IT Knowledge Base

Create a CSR (Certificate Signing Request)


Warning!

To obtain a TLS/SSL certificate, a CSR (Certificate Signing Request) file must be created first.


How to create CSR

Guidance for Linux at SWITCH.

On Windows systems this can be done as follows:

First, an inf file must be created. The following content can be used as a template:


[NewRequest]
; Subject of the request; replace CN, O and C with your own values
Subject = "CN=DemoServer.ethz.ch,O=ETH Zurich,C=CH"
KeyLength = 2048
; 1 = AT_KEYEXCHANGE (key usable for signing and key exchange)
KeySpec = 1
; set to True if the certificate will be used on another system (see the "Target server" note below)
Exportable = False
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
; store the private key in the machine key store, not in the user's key store
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
; 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xA0
Silent = True

[Extensions]
; 2.5.29.17 = Subject Alternative Name; list every DNS name the certificate must cover
2.5.29.17 = "{text}"
_continue_ = "dns=Demo.ethz.ch&"
_continue_ = "dns=AuchDemo.ethz.ch&"


Note: Customize server name

Replace the server names in the example above with your own.


Note: Target server

If the CSR file is not created on the system where the certificate is to be used later, the "Exportable" parameter must be set to "True": the certificate first has to be installed on the Windows system on which the CSR file, and thus the private key, was created, and then exported together with the private key to the target system.


The CSR file is then created with "certreq -new Demo.inf Demo.csr".
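The following PowerShell script is an added example and not part of the original page or the ETH PKI tooling. It generates the inf file from parameters, runs certreq exactly as above, and then decodes the resulting CSR with certutil to confirm that every host name landed in the SAN extension. It also puts the CN into the SAN list, since browsers match host names against the SAN extension only. The host names, paths and the switch name TargetIsOtherServer are placeholders and assumptions; run it in an elevated PowerShell on the server that will use the certificate.

```powershell
# Added example (not from the original page): build the certreq .inf from parameters,
# create the CSR, and check that every name ends up in the SAN extension.
# Assumptions: elevated PowerShell on the Windows server that will use the certificate;
# host names below are placeholders to replace with your own.

param(
    [string]$CommonName = 'DemoServer.ethz.ch',                    # placeholder
    [string[]]$AltNames = @('Demo.ethz.ch', 'AuchDemo.ethz.ch'),   # placeholders
    [string]$Organization = 'ETH Zurich',
    [string]$Country = 'CH',
    [switch]$TargetIsOtherServer,                                  # sets Exportable = True
    [string]$OutDir = (Get-Location).Path
)

# The CN is added to the SAN list if it is missing: browsers validate the host name
# against the SAN extension only, so a CN that is absent from SAN is not matched.
$sans = @($CommonName) + @($AltNames | Where-Object { $_ -ne $CommonName })
$exportable = if ($TargetIsOtherServer) { 'True' } else { 'False' }
$base = $CommonName.Split('.')[0]
$infPath = Join-Path $OutDir "$base.inf"
$csrPath = Join-Path $OutDir "$base.csr"

$sanLines = $sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }

$inf = @"
[NewRequest]
Subject = "CN=$CommonName,O=$Organization,C=$Country"
KeyLength = 2048
KeySpec = 1
Exportable = $exportable
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xA0
Silent = True

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the CSR as described on the page. certreq generates the private key in the
# machine key store (MachineKeySet = True) and writes the PKCS#10 request file.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verification: decode the request and confirm that each expected DNS name is present.
$dump = & certutil.exe -dump $csrPath
$missing = $sans | Where-Object { -not ($dump -match "DNS Name=$([regex]::Escape($_))") }
if ($missing) {
    Write-Warning "Names missing from the SAN extension: $($missing -join ', ')"
} else {
    Write-Host "CSR written to $csrPath with SAN entries: $($sans -join ', ')"
}
```

The inf written by the script is identical to the template above apart from the parameterised values; the decode step is what catches a request whose SAN list was typed incorrectly before it is submitted to the PKI.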





Obtain TLS/SSL certificate



  • Press "Request Certificate".

There are three profiles to choose from. The profile names are completed by the support group.

  • ETH WebServer:
    Internally trusted, chained to the ETH Root Certification Authority. The ETH Root certificate and the ETH Issuing certificate must be installed on the systems involved (Download PKI security certificates). No restriction on the number of addresses. Can be issued for one, two or three years. Browsers accept only certificates valid for one year, but for web services between two servers a longer validity can be used.

  • DC WebServer:
    Publicly trusted, chained to the DigiCert Root Certification Authority. Validity one year. Number of addresses unlimited. When billing, one certificate is charged for every six addresses.

  • Upload the CSR via "Choose File".

  • For the ETH WebServer profile, select the validity.

  • Enter a valid mail address at "Recipient Email".

  • Press the "Request" button.

  • After a few seconds, the certificate is ready for download.

  • At "Show Delivery Formats ..." you can select the download format and whether the root and intermediate certificates are included.

  • If the certificate is needed again later, it can be downloaded again at any time.




Install TLS/SSL certificate


  • Open the certificate file.

  • Press "Install Certificate".

  • Select "Local Machine" and press Next.

  • You may be prompted for the user name and password of an administrator.

  • Next.

  • Finish.

Note

If the certificate is to be used on another server, the certificate must be exported together with its private key:

Open the certificate management console with certlm.msc.

Export the server certificate with the private key.
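The following PowerShell script is an added example and not part of the original page. It performs the same steps as the GUI procedure above: it imports the issued certificate into the Local Machine store, checks that the certificate is bound to the private key that certreq generated (the check that fails when the CSR was made on a different machine or without MachineKeySet = True), and, when the certificate has to move to another server, exports it as a PFX with the private key, which is what the certlm.msc export does. The file paths and the switch name ExportForOtherServer are placeholders and assumptions.

```powershell
# Added example (not from the original page): import the issued certificate into the
# machine store, verify that it is bound to the private key generated by certreq, and
# export it with the private key when it has to move to another server.
# Assumptions: elevated PowerShell on the server where the CSR was created; the file
# names are placeholders.

param(
    [string]$CertFile = 'C:\certs\DemoServer.cer',   # placeholder: certificate downloaded from the PKI
    [string]$PfxFile = 'C:\certs\DemoServer.pfx',    # placeholder: only used with -ExportForOtherServer
    [switch]$ExportForOtherServer
)

# Equivalent of "Install Certificate" -> "Local Machine" in the GUI.
$imported = @(Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\My')[0]
$cert = Get-ChildItem "Cert:\LocalMachine\My\$($imported.Thumbprint)"

Write-Host "Installed: $($cert.Subject)  serial $($cert.SerialNumber)  expires $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
Write-Host "SAN: $san"

# The private key is only attached if the CSR (and hence the key) was created on this
# machine with MachineKeySet = True. Otherwise certutil can try to re-associate the key.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key bound; trying certutil -repairstore (works only on the machine that created the CSR).'
    & certutil.exe -repairstore my $cert.SerialNumber
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Private key still missing: the CSR was not created on this machine or the key is not in the machine key set.'
    }
}

# Export for another server. This requires Exportable = True in the .inf; with
# Exportable = False the export fails. Equivalent of certlm.msc -> Export with private key.
if ($ExportForOtherServer) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath $PfxFile -Password $pfxPassword -ChainOption BuildChain | Out-Null
    Write-Host "Exported $PfxFile; copy it to the target server and import it there with Import-PfxCertificate."
}
```

The HasPrivateKey check is worth running even when the GUI import reports success: the import itself does not tell you whether the key is attached, and a certificate without its private key cannot serve TLS.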




Renew TLS/SSL certificate


  • When a TLS/SSL certificate is about to expire, an email with the request to renew the certificate is sent to the email address stored with the certificate 60, 30, 10 and 5 days before expiry.

  • It is best to copy the serial number from the e-mail and use it to search for the certificate in the PKI frontend.

  • At the bottom of the page you find the "Renew" button.


Warning!

Due to the migration from QuoVadis to DigiCert, it is no longer possible to request or renew a certificate from QuoVadis. The "Renew" button is greyed out.

Instead you have to order a new certificate from DigiCert (the profile name starts with "DC WebServer").

To stop the renewal notifications, you can revoke the old certificate after installing the new one.


  • Order a new certificate with "Request Certificate ...".

It is not possible to order a so-called soft token via our PKI, but the button cannot be hidden. If you press this button, you will receive an error message that you are not authorized.

  • From that point the procedure is identical to a new order: select the profile, upload the CSR and then press Renew (instead of Request).
  • For the further procedure, see "Obtain TLS/SSL certificate" and "Install TLS/SSL certificate".


Warning!

The difference between renewing a certificate and obtaining a new one is that, when renewing, the expiring certificate is given the status "Replaced" in the database and no further reminder emails are sent for it.
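The reminder emails only reach the address stored with the certificate, so it is useful to check the servers themselves as well. The following PowerShell script is an added example and not part of the original page: it lists the server certificates in the Local Machine store that expire within the first reminder window (60 days by default, matching the schedule above) and prints the serial number that is used to find the certificate in the PKI frontend. The store path and the number of days are parameters and assumptions.

```powershell
# Added example (not from the original page): list certificates in the machine store
# that expire within the renewal reminder window (60 days, the first reminder on the
# page) and print the serial number used to search the PKI frontend.
# Assumptions: run on each server that holds certificates; the threshold is adjustable.

param(
    [int]$Days = 60,
    [string]$Store = 'Cert:\LocalMachine\My'
)

$now = Get-Date
$limit = $now.AddDays($Days)

# Only certificates with a private key are of interest here: those are the server
# certificates obtained via the PKI. Root and issuing CA certificates are skipped.
$expiring = Get-ChildItem $Store |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $limit } |
    Sort-Object NotAfter

foreach ($c in $expiring) {
    $daysLeft = [math]::Floor(($c.NotAfter - $now).TotalDays)
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } else { "$daysLeft days left" }
    [pscustomobject]@{
        Subject  = $c.Subject
        Serial   = $c.SerialNumber            # paste into the PKI frontend search
        NotAfter = $c.NotAfter
        Status   = $state
        Issuer   = ($c.Issuer -split ',')[0]  # distinguishes ETH (internal) from DigiCert (public)
    }
}

if (-not $expiring) { Write-Host "No certificates in $Store expire within $Days days." }
```

Running this from a scheduled task before the 60-day reminder gives a second, server-side view of what has to be renewed, independent of whether the recipient address stored with the certificate is still read.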