Heidelberg University
University Computing Centre Heidelberg logo

How-to Create a Server Certificate

The following how-to explains how to create a server certificate.

Please note that the person requesting the certificate must be registered as an IT representative, an EDP representative, a certificate representative or an employee at the URZ.

1a) Generate a ECC key pair using tools provided by your server operating system.
On Linux, use:
    openssl ecparam -out server.key -name secp384r1 -genkey
    chmod og-rwx server.key
1b) If you need compatibility with older systems, you can create an RSA key pair instead:
    dd if=/dev/urandom of=randfile bs=4096 count=1
    openssl genrsa -out server.key -rand randfile 4096
    chmod og-rwx server.key

2a) To create the CSR, use the following command:
    openssl req -new -key server.key -out server.csr
For this, you will need the following information:

  • Country C=DE
  • State ST=Baden-Wuerttemberg
  • Organization O=Ruprecht-Karls-Universitaet Heidelberg
  • "Common Name" CN= (full qualified server name as in the name server)

 2b) If SAN is to be used, you can download our Config file. Subsequently, both the CN and all SANs must be adjusted accordingly. The CSR itself is created with:
     openssl req -new -key server.key -out server.csr -config server.conf

3) Copy the Certificate Sign Request "server.csr" on your local system and access the university page to request server certificates "CertMine" from within the university network or using our VPN.

4) On this page, you log in with your ID, your password and a one-time password (OTP) from a token of our MFA platform. Only IT-, EDV- andZertifikatsbeauftragte and employees of the URZ are permitted to log in.

If you use KeePass as a token, you can configure the auto-type process with “{USERNAME}{TAB}{PASSWORD}{TAB}{TOTP}{ENTER}”.

CertMine Login

5) Use the web form to indicate the CSR to be submitted. Then click the "Absenden" button.

Request SSL certificate

6) On the following page, carefully double-check that all the information is correct. If the information is correct, you can send your request for further processing by clicking the "Einreichen" button.

Check CSR

7) This request will then appear at the top of the list of your requests. You will then have the option of applying for further certificates or logging out. As soon as the certificate attains the status “Verfügbar”, you can download it by clicking on one of the three download arrows located on the far right of the corresponding certificate line. Here you will have the options in the following order: "Certificate (pem)", "Certificate + Chain (pem)" and "Certificate + Chain (pkcs7)". 

Certificate Request List

8) After the request has been submitted, the URZ will check it and normally authorize it by the next working day. If there are any questions, we will contact you. As soon as we have approved the application, the CA will issue the certificate, and we will inform you that the application process is complete with links for downloading the certificates.

9) The certificate file and any certification chains must then be copied to the server and entered in the web server.

Deutsch

Contact