- This document is about server certificates for units hosted at the LRZ (web hosting or server hosting). You cannot obtain certificates from the LRZ for servers that are neither owned by the LRZ (or the BAdW) nor hosted at the LRZ.
- In 2022 the certificate issuing instance migrated from DFN-PKI to GÉANT/Sectigo. The DFN-PKI no longer issues certificates. The migration changed the certificate chain and the root certificate. Several root certificates are possible; see https://doku.tid.dfn.de/de:dfnpki:tcs_ca_certs
- Some processes change as well. In particular, a signed PDF is no longer necessary. Everything is now paperless.
- Existing certificates from the DFN-PKI remain valid until they expire.
Please note: Unlike in the DFN-PKI environment, it is not possible under GÉANT/Sectigo to add additional SANs (Subject Alternative Names) to an issued certificate. If you need additional SANs in your certificate, you must order a new one.
3. Domain Validation
Please note: Domain validations are only valid for 1 year and must then be renewed.
Additional notice: For a number of domains, such as *.lrz.de, *.badw.de and *.mwn.de, we take care of the validation ourselves. If your server is located in one of these namespaces, then you don't need to do anything.
For both the DFN-PKI and the new GÉANT/Sectigo environment, we (i.e. the LRZ, but also any other certificate issuer) can only issue certificates for names or domains if we have permission to do so. Technically, the domain must be validated.
Here again there are two cases:
3.1. Case 1: Your domain is hosted at the LRZ
Open a ticket with your SIM ID via https://servicedesk.lrz.de/en/ql/create/36 (via Selfservice, not Simple Submit) and inform us about the desired domain name. For domains hosted by us, we can then do the validation ourselves.
3.2. Case 2: Your domain is hosted elsewhere
Here you need to consider the following:
If you have configured a CAA record for your domain, it must be extended for Sectigo in advance (shown here using the example domain xxx-domain.de):
Leave previous entries as they are.
If you have not configured a CAA record, you do not need to do anything further in this regard:
For the validation, you also need a mailbox hostmaster@<domain>, to which the validation mail is sent.
Then open a ticket with your SIM account via https://servicedesk.lrz.de/en/ql/create/36 and tell us the desired domain name. We then enter the domain for validation at Sectigo, and the validation mail is sent to the above address. If this address does not exist, validation is not possible, at least not easily. If you cannot set up the mailbox hostmaster@<domain>, please mention this in the ticket. We will then consider whether an alternative is possible.
Please note that during the transition period it may be necessary to validate your domain in both the old and new environments.
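Before opening the ticket it is worth checking that your CAA policy would actually let Sectigo issue. The following script is an added example, not part of the LRZ documentation: it looks up the CAA record set that applies to a host name by walking up the labels (RFC 8659) and applies the "issue" tag rule; the zone data and domain names are constructed for the demo, and "issuewild" and parameters after ';' in issue values are not handled.

```shell
#!/bin/sh
# Added example, not part of the LRZ documentation. Decides from CAA data whether
# a CA identifier (Sectigo publishes "sectigo.com") may issue for a host name:
# walk up the labels until a name with CAA records is found, then the "issue"
# tags of that set decide. The zone data below is constructed for the demo.

ZONE='example-domain.de. 0 issue "letsencrypt.org"
example-domain.de. 0 issue "sectigo.com"
example-domain.de. 0 iodef "mailto:hostmaster@example-domain.de"
other-domain.de. 0 issue "letsencrypt.org"'

# caa_lookup NAME: prints the rdata of the closest CAA record set covering NAME
# (empty output if no name on the path has CAA records). With live DNS you would
# use the output of "dig +short CAA <name>" at each step instead of $ZONE.
caa_lookup() {
  name=$1
  while [ -n "$name" ]; do
    rrset=$(printf '%s\n' "$ZONE" | awk -v n="$name." '$1 == n { sub(/^[^ ]+ /, ""); print }')
    if [ -n "$rrset" ]; then
      printf '%s\n' "$rrset"
      return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;   # strip the leftmost label and try the parent
      *)   name='' ;;
    esac
  done
  return 0
}

# caa_permits RRSET ISSUER: prints "yes" or "no". No CAA set, or a set without any
# "issue" tag, leaves issuance unrestricted; otherwise an "issue" tag must name ISSUER.
# Simplification: issuewild and parameters after ';' in issue values are ignored.
caa_permits() {
  rrset=$1; issuer=$2
  if ! printf '%s\n' "$rrset" | grep -q '^[0-9][0-9]* issue '; then
    echo yes
    return 0
  fi
  if printf '%s\n' "$rrset" | grep -q "^[0-9][0-9]* issue \"$issuer\""; then
    echo yes
  else
    echo no
  fi
}

# Demo: is Sectigo allowed to issue for a host below each constructed domain?
for host in www.example-domain.de www.other-domain.de; do
  printf '%s: %s\n' "$host" "$(caa_permits "$(caa_lookup "$host")" sectigo.com)"
done
```

A "no" for the domain you want to order for means the CAA set needs the Sectigo entry added before the ticket is opened.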
4. Creating the Private Key and CSR
4.1.1. Only 1 host name
If the certificate contains only one host name (Common Name - CN), the following command is sufficient:
- Version with private key without password, generated on the corresponding host (here, for simplicity, it is assumed that the computer name, i.e. the hostname, should also be in the certificate. If not, just write the desired name instead of `hostname`):
- Version with password-protected private key generated on the corresponding host:
The names of the output files are of course freely selectable. xxx must be replaced by the relevant domain name. If a key length of 4096 bits causes problems, 2048 is also possible.
4.1.2. More than 1 host name
A certificate can contain practically any number of host names. These can be aliases of one server or names of several different servers, which then all get the same certificate (and the same private key). Unfortunately, the above openssl command only works with a single CN. If you want more than one name in the certificate, you have to assemble it as follows:
Write a text file (called zert.conf in the example) with the following content (for the LRZ CA):
Key and CSR are created with the following command:
The names of the output files (here key.pem and csr.pem) are, as usual, freely selectable.
The details of the following steps depend on the Windows version and look more or less like this:
- Run the IIS console (e.g. by entering iis into the search field):
Select the site → Serverzertifikate:
Click on Zertifikatanforderung erstellen:
Enter the following values into the corresponding fields:
Gemeinsamer Name (CN): name of the computer, e.g. test123.lrz.de
Organisation (O): Bayerische Akademie der Wissenschaften
Organisationseinheit (OU): leave this blank
Ort (L): Garching b. Muenchen
Bundesland/Kanton (ST): Bayern
Land (C): DE
4.3. How to bind an existing Certificate to a Webserver
The certificate must be in .p12 (PKCS#12) format, which means it contains the private key.
Please note: Such files are normally encrypted; you need to know the password.
To provide the webserver (IIS) with the certificate, open the IIS console and select the site → Bindungen:
In the following dialog select the https entry and edit it:
Here you can select the certificate:
In the list you can select one of the certificates which have been installed into the Windows certificate store under Webhosting → Certificates.
5. The Download Mail
The download mail looks something like this and offers the certificate in 7 variants for download. For the standard Apache, the second one from above is probably the right one:
6. How to revoke a GÉANT/Sectigo certificate
It is recommended to revoke certificates that are taken out of service before they expire.
6.1. First alternative
Open an IET incident for the LRZ-PKI team.
6.2. Second alternative
If you have the certificate and the private key, you can revoke the certificate yourself with this service:
Enter the necessary data into the corresponding fields:
Infos from TUM: http://www.it.tum.de/zertifikate/
Infos from LMU: https://www.serviceportal.verwaltung.uni-muenchen.de/services/it/infrastrukturdienste/ausstellung_zertifikate/index.html#goto404268 (LMU login required.)
Last update: Feb. 19, 2024