Certificates for encrypted connections to decentralized servers
In special cases where using the centrally provided server systems of the University is not appropriate and qualified personnel can ensure the secure operation of a decentralized server, a server certificate at DFN's “Global” security level can be applied for. This certificate lets you offer encrypted (TLS, e.g. https) connections to the decentralized server and is recognized by all major browsers and email clients.
The certificates are provided by DFN-Verein, and the URZ serves as the local contact and registration point for the certificate issuing process.
- IT representatives
- University employees
- Enables the acquisition of certificates for secure, encrypted connections to a decentralized (locally operated) server
Access and requirements
1. Generate a Certificate Signing Request (CSR) with the tools provided by your server operating system. This first creates an asymmetric key pair; the private key stays on the server, and only the request, which carries the public key, is submitted. You will need the following information:
- Country C=DE
- Organization O=Ruprecht-Karls-Universitaet Heidelberg
- Organizational Unit OU=(institute)
- City/Location L=Heidelberg
- State ST=Baden-Wuerttemberg
- “Common Name” CN= (fully qualified server name, exactly as registered in DNS)
- Email address of the server admin (no longer required since 1 December 2014)
- Key length >= 2048 bit (RSA)
On Linux (OpenSSL), the following commands create the key and the request. openssl req prompts interactively for the subject fields listed above; leave the optional challenge password empty. The -rand option found in older instructions is not needed, since current OpenSSL seeds its random generator from the operating system.
mkdir -p ssl.key ssl.csr
openssl genrsa -out ssl.key/server.key 2048          # private key, stays on the server
chmod og-rwx ssl.key/server.key                      # readable by the owner only
openssl req -new -sha256 -key ssl.key/server.key -out ssl.csr/server.csr   # request to upload
2. Save the Certificate Request as a local file.
3. Open the designated web page on the DFN-Verein (German Research Network) website (see link) and select the item "Serverzertifikat" (Server certificate). Fill out the application form there; it asks for additional name information and consent declarations and requires you to upload the saved request file. Then print out the application.
4. In addition, you must be accredited as a server administrator by an administrative liaison (permanent IT representative or executive director), using the linked PDF form.
5. Take the printed application and the accreditation form to the registration authority (RA) at the URZ IT Service. After the staff there have verified that all the information is correct (in particular, that the fingerprint of the uploaded request matches the one on the printed application), the RA approves the application. A short time later, you will receive the issued certificate from the certification authority (CA) of the DFN-Verein by email.
6. Finally, the certificate must be installed in the server environment; the procedure depends on the software you are using. The server must send the entire certificate chain (its own certificate together with the intermediate CA certificates); if it does not, clients that lack the intermediates will reject the connection, and the operator must supply the chain in the server configuration (see link).
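The local side of the six steps above as an added, runnable example (not URZ or DFN-Verein code): key and request with the subject fields from step 1, the fingerprint the RA compares in step 5, and the checks an operator runs in step 6 before and after installing the certificate. The host name host.urz.uni-heidelberg.de, the OU "URZ", the file layout and the local stand-in CA are assumptions for illustration only; the real certificate is issued by the DFN CA after RA approval.

```shell
#!/bin/sh
# Added example, not URZ or DFN-Verein code. Exercises the local side of the
# procedure: key and CSR with the subject fields from step 1, the values the
# RA compares in step 5, and the checks for step 6. Host name, OU and the
# local stand-in CA are assumptions for illustration.
set -eu

ORG="Ruprecht-Karls-Universitaet Heidelberg"

# Step 1: owner-only 2048-bit RSA key plus a SHA-256 signed request.
# $1 working directory, $2 FQDN as registered in DNS, $3 institute (OU)
make_csr() {
    mkdir -p "$1/ssl.key" "$1/ssl.csr"
    openssl genrsa -out "$1/ssl.key/server.key" 2048 2>/dev/null
    chmod 600 "$1/ssl.key/server.key"           # private key never leaves this host
    openssl req -new -sha256 -key "$1/ssl.key/server.key" \
        -subj "/C=DE/O=$ORG/OU=$3/L=Heidelberg/ST=Baden-Wuerttemberg/CN=$2" \
        -out "$1/ssl.csr/server.csr"
}

# Subject of a request whose self-signature verifies (fails if tampered). $1 CSR
csr_subject() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# RSA modulus size of the key in a request; the page requires >= 2048. $1 CSR
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# SHA-256 over the DER-encoded public key read as PEM from stdin. The same value
# computed from the CSR, the private key and the issued certificate proves all
# three belong together; compare it with what the DFN form shows for the upload.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
csr_fp()  { openssl req  -in "$1" -noout -pubkey | pubkey_fp; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey | pubkey_fp; }
key_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | pubkey_fp; }

# Step 6, before installing: the certificate must belong to your key ...
cert_matches_key() { [ "$(cert_fp "$1")" = "$(key_fp "$2")" ]; }   # $1 cert, $2 key
# ... and must validate against the chain the server will have to send.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }    # $1 cert, $2 chain PEM

# Step 6, after installing: how many certificates a client actually receives.
# 1 means the server sends only its own certificate and the chain is missing.
# Needs network access, so it is not part of the offline checks.
certs_sent_by() {                                                    # $1 host, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Stand-in for the DFN CA so the step-6 checks can run offline. Assumption for
# the example only: the real certificate arrives by email after RA approval.
# $1 working directory, $2 CSR; writes $1/server.pem and $1/chain.pem
issue_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA (not DFN)" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$2" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then      # sh this_script.sh demo
    work=$(mktemp -d)
    make_csr "$work" host.urz.uni-heidelberg.de URZ
    csr_subject "$work/ssl.csr/server.csr"
    echo "key bits: $(csr_key_bits "$work/ssl.csr/server.csr")"
    echo "request public-key fingerprint: $(csr_fp "$work/ssl.csr/server.csr")"
fi
```

Run with the argument demo to print the subject and the fingerprint you would compare at the RA; after the certificate arrives, run cert_matches_key and chain_ok on it with the DFN chain file before touching the server configuration, and certs_sent_by against the live host afterwards to confirm the full chain is served.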