name)+commonName ​         = Common Name (eg, server FQDN or YOUR name)
 commonName_default ​     = example.mpg.de commonName_default ​     = example.mpg.de
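Review bot: the new comment above organizationalUnitName says "replace the value PKI" but not on which line; make it explicit that organizationalUnitName_default = PKI is the value to change to the RA name listed on the mpgras page, and that "PKI" is a placeholder rather than a usable default. Style: the commonName prompt was changed from "e.g." to "eg," here while the Uni Göttingen and GWDG samples keep "e.g.".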
  
Line 229: Line 214:
 </​code>​ </​code>​
 ==== Uni Göttingen ==== ==== Uni Göttingen ====
-Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-giettingen ​| gwdg}.de** with a valid.+Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen ​| gwdg}.de** with a valid.
 <code bash example.cnf>​ <code bash example.cnf>​
 HOME            = . HOME            = .
Line 236: Line 221:
 ####################################################################​ ####################################################################​
 [ req ] [ req ]
-default_bits ​       = 2048+default_bits ​       = 4096
 default_keyfile ​    = example.key default_keyfile ​    = example.key
 distinguished_name ​ = server_distinguished_name distinguished_name ​ = server_distinguished_name
Line 255: Line 240:
 organizationName ​           = Organization Name (eg, company) organizationName ​           = Organization Name (eg, company)
 organizationName_default ​   = Georg-August-Universitaet Goettingen organizationName_default ​   = Georg-August-Universitaet Goettingen
 +
 +# Please remove the comment character for the next two lines. The name of the CA child RA 
 +# You can see https://​info.gwdg.de/​docs/​doku.php?​id=de:​services:​it_security:​pki:​uniras here and thus replace the value PKI.
 +#​organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
 +#​organizationalUnitName_default = PKI
  
 commonName ​         = Common Name (e.g. server FQDN or YOUR name) commonName ​         = Common Name (e.g. server FQDN or YOUR name)
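Review bot: the comment "The name of the CA child RA / You can see https://... here and thus replace the value PKI." is hard to parse; suggest "# Uncomment the next two lines and replace PKI with the name of your RA, see <uniras page URL>". Also, the OU lines are commented out here but active in the MPG sample above; if the difference is intended, say why, otherwise make the three samples consistent.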
Line 278: Line 268:
 </​code>​ </​code>​
 ==== GWDG ==== ==== GWDG ====
-Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-giettingen ​| gwdg}.de** with a valid.+Please replace the word **example** with the server name and the email address **noreplay@{MPG | uni-goettingen ​| gwdg}.de** with a valid.
 <code bash example.cnf>​ <code bash example.cnf>​
 HOME            = . HOME            = .
Line 285: Line 275:
 ####################################################################​ ####################################################################​
 [ req ] [ req ]
-default_bits ​       = 2048+default_bits ​       = 4096
 default_keyfile ​    = example.key default_keyfile ​    = example.key
 distinguished_name ​ = server_distinguished_name distinguished_name ​ = server_distinguished_name
Line 304: Line 294:
 organizationName ​           = Organization Name (eg, company) organizationName ​           = Organization Name (eg, company)
 organizationName_default ​   = Gesellschaft fuer wissenschaftliche Datenverarbeitung organizationName_default ​   = Gesellschaft fuer wissenschaftliche Datenverarbeitung
 +
 +# Please remove the comment character for the next two lines. The name of the CA child RA 
 +# You can https://​info.gwdg.de/​docs/​doku.php?​id=de:​services:​it_security:​pki:​gwdgras here and replace the value PKI.
 +#​organizationalUnitName = Organizational Unit Name (eg, your Institute name in the Uni-Goettingen-CA)
 +#​organizationalUnitName_default = PKI
  
 commonName ​         = Common Name (e.g. server FQDN or YOUR name) commonName ​         = Common Name (e.g. server FQDN or YOUR name)
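Review bot: the GWDG sample's new comment and OU prompt were copied from the Uni Göttingen sample: "You can https://... here and replace the value PKI." is missing its verb ("You can find ..."), and "(eg, your Institute name in the Uni-Goettingen-CA)" is wrong for a GWDG server certificate; it should refer to the GWDG RA named on the linked gwdgras page.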
Line 335: Line 330:
 ==== Creating a PKCS # 12 file from private and public keys ==== ==== Creating a PKCS # 12 file from private and public keys ====
 <code bash>​openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem</​code>​ <code bash>​openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem</​code>​
 +
 +===== Detailed description of the possible uses of X.509 certificates =====
 +
 +<WRAP center round info 100%>
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_9-10-2020_www.pdf#​page=10|GWDG Nachrichten 09-10|20]] - Teil 1: Serverzertifikate
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2020_www.pdf#​page=10|GWDG Nachrichten 12|20]] - Teil 2: Ein Blick hinter die Kulissen eines Teilnehmerservices
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2021_www.pdf#​page=8|GWDG Nachrichten 03|21]] - Teil 3: Das Programm GUIRA für den Teilnehmerservice
 +
 +<WRAP center round important 60%>
 +(currently only in German)
 +</​WRAP>​
 +
 +</​WRAP>​
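Review bot: the pkcs12 command in the context above (openssl pkcs12 -export -out example.pfx -inkey example.key -in example.pem) bundles the private key into example.pfx; the one-liner should mention that openssl prompts for an export password and that the resulting .pfx needs the same protection as example.key and should be removed once it has been imported on the target system. The new reference list itself is fine.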