- This document is about server certificates for units hosted at the LRZ (web hosting or server hosting). You cannot obtain certificates from the LRZ for servers that are neither owned by the LRZ (or the BAdW) nor hosted at the LRZ.
- In 2022 the issuing CA migrates from the DFN-PKI to GÉANT/Sectigo. This changes the certificate chain and the root certificate: anything that pins the DFN-PKI root or chain (a fixed CA bundle, a client with its own trust store) must be updated before it talks to a server with a Sectigo certificate.
- Some processes change as well. In particular, a signed PDF is no longer necessary. Everything is now paperless. Existing certificates from the DFN-PKI remain valid until they expire.
Please note: Unlike in the DFN-PKI environment, under GÉANT/Sectigo it is not possible to add further SANs (Subject Alternative Names) to an already issued certificate. If you need additional SANs, you must order a new certificate that lists all the names you need.
3. Domain Validation
Please note: Domain validations are only valid for 1 year and must then be renewed.
For both the DFN-PKI and the new GÉANT/Sectigo environment, we (i.e. the LRZ, but also any other certificate issuer) can only issue certificates for names or domains if we have permission to do so. Technically, the domain must be validated.
Here again there are two cases:
3.1. Case 1: Your domain is hosted at the LRZ
Open a ticket with your SIM ID via https://servicedesk.lrz.de/en/ql/create/36 (via Selfservice, not Simple Submit) and tell us the desired domain name. For domains hosted by us, we can then do the validation ourselves.
3.2. Case 2: Your domain is hosted elsewhere
Here you need to consider the following:
If you have configured a CAA record for your domain, it must be extended with an entry for Sectigo before you order (the page's example uses the domain xxx-domain.de). A CA must refuse to issue for a name whose CAA record set does not list it, so an unextended CAA record blocks the order at Sectigo.
Leave the previous entries as they are.
If you have not configured a CAA record, you do not need to do anything further in this regard.
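To see what "extended for Sectigo" means in practice, here is an added example (not LRZ tooling) that applies the CAA rules of RFC 8659 to a constructed record set for xxx-domain.de before and after the extension. "sectigo.com" is the issuer domain Sectigo publishes for CAA; "previous-ca.example" stands in for whatever CA the existing record names and is an assumption:

```shell
#!/bin/sh
# Added example (not LRZ tooling): decide whether a CAA record set lets a given CA
# issue for a name, following RFC 8659: "issue" governs ordinary names, "issuewild"
# governs wildcard names and falls back to "issue" when absent; a record set with
# no relevant property places no restriction; a value of ";" forbids every CA.
# Only the zone-file presentation format used below (name TTL IN CAA flags tag
# "value") is parsed, and climbing to parent domains when the name itself has no
# CAA record is not modelled. All record data is constructed for illustration.

# Constructed record set BEFORE the extension: only a hypothetical previous CA.
CAA_BEFORE='xxx-domain.de. 3600 IN CAA 0 issue "previous-ca.example"'

# Constructed record set AFTER the extension: previous entry kept, Sectigo added.
CAA_AFTER='xxx-domain.de. 3600 IN CAA 0 issue "previous-ca.example"
xxx-domain.de. 3600 IN CAA 0 issue "sectigo.com"'

# Variant that additionally forbids wildcard certificates from every CA.
CAA_NO_WILDCARD="$CAA_AFTER
xxx-domain.de. 3600 IN CAA 0 issuewild \";\""

# caa_permits RECORDS NAME CA_DOMAIN -> exit status 0 if CA_DOMAIN may issue for NAME
caa_permits() {
    records=$1; name=$2
    ca=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    tag=issue
    case "$name" in
        '*.'*) tag=issuewild ;;
    esac
    if [ "$tag" = issuewild ] && ! printf '%s\n' "$records" | grep -q '[[:space:]]issuewild[[:space:]]'; then
        tag=issue      # no issuewild record: wildcard names are governed by issue
    fi
    # Collect the issuer domains of all records with the relevant tag, prefixed
    # with "x" so that a deny-all value (";") still yields a non-empty line.
    relevant=$(printf '%s\n' "$records" | awk -v t="$tag" '
        $4 == "CAA" && $6 == t && match($0, /"[^"]*"/) {
            v = substr($0, RSTART + 1, RLENGTH - 2)   # issuer-domain-name[; parameters]
            sub(/;.*/, "", v); gsub(/[ \t]/, "", v)   # drop parameters and whitespace
            print "x" tolower(v)
        }')
    [ -z "$relevant" ] && return 0    # no relevant property: issuance unrestricted
    printf '%s\n' "$relevant" | grep -qx "x$ca"
}

report() {   # report RECORDS NAME CA
    if caa_permits "$1" "$2" "$3"; then echo "$2: $3 may issue"; else echo "$2: $3 is blocked"; fi
}

echo "--- before extension ---"
report "$CAA_BEFORE" www.xxx-domain.de sectigo.com
report "$CAA_BEFORE" www.xxx-domain.de previous-ca.example
echo "--- after extension ---"
report "$CAA_AFTER" www.xxx-domain.de sectigo.com
report "$CAA_AFTER" '*.xxx-domain.de' sectigo.com
echo "--- after extension, wildcards forbidden ---"
report "$CAA_NO_WILDCARD" www.xxx-domain.de sectigo.com
report "$CAA_NO_WILDCARD" '*.xxx-domain.de' sectigo.com
```

The point of the check is the first block of output: with only the old entry present, Sectigo is blocked while the previous CA still passes, which is exactly the state an unextended record leaves you in. Against the live zone you would feed `caa_permits` the output of `dig +noall +answer xxx-domain.de CAA` instead of the constructed strings.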
For the validation you also need a mailbox hostmaster@<domain>, to which the validation mail is sent.
Then open a ticket with your SIM account via https://servicedesk.lrz.de/en/ql/create/36 and tell us the desired domain name. We then enter the domain for validation at Sectigo, and the validation mail is sent to the address above. If this address does not exist, validation is not possible, at least not easily. If you cannot set up the mailbox hostmaster@<domain>, please say so in the ticket; we will then consider whether there is an alternative.
Please note that during the transition period it may be necessary to validate your domain in both the old and new environments.
4. Creating the Private Key and CSR
4.1. Only 1 host name
If the certificate is to contain only one host name (Common Name, CN), the following command is sufficient:
- Version with an unencrypted private key (-nodes), generated on the host itself. For simplicity it is assumed that the computer name, i.e. the output of `hostname`, is also the name that goes into the certificate; if not, write the desired name instead of `hostname`. An unencrypted key is protected only by its file permissions, so restrict them (e.g. chmod 600) and keep the key on the host:
openssl req -nodes -newkey rsa:2048 -out `hostname`-request.pem -keyout `hostname`-sec-key-ohnepass.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"
- Version with a password-protected private key, generated on the host itself (openssl prompts for the passphrase; note that the web server will then need it at every start):
openssl req -newkey rsa:2048 -out `hostname`-request.pem -keyout `hostname`-sec-key.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"
The names of the output files are of course freely selectable. xxx must be replaced by the domain the host belongs to.
4.2. More than 1 host name
A certificate can contain more or less any number of names: one Common Name plus any number of Subject Alternative Names (SANs). These can be aliases of one server or the names of several different servers, which then all use the same certificate (and therefore the same private key, which has to be copied to each of them). Since current browsers match only the SAN list and ignore the CN, the CN must be repeated among the SANs. Unfortunately, the above openssl command only handles a single CN. If you want more than one name in the certificate, you have to assemble it as follows:
Write a text file (called zert.conf in the example) with the following content (for the LRZ CA):
The key and CSR are then created with the following command:
openssl req -config zert.conf -reqexts req_exts -newkey rsa:2048 -sha256 -keyout key.pem -out csr.pem
The names of the output files are, as usual, freely selectable.
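Here is an added example that is not the LRZ's own zert.conf: it writes a complete OpenSSL config with one CN and three SANs, creates the key and CSR with the command from above, and then reads the SAN list back out of the CSR so you can check it before ordering (a missing name here means a new certificate later, see section 1). The host names, the subject fields and the file names are assumptions for the demo; xxx-domain.de is the placeholder used on this page:

```shell
#!/bin/sh
# Added example, not the LRZ's zert.conf: build a key and a CSR that carries one CN
# and several SANs from an OpenSSL config file, then read the SANs back out of the
# CSR to check them before ordering. Host names and subject fields are assumptions.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/zert.conf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = req_exts
prompt             = no

[ req_dn ]
CN = www.xxx-domain.de
O  = Bayerische Akademie der Wissenschaften
L  = Garching b. Muenchen
ST = Bayern
C  = DE

[ req_exts ]
# Browsers match only the SAN list, so the CN must be repeated in it.
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.xxx-domain.de
DNS.2 = xxx-domain.de
DNS.3 = mail.xxx-domain.de
EOF

# make_csr CONF KEY CSR: unencrypted 2048-bit RSA key plus SHA-256 signed CSR
make_csr() {
    openssl req -config "$1" -reqexts req_exts -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2" -out "$3" 2>/dev/null
}

# csr_sans CSR: print the DNS names in the CSR's subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/DNS:|,/, ""); for (i = 1; i <= NF; i++) print $i }'
}

# csr_verify CSR: exit 0 if the CSR's self-signature checks out
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

make_csr "$WORK/zert.conf" "$WORK/key.pem" "$WORK/csr.pem"
chmod 600 "$WORK/key.pem"       # an unencrypted key is protected only by file permissions
csr_verify "$WORK/csr.pem" && echo "CSR signature OK"
echo "SANs requested:"
csr_sans "$WORK/csr.pem"
```

Drop `-nodes` from `make_csr` if you want the passphrase-protected variant from section 4.1. Whatever `csr_sans` prints is the complete list of names the certificate will ever cover; anything missing means ordering a new certificate later.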
5. The Download Mail
The download mail looks something like this and offers the certificate in 7 variants for download. For a standard Apache setup, the second one from the top is probably the right one.
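Whichever variant you download, check before installing it that the certificate actually belongs to the private key from section 4, which is the usual mistake when a CSR has been regenerated in between. The following added example is not part of the download mail or of LRZ tooling; because the real certificate cannot be included here, it uses a constructed self-signed stand-in for the downloaded file and a second, unrelated key to show the failure case:

```shell
#!/bin/sh
# Added example, not part of the download mail: confirm that a downloaded certificate
# belongs to the private key created in step 4 before installing it. The certificate
# below is a constructed self-signed stand-in for the downloaded one; "other-key.pem"
# stands for a key from a CSR regenerated by mistake.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_matches_cert KEY CERT: 0 if the public key inside CERT equals KEY's public key,
# 1 if not, 2 if either file cannot be read.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed material: the key the CSR was made from, a stand-in certificate for it,
# and an unrelated key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other-key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -sha256 -days 1 \
    -subj '/CN=www.xxx-domain.de' -out "$WORK/cert.pem" 2>/dev/null

for key in key.pem other-key.pem; do
    if key_matches_cert "$WORK/$key" "$WORK/cert.pem"; then
        echo "$key: matches cert.pem"
    else
        echo "$key: does NOT match cert.pem"
    fi
done
```

With the real files, run `key_matches_cert` against the key from section 4 and the downloaded certificate; a mismatch means the web server will fail to start or serve the wrong key. Separately, `openssl verify -untrusted chain.pem cert.pem` checks that the intermediate chain shipped with the certificate leads to a trusted root, which the new Sectigo chain requires as much as the old DFN chain did.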
Information from the LMU: https://www.serviceportal.verwaltung.uni-muenchen.de/services/it/infrastrukturdienste/ausstellung_zertifikate/index.html#goto404268 (LMU login required.)
Last update: June 2, 2022