Differences

This shows you the differences between two versions of the page.

en:services:it_security:pki:start [2019/08/30 16:56]
thinder [Windows]
en:services:it_security:pki:start [2020/04/30 15:03] (current)
thinder [Apply for a certificate]
Line 14: Line 14:
 Please refer to the browser recommendations for the two ways to apply for a certificate Please refer to the browser recommendations for the two ways to apply for a certificate
  
-<wrap em>__**From 2 September 2019**__</​wrap>​ the [[en:​services:​it_security:​pki:​start#​the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:​services:​it_security:​pki:​start#​the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer.+<wrap em>__**Since 2 September 2019**__</​wrap>​ the [[en:​services:​it_security:​pki:​start#​the_new_way|new application route]] will be the primary way to apply for user certificates. The [[en:​services:​it_security:​pki:​start#​the_old_way|current route]] will then only be reserved for Microsoft Internet Explorer.
 </​WRAP>​ </​WRAP>​
 ==== Select a  Registration Authority (RA) ==== ==== Select a  Registration Authority (RA) ====
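Review bot: the changed sentence now opens with "Since 2 September 2019" but keeps the future tense of the old wording ("will be the primary way", "will then only be reserved"), so it reads as both past and future. Suggest present tense: "the new application route is the primary way to apply for user certificates" and "the current route is reserved for Microsoft Internet Explorer only".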
Line 30: Line 30:
  
 ===== The new way ===== ===== The new way =====
 +==== Apply for a certificate ====
  
-<WRAP center round important ​60%> +<WRAP center round tip 60%> 
-<wrap em>From 2 September 2019</​wrap>, ​the new way to apply for user certificates for the modern web browsers from Firefox version 69 as well as Chrome, Opera and Safari will be available. </​WRAP>​ +Personal identification in times of the Corona pandemic can now be carried out with the [[en:​services:​it_security:​pki:​videoident| video identification]].
- +
-<WRAP center round info 60%> +
-Mobile web browsers on Android and iOS devices are supported.+
 </​WRAP>​ </​WRAP>​
  
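Review bot: the removed boxes under "The new way" were the only place in this hunk that named the supported browsers (Firefox from version 69, Chrome, Opera, Safari, and mobile browsers on Android and iOS), and nothing replaces them. If that support still holds, keep it as a plain statement without the start date; if it changed, say so. The new tip about video identification is tied to "times of the Corona pandemic" with no end date, so it will need a follow-up edit.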
Line 42: Line 40:
 </​WRAP>​ </​WRAP>​
  
-<WRAP center round important 60%> +According to the following, as described in [[https://​www.gwdg.de/documents/20182/​27257/​GN_8-9-2019_www.pdf#​page=4|GN 08-09|19]] (currently only in German) in the paragraph "Der neue Beantragungsweg",​ the path to the new application pages is described, this will change from Fig. 2 there as described in the following.
-<wrap em>​Attention! because Microsoft Edge causes a number of difficulties this web browser is not supported at the start time +
-</wrap><​/WRAP>+
  
-<WRAP center round todo 60%> +{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?​800|There ​are now two larger buttons. To apply, click the "Apply for a new user certificate"​ button.}}
-**Instructions ​are in the build-up phase** +
-</​WRAP>​+
  
-The home page of the browser memory is displayedPlease ​click on the link "Certificates"+There are now two larger buttonsTo apply, ​click the "Apply for a new user certificate" ​button.
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_angezeigt-en.png?direct&800 |}}+{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_02_en.png?800|Enter the required data for the user certificate and click on the "​Next"​ button.}}
  
-<WRAP center round info 60%> +Enter the required ​data for the user certificate and click on the "​Next"​ button.
-A private key is generated locally and stored in your browser storage as website ​data. +
  
-<WRAP center round important 60%> +{{:en:​services:​it_security:​pki:​email_1.1_nachtrag_03_en.png?​800|A summary of the information ​is displayed. If everything ​is fineclick on the "Save request file" button.}}
-<wrap em>​ImportantIf you delete the site data (also known as "​Chronicle"​ or "​History"​) before ​the certificate ​is issued, the data is irretrievably lost and the process must be repeated. In another browser, the data is also not available. +
-</​wrap></​WRAP>​+
  
-</​WRAP>​+A summary of the information is displayed. If everything is fine, click on the "Save request file" button.
  
 +{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_04_en.png?​800|A password for the application file must be entered and confirmed by clicking on "​Ok"​.}}
  
-If a Browser Soeicher has not yet been created ​for this web browser, a password ​must be entered ​to protect the browser'​s memory. Clicking ​on the "Submit" ​button displays the existing Broweser memory.+A password ​for the application file must be entered ​and confirmed by clicking ​on "Ok".
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_wird_erstellt-en.png?800 |}} +{{:​en:​services:​it_security:​pki:​email_1.1_nachtrag_05_en.png?800|The application file is stored in the download directory of the web browser used.}}
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_schutz_mit_kennwort-en.png?800 |}}+
  
 +The application file is stored in the download directory of the web browser used.
  
-Once the browser memory has been created, the browser memory is displayed after entering the previously assigned password and clicking on the "​Submit"​ button.+With the application you signedplease go to the responsible RA operator in your institute.
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_browser_speicher_oeffnen-en.png?800 |}}+For personal identification,​ please have your valid ID.
  
-In the browser storeissued certificates can be managed or new ones can be applied for.+After personal identification and verification of the certificate applicationthe responsible RA operator will issue your certificate application.
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_zertsverw-oder-neuen_antrag_stellen-en.png?800 |}}+You will receive an e-mail with your certificate attached after your personal e-mail certificate has been issued.
  
-With the link "Show certificate application"​ a new user certificate is requested and submitted with the click on the "​Submit"​ button.+==== Certificate pick up ====
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereichen-en.png?800 |}}+After clicking on the URL in the mail or by copying and pasting into the address line of the browser with which the certificate was requested, click on "Pick up a requested certificate"​.
  
-By clicking on "View Certificate Request"​ open the PDF file in a PDF program, print it out and sign it by hand.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_01_en.png?​800|}}
  
-{{ :​en:​services:​it_security:​pki:​dfn-pki-neu_csr_eingereicht-en.png?800 |}}+To specify or select the application file, click Browse and select the associated application file for the certificate to be obtained.
  
-With the application you signed, please go to the responsible RA operator in your institute.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_06.png?​800|}}
  
-For personal identification,​ please have your valid ID.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_07.png?​800|}}
  
-After personal identification and verification of the certificate application,​ the responsible RA operator will issue your certificate ​application.+The information in the application ​file is displayed. If everything fits click "​Next"​.
  
-You will receive an e-mail with your certificate ​attached after your personal e-mail ​certificate ​has been issued.+{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_08.png?​800|}} 
 + 
 +If an attempt is made to retrieve the certificate and the confirmation email has not yet been received, you will receive ​the following error message. 
 + 
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_09.png?​800|}} 
 + 
 +If the pickup worked, the data of the currently collected certificate is displayed in an overview. Clicking on "Save Certificate File" initiates the completion of the pickup. 
 + 
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_10.png?​800|}} 
 + 
 +To secure the certificate ​file to be saved, it is now imperative to enter a certificate ​password. Clicking OK completes the process. 
 + 
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_11.png?​800|}} 
 + 
 +At the end of the collection, an information page with important information that should be considered will be displayed. 
 + 
 +{{:​de:​services:​it_security:​pki:​email_1.1_nachtrag_12.png?800|}}
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%>+For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following documents:​ 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2019_www.pdf#​page=9|GWDG Nachrichten 12|19]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/GN_1-2-2020_www.pdf#​page=14|GWDG Nachrichten 1-2|20]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2020_www.pdf#​page=6|GWDG Nachrichten 3|20]] 
 + 
 +<WRAP center round important 60%>
 (currently only in German) (currently only in German)
 </​WRAP>​ </​WRAP>​
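Review bot: the removed warning explained that the private key is generated locally and that deleting the browser's site data before issuance loses it irretrievably; the new steps introduce a password-protected application file that is saved to the download directory and needed again at pick-up ("select the associated application file"), but carry no equivalent caveat. Suggest an important box after "The application file is stored in the download directory" stating that the file and its password must be kept until the certificate has been picked up, and whether the private key depends on them. Smaller points: the sentence beginning "According to the following, as described in" uses "described" three times and is hard to parse; "will issue your certificate application" should read "will issue your certificate"; the pick-up screenshots use the :de: namespace with empty captions while the application screenshots use :en: with captions; and the removed Edge warning leaves it unstated whether Microsoft Edge is now supported.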
Line 103: Line 116:
  
 ===== The old way ===== ===== The old way =====
- 
-<WRAP center round important 60%> 
-<wrap em>From 2 September 2019</​wrap>,​ the old way will be available to Microsoft Internet Explorer for reasons of compatibility 
-</​WRAP>​ 
  
 <WRAP center round info 60%> <WRAP center round info 60%>
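Review bot: with this box removed, the visible start of "The old way" no longer says who the section is for; the only remaining statement that this route is reserved for Microsoft Internet Explorer is the notice near the top of the page. Suggest keeping the sentence without the date, for example "The old way remains available to Microsoft Internet Explorer for reasons of compatibility".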
Line 137: Line 146:
  
 <WRAP center round info 60%> <WRAP center round info 60%>
-For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_Special_01-2014_www.pdf/69ae9e7b-21d6-477f-a89e-e8fcddfba8ce|following document]].<WRAP center round important 60%>+For further steps and detailed instructions on the installation of the certificate in various email clients, read the information in the following documents:​ 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_12-2019_www.pdf#​page=9|GWDG Nachrichten 12|19]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/GN_1-2-2020_www.pdf#​page=14|GWDG Nachrichten 1-2|20]] 
 +  - [[https://​www.gwdg.de/​documents/​20182/​27257/​GN_3-2020_www.pdf#​page=6|GWDG Nachrichten 3|20]] 
 + 
 +<WRAP center round important 60%>
 (currently only in German) (currently only in German)
 </​WRAP>​ </​WRAP>​
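Review bot: the three-item list of GWDG Nachrichten links added here is a verbatim copy of the list added under "The new way" in the same revision, so every future issue has to be added in two places. Suggest keeping one copy and linking to it from the other section. The "(currently only in German)" box now sits below a blank line after the list; placing it directly with the introductory sentence would make clear that it applies to all three documents.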
Line 160: Line 174:
 <code powershell createcsr.bat>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​ <code powershell createcsr.bat>​openssl req -newkey rsa:2048 -sha256 -keyout priv-key.pem -out certreq.pem</​code>​
  
-After that, proceed with the [[#​select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "Upload ​for Servers"​.+After that, proceed with the [[#​select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "upload ​for Servers"​.
 ===== Apply for server certificate with OpenSSL.cnf ===== ===== Apply for server certificate with OpenSSL.cnf =====
  
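Review bot: the changed sentence lowercases the quoted label from "Upload for Servers" to "upload for Servers", which leaves it in mixed case. A quoted button or link label should match the web form exactly; please confirm the spelling there and use it in both places where this sentence appears.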
Line 178: Line 192:
 <code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​ <code powershell createcsr.bat>​openssl req -config example.cnf -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example-csr.pem</​code>​
  
-Then you proceed ​application from step 2 of the section ​[[#application_for_personal_email_certificate|application for personal email certificate]], choose ​of a suitably competent RA. +After that, proceed ​with the [[#select_a_registration_authority_ra|Select a Registration Authority (RA)]] and upload the Certificate Signing Request (CSR) file in the offered web form of your institution,​ that you can reach by clicking on "​upload for Servers"​.
 ===== Sample files for OpenSSL.cnf ===== ===== Sample files for OpenSSL.cnf =====
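Review bot: the command on the context line above the changed sentence passes -nodes, so example.key is written without a passphrase, whereas the command in the previous section omits -nodes and prompts for a passphrase to encrypt priv-key.pem; the text does not mention the difference. Suggest a sentence telling the reader to restrict access to example.key, or to drop -nodes where the server can prompt for a passphrase. The replacement sentence itself fixes the earlier broken reference to the personal email certificate section and carries the same "upload for Servers" label as the previous section.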