Important Notes

Beta Phase

The Public Key Infrastructure Service is currently only available to faculty for research purposes.

Contact IT Support First

Before requesting a certificate as described below, consult Service Desk for Faculty and Staff first.

Unsolicited certificate requests will be removed without further notice.

User Certificate

Requesting the Certificate

Requirements

  • The web pages require JavaScript (and, in MSIE, ActiveX) to function properly.
  • You need access to the same computer you generate the request on again a few days later, because the private key is kept there.

Creating the Certificate

The following description is given for Microsoft Internet Explorer Version 5.

  • Browse to https://pki.pca.dfn.de/jacobs-university-ca-g2/pub.
  • If not already there, click on the tabs "Zertifikate" -> "Nutzerzertifikat".
  • In the form,
    • Enter your Jacobs University email address
    • Enter your name EXACTLY AS WRITTEN in your official document (passport, Bundespersonalausweis) as first name followed by last name; a preceding Prof., Dr., or other title must be omitted
    • Don't enter anything in the "Abteilung" text box
    • Enter a PIN of at least 8 characters (be sure to remember it, there is no way to retrieve it; watch out for different keyboard layouts and key assignments, especially between English and German!)
    • Tick the "Ich stimme der Zertifizierungsrichtlinie zu." check box to agree to the terms and conditions of this service as published at https://info.pca.dfn.de/dfnpki-cp-cps/DFN-PKI_CP.pdf or in the service description.
    • Tick the "Ich stimme der Veröffentlichung des Zertifikats zu." check box to have the certificate published.
  • Click on "Weiter" to continue.


Check the information on the next page for correctness. Ignore the "Erweiterte Optionen" option. If you have to change anything, click on "Ändern". If everything is okay, click on "Bestätigen".


A warning dialogue regarding a "Potential Scripting Violation" appears; click on "Yes".


A dialogue appears telling you that the browser is "Creating a new RSA exchange key". Ignore the various options and click "OK".


Within an instant, a new certificate request is created. You have to print the resulting certificate request by clicking on "Zertifikatantrag anzeigen", which will result in a PDF document.

Paper Required

Fill in the paper document and sign it exactly as you signed your official ID document.

Bring the filled-in document and your official identification document proving your name, either your passport or, for German citizens, your Bundespersonalausweis, to the Service Desk for Faculty and Staff during office hours.

Personal Appearance is REQUIRED

Certificates are all about personal authentication!

YOU HAVE TO APPEAR IN PERSON!

Sending the document or a copy by mail is not acceptable. Sending a proxy, friend, student, team assistant, trainee, etc. is also NOT POSSIBLE!

Please check the terms and conditions of this service at URL DFN CS.

Only members of Jacobs University are eligible to receive a personal certificate!

The paper will remain at the IRC-IT office. If you require a copy, bring two printouts.

IRC-IT will check the given information based on the documents you provide.

Completing the Certificate

Certificate Information

After a while, you will receive an email (in German), from "cert-admin@jacobs-university.de", with the subject "Jacobs University CA Zertifikatinformation":

Dear user,

the processing of your certification request is now complete.

Your certificate with the serial number YOURCERTIFICATENUMBERHERE has been issued in the name of
YOURNAMEHERE
and is attached to this email.

You need the serial number in order to be able to revoke your certificate if necessary.

To use your certificate, you have to import all of the following certificates into
your browser. Make sure that you import the certificates on the computer from
which you submitted the request, because that is where the corresponding key
is located.

1. For the CA certificates, please go to the page

https://pki.pca.dfn.de:443/jacobs-university-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=index;id=2

and follow the instructions.

2. You can obtain your own certificate directly via the following link:

https://pki.pca.dfn.de:443/jacobs-university-ca/cgi-bin/pub/pki?cmd=getcert&key=YOURCERTIFICATENUMBERHERE&type=CERTIFICATE

Kind regards

Your PKI team at Jacobs University Bremen gGmbH

This gives you several important pieces of information:

  • the serial number of your personal certificate (needed for revocation)
  • the textual details of your personal certificate
  • the link to the CA certificates, which you have to import in addition ("1.")
  • the link to complete your request from before and install the full certificate ("2.")

Same Computer and Same Browser

For finalizing the certificate, you have to use the same computer and the same browser which you used to create the certificate request in the step before!

If you are not using a Microsoft browser on a Microsoft operating system, you have to follow the link given at "1." and import all certificates from the tabs, from left to right.

See also How to import Jacobs University Certificates into Web Browsers.

Then, click on the link given at "2." in the email.


Click on "Zertifikat importieren".


The same warning message as above appears; click "Yes".


The message "Das Zertifikat wurde erfolgreich installiert." appears.

Done

Congratulations, you now have a personal certificate, tracing its trust root back to the Deutsche Telekom Root Certificate Authority, and valid world-wide!

Exporting the Certificate

To make the certificate available to other applications, you have to export it into a file and import it into the respective application. The documentation is given for Microsoft Internet Explorer Version 5.

Security

Ensure that the computer holding the key and the exported file is sufficiently protected!

  • Click Tools -> Internet Options -> Content -> Certificates
  • In the "Personal" tab, select your certificate, click on "Export..."
  • In the wizard, click "Next >", select "Yes, export the private key", click "Next >", leave all options as they are, click "Next >", enter a STRONG password (twice for verification), click "Next >", specify a file name to save the key to, click "Next >", review the information (remember the file path!) and click "Finish".
  • In the warning dialogue titled "Exporting your private exchange key!" that appears, click "OK".
  • A dialogue appears telling you that "The export was successful."

You now have the private and public key of your certificate exported to a file on this computer. You can copy this file to the application that needs it and import it there.

Confidentiality

Use a strong password so that the exported private key cannot be read by anyone else.

Using the Certificate with Firefox 1.5 English

Importing the Certificate

The documentation is given for Firefox Version 1.5.

  • Click "Tools", "Options".
  • In the "Advanced" tab, choose "View Certificates"; the "Certificate Manager" appears.
  • Click "Import".
  • Browse to the file as exported in the step before, select it, and click "Open".
  • Enter the password you assigned in the export step above.
  • The message "Successfully restored your security certificate(s) and private key(s)." appears.

Using the Certificate in Microsoft Outlook 2003 English

Importing the Certificate

If the certificate has been generated with Microsoft Internet Explorer, or has been imported with this tool, Microsoft Outlook can immediately make use of the certificate, e.g. for signing emails.

Enable default Signing of Messages

  • Click "Tools" -> "Options..." -> "Security"
  • Tick the "Add digital signature to outgoing messages" check box.

Each message sent will now be digitally signed, so that no one can tamper with its content unnoticed.

Each time a message is sent, Outlook requests access to the certificate store.

Revoking the Certificate

In case of a security breach, you should immediately revoke your certificate. This requires the serial number and the PIN you defined when creating the certificate. TBC

Your PIN

Treat your PIN as highly confidential, and don't lose it!

Server Certificate

The easiest way to create the private key and the CSR is to use openssl. Most Linux distributions ship with openssl installed. If you are a Windows user or cannot use openssl for some reason, you can use the openssl installation on the Jacobs University login server. Open an ssh session to login.jacobs-university.de with your Campus.Net account and password. Windows users can use PuTTY to open the ssh session to login.jacobs-university.de.

The following procedure describes how to create a private key and a CSR from a Windows computer using PuTTY to ssh to login.jacobs-university.de.

Start PuTTY, type 'login.jacobs-university.de' into the 'Host Name' field and click on the SSH radio button below the port field.

You may have to change the preferred SSH version from 1 to 2. Click on SSH on the left side to see all options controlling the ssh connection. If '1' or '1 only' is selected, change it to '2'.

Then click on the 'Open' button and accept the presented fingerprint. The fingerprint is shown in the picture below.

Then type your Campus.Net user name, press Enter and type your Campus.Net password. The login server shows your current quota usage, and you get a prompt where you can type the commands to create your private key and your CSR.

Creating Private Key and Certificate Signing Request

Create Private Key

openssl genrsa -out servername.key 2048

Create CSR (Certificate Signing Request)

The fields 'State or Province Name (full name) [Some-State]:', 'Locality Name (eg, city) []:' and 'Email Address []:' have to be blank. openssl needs a '.' to leave a field blank; otherwise the default value shown in brackets is used.

openssl req -new -key servername.key -out servername.csr

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Jacobs University Bremen gGmbH
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:servername.jacobs-university.de
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You can copy your new private key and CSR to your local computer with scp (Windows users can use pscp) or, more simply, copy and paste the content of both files into local text files.

The command 'cat' shows you the content of your newly created files.

makaiser@login:~> cat mykey.key 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
makaiser@login:~> 

BTW: I changed the content of my private key file (wink)

You may need to resize your PuTTY window to see the complete content of the file. Mark the whole content with your mouse, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines, paste it into Windows Notepad, for example, and save the file. Do the same for the CSR: cat mycsr.csr.
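The same key and CSR creation as above, done non-interactively with openssl's -subj option so that the blank-field convention is applied reliably, followed by checks of the CSR subject and of the CSR/key pairing before anything is uploaded. This is an added example, not code from the page; it assumes the openssl CLI is on PATH, the host name servername.jacobs-university.de is the page's placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive generation of
# a server key and CSR following the page's field convention, plus a
# consistency check before the CSR is uploaded. Assumes the openssl CLI is
# on PATH; the host name passed in is a constructed placeholder.
set -eu

# Generate a 2048-bit RSA key and a CSR for the given host name. Only C, O
# and CN are set, which mirrors answering '.' for State, Locality, OU and
# Email in the interactive dialogue. The key file is made readable by its
# owner only, since it must never leave the server unprotected.
make_key_and_csr() {
    host="$1"
    openssl genrsa -out "$host.key" 2048 2>/dev/null
    chmod 600 "$host.key"
    openssl req -new -key "$host.key" -out "$host.csr" \
        -subj "/C=DE/O=Jacobs University Bremen gGmbH/CN=$host"
}

# Print the subject of a CSR so it can be checked before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Return 0 if the CSR's self-signature verifies and its embedded public key
# is the one belonging to the given private key; 1 otherwise.
csr_matches_key() {
    csr="$1"
    key="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Demonstration in a scratch directory with a constructed host name.
demo() {
    dir=$(mktemp -d)
    ( cd "$dir"
      make_key_and_csr servername.jacobs-university.de
      csr_subject servername.jacobs-university.de.csr
      if csr_matches_key servername.jacobs-university.de.csr \
                         servername.jacobs-university.de.key; then
          echo "CSR and key belong together"
      else
          echo "CSR does not match key"
      fi )
    rm -rf "$dir"
}

demo
```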

Requesting the Certificate

Requirements

  • The web pages require JavaScript (and, in MSIE, ActiveX) to function properly.
  • You need access to the same computer you generate the request on again a few days later.

The following description is given for Microsoft Internet Explorer Version 5.

  • Browse to https://pki.pca.dfn.de/jacobs-university-ca-g2/pub.
  • If not already there, click on the tabs "Zertifikate" -> "Serverzertifikat".
  • In the form,
    • Click on Browse and select the file in which you saved the CSR (the content of the file mycsr.csr)
    • Enter your name EXACTLY AS WRITTEN in your official document (passport, Bundespersonalausweis) as first name followed by last name; a preceding Prof., Dr., or other title must be omitted
    • Enter your Jacobs University email address
    • Don't enter anything in the "Abteilung" text box
    • Enter a PIN of at least 8 characters (be sure to remember it, there is no way to retrieve it; watch out for different keyboard layouts and key assignments, especially between English and German!)
    • Tick the "Ich stimme der Zertifizierungsrichtlinie zu." check box to agree to the terms and conditions of this service as published at https://info.pca.dfn.de/dfnpki-cp-cps/DFN-PKI_CP.pdf or in the service description.
    • Tick the "Ich stimme der Veröffentlichung des Zertifikats zu." check box to have the certificate published.
  • Click on "Weiter" to continue.
  • Check the information on the next page for correctness. If you have to change anything, click on "Ändern". If everything is okay, click on "Bestätigen".

    Within an instant, a new certificate request is created. You have to print the resulting certificate request by clicking on "Zertifikatantrag anzeigen", which will result in a PDF document.

Paper Required

Fill in the paper document and sign it exactly as you signed your official ID document.

Bring the filled-in document and your official identification document proving your name, either your passport or, for German citizens, your Bundespersonalausweis, to the Service Desk for Faculty and Staff during office hours.

Personal Appearance is REQUIRED

Certificates are all about personal authentication!

YOU HAVE TO APPEAR IN PERSON!

Sending the document or a copy by mail is not acceptable. Sending a proxy, friend, student, team assistant, trainee, etc. is also NOT POSSIBLE!

Only members of Jacobs University are eligible to receive a personal certificate!

The paper will remain at the IRC-IT office. If you require a copy, bring two printouts.

IRC-IT will check the given information based on the documents you provide.

Completing the Certificate

Certificate Information

After a while, you will receive an email (in German), from "cert-admin@jacobs-university.de", with the subject "Jacobs University CA Zertifikatinformation". Follow the instructions therein to complete the certificate creation.

Grid Certificate

If you are participating in European Grid projects, IRC-IT can also issue user certificates and server certificates according to the requirements of the European Policy Management Authority for Grid Authentication (EUGridPMA).

Grid User Certificate

Almost the same as above. Use this URL to create a user certificate.

Click on "Beantragen eines Zertifikats", then "Zertifikatantrag für Nutzer",

  • at Zertifikatdaten
    • enter your email address and full name (no titles, no umlauts)
    • DON'T enter a department
  • at Nutzerangaben
    • enter your email address again
    • DON'T enter a department
    • telephone number is optional
    • enter a PIN twice. You'll need this for revoking the certificate, so don't lose it
  • accept the certification policy
  • accept publication of the certificate

Click on Weiter, select the default security provider, accept the certificate generation.

Print the document and visit Service Desk for Faculty and Staff during open office hours, personally, with an official photo id (passport, Bundespersonalausweis).

Grid Server Certificate

Almost the same as above. Use this URL to create a server certificate.


2 Comments

  1. A nifty hint for using these certificates in a Microsoft IIS:

    openssl pkcs12 -export -in servername.pem -inkey servername.key -certfile cacert.crt -out servername.p12

    You will be asked for an export password, which you need during import in IIS.

  2. PLEASE NOTE: that you actually need to enter the city and state for the server certs

    i.e.

    State or Province Name (full name) [Some-State]:Bremen
    Locality Name (eg, city) []:Bremen