How-To Group functions in CertMine
Group functions in CertMine
Groups in CertMine serve to simplify certificates and their management. With groups, you can:
- Manage certificates together
- Hand over certificates easily, e.g., when personnel changes occur
- Have certificates approved automatically
- Receive info emails about certificates at a group address
- Automate certificate issuance via ACME
Your AD account has a base group that is derived from its OU in AD. Each base group is assigned corresponding auto-approver domains. Certificates for these domains and their subdomains are issued by the URZ directly, without human approval. All subgroups inherit the domains of their base group.
Open group management
To open group management, please proceed as follows:
- Click on your account in the menu bar.
- Click on “Manage groups” in the menu that opens.

Create groups
In group management, the following steps must be performed to create a subgroup of an existing group:
- In the “Create subgroup” section, select the parent group.
- Enter the group name. It may consist of letters, numbers, and hyphens.
- Optionally, specify an email address for the group; all emails about the group's certificates are then sent to this address in addition to the requester.
- Clicking on “Create group” will create the group immediately.
The full name of a new subgroup consists of the name of the parent group followed by a period and the name of the subgroup. So if the parent group is “test.it” and the group name is “loadbalancer,” the full group name is “test.it.loadbalancer.”

Switch active group and open group page
The active group determines which certificates are visible and for which group new certificates are requested.
- Click on your own account in the menu.
- Then select the group from the list and click on it.

Manage a group
Open the group page of a group as described above.
- In the first field, you can customize the group name.
- In the second field, you can customize the group's email address.
- Under “Users,” you can select which accounts from the corresponding base group should be members of this group.
- Once you have made all the necessary adjustments, please click on “Customize group.”
Adjustments to base groups are not possible.

Automatic approval
On the group page, under “Autoapprover” on the right, you will see the domain suffixes for which certificates are approved automatically, without review by our team. Wildcard certificates always require manual approval.
Automatic certificate issuance with ACME
ACME is the acronym for Automatic Certificate Management Environment, a protocol for automatically managing server certificates. CertMine offers ACME as an interface to ensure that local servers always have up-to-date certificates. Only certificates that can be automatically approved in your group can be obtained via ACME, so wildcard certificates cannot be requested via ACME.
To bind ACME accounts to CertMine groups, we use External Account Binding (EAB): an ACME account is created for a group in CertMine, and all certificates requested via this account are assigned to that group and managed as usual.
Set up ACME account
On the respective group page, please click on the “Create new account” button on the right-hand side (see above) to generate a key.
Note: Ensure that the entire process remains confidential, i.e., that it is carried out on a secure device and that no unauthorized persons are present and no AI tools such as Copilot Vision or Recall are active.
- Please save the Key ID (KID) and HMAC key immediately in encrypted form, e.g., in a secure password safe or an Ansible vault.
- Enter the domain names that are valid for this ACME account. In the first input field, the prefix can contain letters, numbers, the period (“.”), the hyphen (“-”), and a single asterisk (“*”) as a placeholder for any valid character.
- Select the suffix of the valid domain name from the list in the right-hand input field.
- Enter an optional note for this account, e.g., describing the use of the account.
- Read the instructions carefully and then click the box to the right of “Confirm instructions.”
- Activate the account by clicking on “Activate account.”
The account is then ready for immediate use and certificates can be requested via it.

Apply for a certificate via ACME
The exact procedure for requesting server certificates via ACME depends heavily on the operating system used, the server software, and your management tools. We recommend that you refer to the manufacturer's documentation. To verify the server, ACME performs an HTTP challenge: the client publishes a challenge token on the server via HTTP, and CertMine fetches this token as part of the ACME validation.
This results in the following preconditions:
- The ACME client must be on the university network and have access to CertMine.
- The ACME client must be reachable from CertMine on port 80 and be able to provide the challenge token there.
The following general procedure is necessary during setup:
- Ensure that the prerequisites are met.
- Install an ACME client such as certbot on your system.
- Enter the address of the ACME server: https://certmine.urz.uni-heidelberg.de/acme/
With certbot, this is done using the command line option --server=https://certmine.urz.uni-heidelberg.de/acme/
- Enter the KID and HMAC key in the configuration.
With certbot, this is done using the command line options --eab-kid=<KID of the account> and --eab-hmac-key=<HMAC key of the account>.
- Now run your ACME client as usual and set it up as a cron job.
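The setup steps above, worked through for certbot as an added example (not part of the CertMine page and not URZ-provided tooling). It assumes certbot's documented cli.ini config file, which accepts the same long options as the command line and keeps the KID and HMAC key out of the process list and shell history; the KID, HMAC key, webroot path, contact address and domain names used here are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CertMine page: prepare certbot for CertMine's ACME
# endpoint with External Account Binding. All credential values are constructed
# placeholders; replace them with the KID and HMAC key from your group's ACME account.

CERTMINE_ACME_SERVER="https://certmine.urz.uni-heidelberg.de/acme/"

# CertMine issues no wildcard certificates via ACME and an empty name is a mistake,
# so refuse both before certbot ever contacts the server.
certmine_check_domain() {
    name="$1"
    [ -n "$name" ] || return 1
    case "$name" in
        *\**) return 1 ;;
    esac
    return 0
}

# Print certbot cli.ini content: server URL plus the EAB credentials.
certmine_cli_ini() {
    kid="$1"; hmac="$2"
    [ -n "$kid" ] && [ -n "$hmac" ] || return 1
    printf 'server = %s\neab-kid = %s\neab-hmac-key = %s\n' \
        "$CERTMINE_ACME_SERVER" "$kid" "$hmac"
}

# Write cli.ini readable only by its owner; the HMAC key is a secret (see the
# note about storing KID and HMAC key in encrypted form).
certmine_write_cli_ini() {
    path="$1"; kid="$2"; hmac="$3"
    ( umask 077; certmine_cli_ini "$kid" "$hmac" > "$path" ) || return 1
    chmod 600 "$path"
}

# Build (print, not run) the certbot command for one domain using the webroot
# plugin, which serves the HTTP challenge token from the given directory on port 80.
certmine_certbot_cmd() {
    domain="$1"; config="$2"; email="$3"; webroot="${4:-/var/www/html}"
    certmine_check_domain "$domain" || return 1
    printf 'certbot certonly --non-interactive --agree-tos -m %s -c %s --webroot -w %s -d %s\n' \
        "$email" "$config" "$webroot" "$domain"
}

# Crontab line for the renewal step; certbot renew only acts on certificates
# that are close to expiry, so running it daily is harmless.
certmine_cron_line() {
    printf '%s\n' '17 3 * * * root certbot renew --quiet'
}

# Usage: write the config, then show the command and cron line for one host.
certmine_write_cli_ini /tmp/certmine-cli.ini CONSTRUCTED-KID CONSTRUCTED-HMAC-KEY
certmine_certbot_cmd web.test.it.uni-heidelberg.de /tmp/certmine-cli.ini admin@example.org
certmine_cron_line
```

In production, put the file at /etc/letsencrypt/cli.ini (certbot's default config path) instead of /tmp, so certbot picks it up without the -c option, and remove the secret from any shell history if you ever pass it on the command line instead.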
ACME without http challenge
If you want to set up ACME for a system that cannot be accessed from CertMine, please create an ACME account anyway. Then use the link on the right-hand side to request that the HTTP challenge be deactivated.
We only approve ACME accounts that are limited to a specific domain name and therefore do not contain an “*”.
Please note that deactivating the challenge poses a significant security risk: any system with access to the KID and HMAC key can then request a certificate without further verification. For this reason, we only allow this in justified exceptional cases. If technically possible, it usually makes more sense to allow connections from CertMine (129.206.6.176) and CertMine-Dev (129.206.4.74, for testing) on port 80.
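One way to implement the recommended alternative, as an added example that is not part of the CertMine page: an nftables ruleset that admits TCP port 80 only from the two CertMine addresses named above, so the HTTP challenge can stay enabled on a host that is otherwise closed. The table, set and chain names are assumptions; check the generated rules against your existing firewall before loading them with nft -f.

```shell
#!/bin/sh
# Added example, not from the CertMine page. Generates an nftables ruleset that
# allows port 80 only from the listed validator addresses and drops it otherwise.
# Table/set/chain names are assumptions chosen for this example.

# The two CertMine addresses given on the page (production and Dev/testing).
CERTMINE_IPS="129.206.6.176 129.206.4.74"

# certmine_nft_ruleset PORT "IP IP ..." prints the ruleset to stdout.
certmine_nft_ruleset() {
    port="$1"; ips="$2"
    [ -n "$port" ] && [ -n "$ips" ] || return 1
    elems=$(printf '%s' "$ips" | sed 's/ /, /g')
    cat <<EOF
table inet certmine_acme {
    set acme_validators {
        type ipv4_addr
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $port ip saddr @acme_validators accept
        tcp dport $port drop
    }
}
EOF
}

# Usage: print the ruleset for port 80; load it with  nft -f <file>  after review.
certmine_nft_ruleset 80 "$CERTMINE_IPS"
```

The accept rule for the validator set comes before the drop rule, and the chain keeps policy accept so that nothing else on the host is affected; port 80 is the only service this table touches.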