Server Certificates (except GRID)


1. Introduction

  • This document is about server certificates for units hosted at the LRZ (web hosting or server hosting). You cannot obtain certificates from the LRZ for servers that are neither owned by the LRZ (or the BAdW) nor hosted at the LRZ.
  • In 2022 the certificate issuing instance migrated from DFN-PKI to GÉANT/Sectigo. The DFN-PKI doesn't issue certificates any more. The migration changed the certificate chain and the root certificate. There are several possibilities for the root, see https://doku.tid.dfn.de/de:dfnpki:tcs_ca_certs
  • Some processes change as well. In particular, a signed PDF is no longer necessary. Everything is now paperless.
  • Existing certificates from the DFN-PKI remain valid until they expire.

2. Overview

2.1. Web-Hosting

  1. If you use a custom name for your web server, you must ensure that this name or domain is validated. See Domain Validation below.
  2. Once the domain is validated, you don't need to do anything else. Your web server will get its certificate from us automatically.


2.2. Server-Hosting

Since you, as the server administrator, are responsible for the certificate, you have a choice of where to obtain it from. Essentially, you have the following options:

  1. From your own institution (for TUM: https://www.it.tum.de/it/zertifikate/ or Serverzertifikat beantragen, for LMU: pki@lmu.de)
  2. From the LRZ (this is especially necessary if the server name ends with srv.mwn.de or mhn.de, because nobody else but the LRZ can issue certificates for these domains)
  3. From the free market like Let's Encrypt

In case 2, the following applies:

  • If you use a custom name for your web server, you must ensure that this name or domain is validated. See Domain Validation below.
  • Once the domain is validated, create a private key and the request (see below Generate private key and CSR).
  • Then open a ticket ( https://servicedesk.lrz.de/ql/create/43 ) with your SIM account, requesting a certificate by specifying the desired name, and attach the request. (Don't attach the private key! The private key must be kept secret.) We also need a contact e-mail address, preferably a collective or group address, so that e-mails regarding the certificate still reach someone even if you may have left your institution in the meantime.
  • You will then receive a mail from Sectigo (see below), with which you can download your certificate in different formats (different variants of .pem, .cer and .p12).

Please note: Unlike in the DFN-PKI environment, it is not possible under GÉANT/Sectigo to add additional SANs (Subject Alternative Names) to an issued certificate. If you need additional SANs in your certificate, you must order a new one.

3. Domain Validation

Please note: Domain validations are only valid for 1 year and must then be renewed.

Additional notice: For a number of domains, such as *.lrz.de, *.badw.de and *.mwn.de, we take care of the validation ourselves. If your server is located in one of these namespaces, then you don't need to do anything.


For both the DFN-PKI and the new GÉANT/Sectigo environment, we (i.e. the LRZ, but also any other certificate issuer) can only issue certificates for names or domains if we have permission to do so. Technically, the domain must be validated.

Here again there are two cases:

3.1. Case 1: Your domain is hosted at the LRZ

Open a ticket with your SIM ID via https://servicedesk.lrz.de/en/ql/create/36 (via Selfservice, not Simple Submit) and inform us about the desired domain name. For domains hosted by us, we can then do the validation ourselves.

3.2. Case 2: Your domain is hosted elsewhere

Here you need to consider the following:

If you have configured a CAA record for your domain, it must be extended for Sectigo in advance (shown here using the example domain xxx-domain.de):

xxx-domain.de.       IN    CAA    0 issue "sectigo.com"

Leave previous entries as they are.

If you have not configured a CAA record, you do not need to do anything further in this regard.

For the validation, you also need a mailbox hostmaster@<Domain>, to which the validation mail is sent.

Then open a ticket with your SIM account via https://servicedesk.lrz.de/en/ql/create/36 and tell us the desired domain name. We then enter the domain for validation at Sectigo and send the validation mail to the above address. If this address does not exist, validation is not possible, at least not easily. If it is not possible for you to set up the mailbox hostmaster@<domain>, please mention this in the ticket. We will then consider if there could be an alternative possibility.


Please note that during the transition period it may be necessary to validate your domain in both the old and new environments.


4. Creating the Private Key and CSR

4.1. LINUX

4.1.1. Only 1 host name

If the certificate contains only one host name (Common Name - CN), the following command is sufficient:

  • Version with private key without password, generated on the corresponding host (here, for simplicity, it is assumed that the computer name, i.e. the hostname, should also be in the certificate. If not, just write the desired name instead of `hostname`):
openssl req -nodes -newkey rsa:4096 -out `hostname`-request.pem -keyout `hostname`-sec-key-ohnepass.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"


  • Version with password-protected private key generated on the corresponding host:
openssl req -newkey rsa:4096 -out `hostname`-request.pem -keyout `hostname`-sec-key.pem -subj "/CN=`hostname`.xxx/O=Bayerische Akademie der Wissenschaften/L=Garching b. Muenchen/ST=Bayern/C=DE"


The names of the output files are of course freely selectable. xxx must be replaced by the corresponding domain name. If the key length of 4096 causes problems, 2048 is also possible.

4.1.2. More than 1 host name

A certificate can contain more or less any number of host names (the CN plus Subject Alternative Names). These can be aliases of one server or names of several different servers, which then all get the same certificate (and the same private key). Unfortunately, the above openssl command only works with a single CN. If you want more than one name in the certificate, you have to assemble it as follows:

Write a text file (called zert.conf in the example) with the following content (for the LRZ CA):

[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Garching b. Muenchen
organizationName = Bayerische Akademie der Wissenschaften
commonName = Name des Servers (FQDN)
emailAddress = Mail address
[ req_exts ]
subjectAltName = @SAN
[ SAN ]
DNS.0 = DNS name like in Common Name
DNS.1 = additional DNS name
DNS.2 = additional DNS name …


Key and CSR are created with the following command:

openssl req -config zert.conf -reqexts req_exts -newkey rsa:2048 -sha256 -keyout key.pem -out csr.pem


The names of the output files (here key.pem and csr.pem) are, as usual, freely selectable.
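As an added example (not LRZ tooling), the following script builds the zert.conf from a list of host names, runs the openssl command from above, and then checks the CSR before it is attached to a ticket: the request must verify, every name must appear as a SAN, the public key in the CSR must match the private key, and the file must not be the private key. It assumes openssl is installed; the host names used in the test are constructed placeholders.

```shell
#!/bin/sh
# make_csr <outdir> <cn> [extra SAN names...]
# Writes zert.conf (same structure as on this page) and creates key + CSR.
make_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    conf="$outdir/zert.conf"
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_distinguished_name\n'
        printf '[ req_distinguished_name ]\ncountryName = DE\nstateOrProvinceName = Bayern\n'
        printf 'localityName = Garching b. Muenchen\n'
        printf 'organizationName = Bayerische Akademie der Wissenschaften\ncommonName = %s\n' "$cn"
        # DNS.0 repeats the CN, as the page says; further names follow as DNS.1, DNS.2, ...
        printf '[ req_exts ]\nsubjectAltName = @SAN\n[ SAN ]\nDNS.0 = %s\n' "$cn"
        i=1
        for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i+1)); done
    } > "$conf"
    # -nodes: unencrypted key, like the first Linux variant on this page
    openssl req -config "$conf" -reqexts req_exts -newkey rsa:2048 -sha256 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/csr.pem" 2>/dev/null
}

# check_csr <outdir> <name...>: returns 0 only if csr.pem is a sane request
# for exactly these names and belongs to key.pem.
check_csr() {
    outdir=$1; shift
    csr="$outdir/csr.pem"; key="$outdir/key.pem"
    # self-signature of the request must verify
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # the file to attach to the ticket must be a request, never the private key
    grep -q 'BEGIN CERTIFICATE REQUEST' "$csr" || return 1
    grep -q 'PRIVATE KEY' "$csr" && return 1
    # public key in the CSR must match the generated private key
    a=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ] || return 1
    # every requested name must be present as a DNS SAN
    text=$(openssl req -in "$csr" -noout -text)
    for n in "$@"; do
        echo "$text" | grep -qE "DNS:$n(,|$)" || return 1
    done
    return 0
}
```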

4.2. WINDOWS

The details of the following steps depend on the Windows version and look more or less like this:


  • Run the IIS console (e.g. by entering iis into the search field):

Select the site → Serverzertifikate:

Click on Zertifikatanforderung erstellen:

Enter the following values into the corresponding fields:

Gemeinsamer Name (CN): name of the computer, e.g. test123.lrz.de

Organisation (O): Bayerische Akademie der Wissenschaften

Organisationseinheit (OU): leave this blank

Ort (L): Garching b. Muenchen

Bundesland/Kanton (ST): Bayern

Land (C): DE


4.3. How to bind an existing Certificate to a Webserver

The certificate must be in .p12 format, which means it contains the private key.

Please note: Such certificates are normally encrypted; you need to know the password.


To provide the web server (IIS) with the certificate, open the IIS console and select the Site → Bindungen:

In the following dialog select the https entry and edit it:

Here you can select the certificate:

In the list you can select one of the certificates which have been installed into the Windows certificate store under Webhosting → Certificates.


5. The Download Mail

The download mail looks something like this and offers the certificate in 7 variants for download. For the standard Apache, the second one from above is probably the right one:



6. How to revoke a GÉANT/Sectigo certificate

It is recommended to revoke certificates which are taken out of operation before the end of their life.

6.1. First alternative

Open an IET incident for the LRZ-PKI team.

6.2. Second alternative

If you have certificate and private key, you can revoke the certificate yourself with this service:

https://secure.sectigo.com/products/RevocationPortalDetails?action=2a

Enter the necessary data into the corresponding fields:

7. Miscellaneous

Infos from TUM: http://www.it.tum.de/zertifikate/ 

Infos from LMU: https://www.serviceportal.verwaltung.uni-muenchen.de/services/it/infrastrukturdienste/ausstellung_zertifikate/index.html#goto404268 (LMU login required.)




Last update: Feb. 19, 2024