How-to Create a Server Certificate

The following how-to explains how to create a server certificate.

Please note that the person requesting the certificate must be registered as an IT representative, an EDP representative, a certificate representative or an employee at the URZ.

1a) Generate an ECC key pair using the tools provided by your server operating system. Our CA supports ECDSA-256 and ECDSA-384.
On Linux, use the following for ECDSA-384:
    openssl ecparam -out server.key -name secp384r1 -genkey
    chmod og-rwx server.key
1b) If you need compatibility with older systems, you can create an RSA key pair instead. Our CA supports RSA-2048 and RSA-4096.
On Linux, use the following for RSA-4096:
    dd if=/dev/urandom of=randfile bs=4096 count=1
    openssl genrsa -out server.key -rand randfile 4096
    chmod og-rwx server.key

We issue certificates for all FQDNs whose DNS zone is hosted on the university's name servers. Under Linux you can check this with nslookup -type=ns zu-testende-domain.de. If the name servers of belwue and the university are listed, we can issue certificates for you. Certificates with IP addresses in the CN or the SAN cannot be requested.

2a) To create the CSR, use the following command:
    openssl req -new -key server.key -out server.csr
For this, you will need the following information:

  • Country C=DE
  • State ST=Baden-Wuerttemberg
  • Organization O=Ruprecht-Karls-Universitaet Heidelberg
  • "Common Name" CN= (fully qualified server name as registered in the name server)

2b) If SANs are to be used, you can download our config file. Both the CN and all SANs must then be adjusted accordingly in that file. The CSR itself is created with:
    openssl req -new -key server.key -out server.csr -config server.conf

In both cases, our CA accepts SHA-256, SHA-384 and SHA-512 as the signature hash. The commands above use the OpenSSL default, SHA-256.
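The key generation and SAN-based CSR steps above, as an added example (not the URZ's script or its downloadable config file): it builds the ECDSA-384 key and CSR and then checks the CSR against the rules on this page (CN also listed in the SAN, no IP addresses, a supported key type and hash) before it is uploaded. The config contents are an assumption modelled on the fields listed above, and the hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the URZ's own tooling. Assumes OpenSSL 1.1.1 or newer on PATH.
# The [ req ] config below is an assumed minimal equivalent of the downloadable server.conf.
set -eu

# make_csr <fqdn> <san-list> <outdir>
# san-list uses OpenSSL subjectAltName syntax, e.g. "DNS:a.example,DNS:b.example".
make_csr() {
    fqdn=$1; sans=$2; dir=$3
    mkdir -p "$dir"
    # Step 1a: ECDSA-384 key, readable only by its owner.
    openssl ecparam -out "$dir/server.key" -name secp384r1 -genkey
    chmod og-rwx "$dir/server.key"
    # Step 2b: CN and SANs are filled into the config, then the CSR is built from it.
    cat > "$dir/server.conf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
C = DE
ST = Baden-Wuerttemberg
O = Ruprecht-Karls-Universitaet Heidelberg
CN = $fqdn
[ ext ]
subjectAltName = $sans
EOF
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/server.conf"
}

# check_csr <fqdn> <csr-file>: returns 0 when the CSR meets the rules on this page,
# 1 otherwise, printing the first violation found.
check_csr() {
    fqdn=$1; csr=$2
    text=$(openssl req -in "$csr" -noout -text) || { echo "CSR does not parse"; return 1; }
    # The CN must be exactly the requested FQDN.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case "$subj" in *"CN=$fqdn"*) ;; *) echo "CN mismatch: $subj"; return 1 ;; esac
    # Clients validate the SAN, not the CN, so the CN must appear there too.
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    case "$san" in *"DNS:$fqdn"*) ;; *) echo "CN not in SAN: $san"; return 1 ;; esac
    # The CA refuses IP addresses in the CN or SAN.
    case "$san" in *"IP Address:"*) echo "IP address in SAN: $san"; return 1 ;; esac
    # Key and hash must be among those the CA supports (ECDSA-256/384, SHA-256/384/512).
    case "$text" in *"ASN1 OID: secp384r1"*|*"ASN1 OID: prime256v1"*) ;; *) echo "unsupported key"; return 1 ;; esac
    case "$text" in *"ecdsa-with-SHA256"*|*"ecdsa-with-SHA384"*|*"ecdsa-with-SHA512"*) ;; *) echo "unsupported hash"; return 1 ;; esac
    return 0
}
```

Run make_csr with your FQDN and SAN list, then check_csr on the resulting server.csr; a non-zero exit names the problem to fix before submitting the CSR in step 5.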

3) Copy the Certificate Signing Request "server.csr" to your local system and open the university's page for requesting server certificates, "CertMine", from within the university network or via our VPN.

4) On this page, you log in with your ID, your password and a one-time password (OTP) from a token of our MFA platform. Only IT representatives, EDP representatives, certificate representatives and employees of the URZ are permitted to log in.

If you use KeePass as a token, you can configure the auto-type process with “{USERNAME}{TAB}{PASSWORD}{TAB}{TOTP}{ENTER}”.

(Screenshot: CertMine Login)

5) Use the web form to indicate the CSR to be submitted. Then click the "Absenden" button.

(Screenshot: Request SSL certificate)

6) On the following page, carefully double-check that all the information is correct. If the information is correct, you can send your request for further processing by clicking the "Einreichen" button.

(Screenshot: Check CSR)

7) The request will then appear at the top of the list of your requests. You can then apply for further certificates or log out. As soon as the certificate reaches the status “Verfügbar”, you can download it by clicking one of the three download arrows on the far right of the corresponding certificate line. The options are, in this order: "Certificate (pem)", "Certificate + Chain (pem)" and "Certificate + Chain (pkcs7)".

(Screenshot: Certificate Request List)

8) After the request has been submitted, the URZ will check it and normally authorize it by the next working day. If there are any questions, we will contact you. As soon as we have approved the application, the CA will issue the certificate, and we will inform you that the application process is complete with links for downloading the certificates.

9) The certificate file and any certificate chain must then be copied to the server and configured in the web server.