1. Introduction

  • This document is about server certificates for units hosted at the LRZ (web hosting or server hosting). You cannot obtain certificates from the LRZ for servers that are neither owned by the LRZ (or the BAdW) nor hosted at the LRZ.
  • In 2022 the certificate issuing instance is migrating from DFN-PKI to GÉANT/Sectigo. This changes the certificate chain and the root certificate.
  • Some processes change as well. In particular, a signed PDF is no longer necessary; everything is now paperless. Existing certificates from the DFN-PKI remain valid until they expire.

2. Overview

2.1. Web-Hosting

  1. If you use a custom name for your web server, you must ensure that this name or domain is validated (see Domain Validation below).
  2. If the domain is validated, you don't need to do anything else. Your web server will get its certificate from us automatically.

2.2. Server-Hosting

Since you, as the server administrator, are responsible for the certificate itself, you have a choice of who to obtain it from. Essentially, you have the following options:

  1. from your own institution (for TUM: ra@zv.tum.de, for LMU: pki@lmu.de)
  2. from the LRZ (this is especially necessary if the server name ends with srv.mwn.de, because only the LRZ can issue certificates for this domain)
  3. from the free market like Let's Encrypt

In case 2, the following applies:

  • Once the domain is validated, create a private key and the request (see below Generate private key and CSR).
  • Then open a ticket (https://servicedesk.lrz.de/ql/create/36) with your SIM account, requesting a certificate by specifying the desired name, and attach the request. We also need a contact e-mail address, preferably a collective or group address, so that e-mails regarding the certificate still reach someone even if you have left your institution in the meantime.
  • You will then receive a mail from Sectigo (see below), with which you can download your certificate in different formats (different variants of .pem, .cer and .p12).

Please note: Unlike in the DFN-PKI environment, it is not possible under GÉANT/Sectigo to add additional SANs (Subject Alternative Names) to an issued certificate. If you need additional SANs in your certificate, you must order a new one.

3. Domain Validation

Please note: Domain validations are only valid for 1 year and must then be renewed.

For both the DFN-PKI and the new GÉANT/Sectigo environment, we (i.e. the LRZ, but also any other certificate issuer) can only issue certificates for names or domains if we have permission to do so. Technically, the domain must be validated.

Here again there are two cases:

3.1. Case 1: Your domain is hosted at the LRZ

Open a ticket with your SIM ID via https://servicedesk.lrz.de/en/ql/create/36 (via Selfservice, not Simple Submit) and inform us of the desired domain name. For domains hosted by us, we can then perform the validation ourselves.

3.2. Case 2: Your domain is hosted elsewhere

Here you need to consider the following:

If you have configured a CAA record for your domain, it must be extended for Sectigo in advance (shown here using the domain xxx-domain.de as an example):

xxx-domain.de.       IN    CAA    0 issue "sectigo.com"

Leave previous entries as they are.

If you have not configured a CAA record, you do not need to do anything further in this regard.

For the validation, you also need a mailbox hostmaster@<domain>, to which the validation mail is sent.

Then open a ticket with your SIM account via https://servicedesk.lrz.de/en/ql/create/36 and tell us the desired domain name. We then enter the domain for validation at Sectigo and send the validation mail to the above address. If this address does not exist, validation is not possible, at least not easily. If it is not possible for you to set up the mailbox hostmaster@<domain>, please mention this in the ticket. We will then consider if there could be an alternative possibility.

Please note that during the transition period it may be necessary to validate your domain in both the old and new environments.

4. Creating the Private Key and CSR

4.1. Only 1 host name

If the certificate contains only one host name (Common Name - CN), the following command is sufficient:

  • Version with a private key without password, generated on the corresponding host (for simplicity, it is assumed here that the computer name, i.e. the hostname, should also be in the certificate; if not, just write the desired name instead of `hostname`):

openssl req -nodes -newkey rsa:2048 -out `hostname`-request.pem -keyout `hostname`-sec-key-ohnepass.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"

  • Version with password-protected private key generated on the corresponding host:

openssl req -newkey rsa:2048 -out `hostname`-request.pem -keyout `hostname`-sec-key.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"

The names of the output files are of course freely selectable. xxx must be replaced by the corresponding domain name.

4.2. More than 1 host name

A certificate can contain almost any number of names (one Common Name plus further names as Subject Alternative Names). These can be aliases of one server or names of several different servers, which then all get the same certificate (and the same private key). Unfortunately, the above openssl command only works with a single CN. If you want more than one name in the certificate, you have to assemble it as follows:

Write a text file (called zert.conf in the example) with the following content (for the LRZ CA):

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Garching b. Muenchen
organizationName = Bayerische Akademie der Wissenschaften
commonName = name of the server (for user certificates: name of the certificate holder)
emailAddress = e-mail address of the certificate holder

[ req_exts ]
subjectAltName = @SAN

# every name, including the one in the Common Name, is listed once in this section
[ SAN ]
DNS.0 = DNS name as in the Common Name
DNS.1 = further DNS name
DNS.2 = further DNS name …

Key and CSR are created with the following command:

openssl req -config zert.conf -reqexts req_exts -newkey rsa:2048 -sha256 -keyout key.pem -out csr.pem

The names of the output files are, as usual, freely selectable.
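The multi-name procedure above, as an added shell example (not the LRZ's own script): it writes the config file, generates key and CSR, and then checks the request before it is attached to the ticket. It assumes openssl is installed; the host names used in the test are constructed placeholders, and the key is created without a password (-nodes) so the script runs non-interactively.

```shell
#!/bin/sh
# Added example, not from the LRZ page. Assumes openssl is on PATH.
set -eu

# make_multi_san_csr DIR CN [SAN ...]
# Writes DIR/zert.conf, DIR/key.pem and DIR/csr.pem. The CN is repeated as
# DNS.0, as the page's config file does; extra names follow as DNS.1, DNS.2, ...
make_multi_san_csr() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_distinguished_name\n'
        printf '[ req_distinguished_name ]\ncountryName = DE\n'
        printf 'stateOrProvinceName = Bayern\nlocalityName = Garching b. Muenchen\n'
        printf 'organizationName = Bayerische Akademie der Wissenschaften\n'
        printf 'commonName = %s\n' "$cn"
        printf '[ req_exts ]\nsubjectAltName = @SAN\n[ SAN ]\n'
        i=0
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/zert.conf"
    # -nodes: unencrypted key, so no passphrase prompt (drop it for a protected key)
    openssl req -config "$dir/zert.conf" -reqexts req_exts -newkey rsa:2048 \
        -sha256 -nodes -keyout "$dir/key.pem" -out "$dir/csr.pem"
}

# csr_dns_names CSR: prints the DNS entries of the request's SAN extension, one per line
csr_dns_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# csr_matches_key CSR KEY: succeeds if the request carries the public half of KEY
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}
```

Run csr_dns_names on the finished csr.pem and compare the list with the names you put in the ticket; a name missing here will also be missing from the issued certificate, and under Sectigo it cannot be added afterwards.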

5. The Download Mail

The download mail looks roughly like the following and offers the certificate in 7 variants for download. For a standard Apache setup, the second one from the top is probably the right one:

6. Miscellaneous

Information from TUM: http://www.it.tum.de/zertifikate/ and https://www.it.tum.de/faq/it-dienste/zertifikate/

Information from LMU: https://www.serviceportal.verwaltung.uni-muenchen.de/services/it/infrastrukturdienste/ausstellung_zertifikate/index.html#goto404268 (LMU login required.)

Last update: June 2, 2022
