Create a signed server certificate

Admin

=Step 1: Generate a Private Key=

The first step is to create your RSA private key. This key is a 4096-bit RSA key which is encrypted using AES-256 and stored in PEM format so that it is readable as ASCII text.

openssl genrsa -aes256 -out server.key 4096

=Step 2: Generate a CSR (Certificate Signing Request)=

Once the private key is generated, a Certificate Signing Request can be created. The CSR is then used in one of two ways. Ideally, the CSR is sent to a Certificate Authority, such as Thawte or VeriSign, which verifies the identity of the requestor and issues a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://testsite.de, then enter testsite.de at this prompt. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:Bayern
Locality Name (eg, city) [Newbury]:Muenchen
Organization Name (eg, company) [My Company Ltd]:Max-Planck-Gesellschaft
Organizational Unit Name (eg, section) []:Max Planck Digital Library
Common Name (eg, your name or your server's hostname) []:testsite.de
Email Address []:name{at}mpdl.mpg.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

=Step 3: Remove Passphrase from Key=

One unfortunate side-effect of the pass-phrase-protected private key is that Apache will ask for the pass-phrase each time the web server is started. It is possible to remove the encryption from the key so that no pass-phrase has to be typed in any more.

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file no longer carries a passphrase. Since it is now protected only by file permissions, make it readable by root alone and keep the encrypted server.key.org off the web server (see Step 6).
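The following script is an added example and not part of this page: it runs Steps 1 to 3 non-interactively and then performs the checks an admin should do before sending the CSR to the CA. It assumes openssl is on the PATH, uses a constructed demo passphrase, and takes the subject fields from the prompts answered above.

```shell
#!/bin/sh
# Added example, not part of the original page: Steps 1-3 run non-interactively,
# followed by the checks worth running before a CSR is sent to the CA.
# Assumptions: openssl on PATH; the passphrase is a constructed demo value;
# the subject fields mirror the prompts answered above.
set -eu

WORK=$(mktemp -d)
PASS="pass:constructed-demo-passphrase"   # demo only; a real passphrase never belongs in a script
CN="testsite.de"

# Step 1: 4096-bit RSA key, AES-256 encrypted, PEM encoded.
gen_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/server.key" 4096 2>/dev/null
}

# Step 2: CSR with the X.509 subject given via -subj instead of the interactive prompts.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -passin "$PASS" -out "$WORK/server.csr" \
        -subj "/C=DE/ST=Bayern/L=Muenchen/O=Max-Planck-Gesellschaft/OU=Max Planck Digital Library/CN=$CN"
}

# Step 3: keep the encrypted key as server.key.org, write the passphrase-less copy for Apache
# and restrict its permissions, since it is now protected only by the file system.
strip_passphrase() {
    cp "$WORK/server.key" "$WORK/server.key.org"
    openssl rsa -in "$WORK/server.key.org" -passin "$PASS" -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Check 1: the Common Name in the CSR is the FQDN (the CA signs exactly what is in the CSR).
csr_common_name() {
    openssl req -in "$WORK/server.csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 2: the CSR's public key belongs to the private key that will be installed;
# comparing SHA-256 digests of both public keys catches a mixed-up key/CSR pair early.
key_matches_csr() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
    c=$(openssl req -in "$WORK/server.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 3: the stripped key has no PEM encryption header left.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$WORK/server.key"
}

gen_key && gen_csr && strip_passphrase
```

Once the signed certificate arrives from the CA, the same public-key digest comparison against `openssl x509 -in server.crt -pubkey -noout` confirms that the issued certificate belongs to this key.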

=Step 4: Certificate signing by DFN=

Go to the following site and choose "Serverzertifikat":

https://pki.pca.dfn.de/mpg-g2-ca/cgi-bin/pub/pki?cmd=getStaticPage&name=index;RA_ID=1500

Alternatively: https://pki.pca.dfn.de/mpg-ca/cgi-bin/pub/pki?cmd=getStaticPage&name=index;RA_ID=1500

Fill in the form and submit it together with your Certificate Signing Request (the .csr file).

You will then receive a form that you have to sign and bring to the IT department.

You should then get an email from DFN-Verein containing your signed certificate.

=Step 5: Make the Root-CA certificate public=

openssl x509 -in ca_cert_from_dfn.pem -out .crt

=Step 6: Save the CA from DFN on the server=

Save the following CA certificate chain from the DFN-Verein on the server. Note that --no-check-certificate disables TLS certificate verification for the download, so compare the fingerprint of the fetched chain with the value published by DFN before trusting it.

wget --no-check-certificate https://pki.pca.dfn.de/mpg-g2-ca/pub/cacert/chain.txt

Alternatively: https://pki.pca.dfn.de/mpg-ca/pub/cacert/chain.txt

mv chain.txt ca.crt

Move all .crt files to /etc/ssl/certs, if they are not already there.

Move all .key files to /etc/ssl/private.

Move the *.key.org files to a local disk, e.g. H:/.

Now you are ready to use your certificate on the web server.