What are server certificates used for?

Server certificates are used to enable a secure connection between server and client, for example, when sensitive data is to be transferred over a public network. The best-known example is the web server. Secure connections start with an https and are specially highlighted in the address bar of browsers.

Please note! Important IT security message

The German Federal Office for Information Security (BSI) strongly recommends the use of SSL/TLS certificates with a key length of at least 3072 bits (but no more than 4096 bits) in guideline TR-02102-2 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html). A longer key length offers a higher level of security against cryptographic attacks.

Therefore, please check whether your current SSL/TLS certificates (server certificates) have a sufficiently large key length. If you are currently using server certificates with a smaller key length, we recommend that you migrate to server certificates with a key length of at least 3072 bits as soon as possible.

Please note that the private key must also be replaced. The script (certificateapplication.sh) on login.uni-hohenheim.de has now been adapted to a key length of 4096 bits.


Request server certificate via web form

Server certificates can be obtained via a web form.
Unfortunately, automated renewal of the certificate is not possible via this method; renewal has to be done manually.

Requirements / preparation

  • Hohenheim user account (for login via our IDP)
  • Assignment of the Hohenheim user account to a facility. This only needs to be done once. Please contact us by e-mail at kim-pki@uni-hohenheim.de and tell us not only your user ID but also the subdomain that your institution uses.
  • The FQDN for the server is fixed (e.g., servername.[subdomain.]uni-hohenheim.de) and registered in the DNS.
    [If not already done, please request an IP address and DNS name at kim-dns@uni-hohenheim.de.]
  • The CSR of the server is requested in the form. Please prepare this.

    For the simple creation of a certificate request, we provide a script to guide you through the process. You can use it by logging into your Hohenheim user account on login.uni-hohenheim.de with ssh and starting the script there:

    user@login1:~> certificateapplication.sh
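An added example, not the university's certificateapplication.sh (whose contents are not on this page), covering both preparation steps above: it generates a 4096-bit RSA key and a CSR with subjectAltName entries for a given FQDN, and checks an existing PEM certificate or CSR against the 3072-bit minimum from the BSI notice. The subject fields, output file names and the constructed 2048-bit sample certificate are assumptions; OpenSSL 1.1.1 or later is needed for `-addext`.

```shell
#!/bin/sh
# Added example, not the university's certificateapplication.sh (whose contents
# are not on this page). Needs OpenSSL >= 1.1.1 for `req -addext`.
# MIN_BITS is the BSI TR-02102-2 minimum quoted above; 4096 is the key size
# the page says the script was adapted to.
set -eu
MIN_BITS=3072

# make_csr FQDN OUTDIR [EXTRA_SAN ...]
# Writes OUTDIR/FQDN.key (owner-readable only) and OUTDIR/FQDN.csr. The FQDN
# itself is always a DNS SAN; extra names (e.g. a www alias) are appended.
make_csr() {
  fqdn=$1; outdir=$2; shift 2
  mkdir -p "$outdir"
  sans="DNS:$fqdn"
  for s in "$@"; do sans="$sans,DNS:$s"; done
  # Subject fields are hypothetical; use whatever your CA account expects.
  ( umask 077 && openssl req -new -newkey rsa:4096 -nodes \
      -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
      -subj "/C=DE/O=Universitaet Hohenheim/CN=$fqdn" \
      -addext "subjectAltName=$sans" 2>/dev/null )
}

# key_bits FILE: print the RSA key size of a PEM certificate or CSR.
key_bits() {
  { openssl x509 -in "$1" -noout -text 2>/dev/null \
    || openssl req -in "$1" -noout -text; } \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_key_length FILE: return 0 if the key meets MIN_BITS, 1 otherwise.
check_key_length() {
  bits=$(key_bits "$1")
  if [ "${bits:-0}" -ge "$MIN_BITS" ]; then
    echo "$1: $bits-bit key meets the $MIN_BITS-bit minimum"
  else
    echo "$1: $bits-bit key is below $MIN_BITS bits; replace key and certificate"
    return 1
  fi
}

# make_weak_sample OUTDIR: constructed self-signed 2048-bit certificate so the
# check can be exercised offline (not a real Hohenheim certificate).
make_weak_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/weak.key" -out "$1/weak.crt" \
    -subj "/CN=weak.example.invalid" 2>/dev/null
}
```

Source the file and call `make_csr server1.subdomain.uni-hohenheim.de ~/server1 www.server1.subdomain.uni-hohenheim.de` to produce the key and CSR, or `check_key_length /path/to/cert.pem` to audit a deployed certificate.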

What to do

  • If you meet the above requirements and have made all preparations, call up the following URL in your browser and select "University of Hohenheim - uni-hohenheim.de" under "Your Institution":
    https://cert-manager.com/customer/DFN/ssl/hoh-servercertificate
  • Authenticate yourself with your Hohenheim username and the corresponding password.
  • In the lower area under "Select Enrollment Account", select the entry "Universität Hohenheim - [institution name] (Server Certificate)" that is assigned to your institution.
    If you are not directly in this enrollment view, but in the "Certificate List" view, please select the green button "Enroll Certificate" in the upper right corner.
  • Now fill in all the required fields.
    • Certificate Profile & Certificate Term should not be changed!
    • You can paste the CSR under the button "Upload CSR" or via Copy & Paste in the field below.
    • If you did not specify a "Subject Alternative Name" when you created the CSR and now want to, you can enter it here.
    • Under "External Requesters" you can specify additional email addresses that should be informed about the creation, renewal, revocation, or deletion of the certificate. Please separate multiple entries with a comma.
    • Under "Comments" please enter the type of server (e.g., web server).
    • If the Auto Renew button is enabled, you can specify how many days before the certificate expires you want to request a new certificate. This option does not extend the previous certificate! As soon as we receive and approve the new application, you will receive another email in which you can download the new certificate.
    • Once you submit the request via "Submit", we will review the request and respond to you.

Certificate formats

Once you have received the email from the Certificate Service Manager, you can download the certificate using the links in various formats in the email. Below you will find a brief summary of the different formats:

  • as Certificate only, PEM encoded:
    Contains only the server certificate in PEM format.
  • as Certificate (w/ issuer after), PEM encoded:
    Recommended for Apache/nginx
    Contains first the server certificate, then the issuing CA certificate and then the other CA certificates in the CA chain, but without the root CA certificate, in PEM format.
  • as Certificate (w/ chain), PEM encoded:
    Contains the root CA certificate, as well as the intermediate CA certificates and finally the server certificate in PEM format.
  • as PKCS#7:
    Recommended for MS Windows Server with IIS
    Contains a binary PKCS#7 structure consisting of first the server certificate, then the issuing CA certificate, then other CA certificates in the CA chain, and finally the root CA certificate.
  • as PKCS#7, PEM encoded:
    Contains a binary PKCS#7 structure in PEM format consisting of first the server certificate, then the issuing CA certificate, then other CA certificates in the CA chain, and finally the root CA certificate.
  • as Root/Intermediate(s) only, PEM encoded:
    Contains the CA certificate chain (without the server certificate) from the root CA (first) to the issuing CA of the server certificate in PEM format.
  • as Intermediate(s)/Root only, PEM encoded:
    Contains the CA certificate chain (without the server certificate) from the issuing CA of the server certificate (first) to the root CA certificate in PEM format.
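An added example (not from the page or the certificate service) for the format recommended for Apache/nginx above: it checks that a PEM bundle is in "Certificate (w/ issuer after)" order, i.e. server certificate first, each following certificate the issuer of the one before it, and no self-signed root at the end, which is the deployment mistake this format is meant to avoid. The root/intermediate/server chain it builds for testing is constructed with hypothetical names.

```shell
#!/bin/sh
# Added example (not from the page or the certificate service): verify that a
# PEM bundle is in "Certificate (w/ issuer after)" order: server certificate
# first, each later certificate the issuer of the previous one, no self-signed
# root at the end. Needs openssl; the sample chain below is constructed.
set -eu

# nth_cert BUNDLE N: print the N-th (1-based) PEM certificate in BUNDLE.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }

# cert_count BUNDLE: number of certificates in the bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# dn BUNDLE N FIELD: subject or issuer DN of the N-th certificate, without
# the "subject=" / "issuer=" prefix so the two can be compared directly.
dn() { nth_cert "$1" "$2" | openssl x509 -noout "-$3" | sed 's/^[a-z]*=//'; }

# check_issuer_after BUNDLE: 0 if the order is right, else 1 and a message.
check_issuer_after() {
  n=$(cert_count "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(dn "$1" "$i" issuer)" != "$(dn "$1" $((i+1)) subject)" ]; then
      echo "$1: certificate $i is not issued by certificate $((i+1))"; return 1
    fi
    i=$((i+1))
  done
  if [ "$(dn "$1" "$n" subject)" = "$(dn "$1" "$n" issuer)" ]; then
    echo "$1: bundle ends with a self-signed root; strip it for this format"
    return 1
  fi
}

# make_sample_chain DIR: constructed root -> intermediate -> server chain and
# two bundles: issuer_after.pem (correct order) and w_chain.pem (root first).
make_sample_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server1.example.invalid" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
  cat "$d/srv.crt" "$d/int.crt" > "$d/issuer_after.pem"
  cat "$d/root.crt" "$d/int.crt" "$d/srv.crt" > "$d/w_chain.pem"
}
```

Run `check_issuer_after /etc/ssl/your-bundle.pem` against the file you point Apache's SSLCertificateFile or nginx's ssl_certificate at; a "w/ chain" download fails the check because the root comes first.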

FAQ

WebForm

The validity is 365 days (1 year).

Yes! You will receive the first reminder 30 days before your certificate expires. The second reminder will be sent 14 days before your certificate expires.

Please do not request a certificate! First, send us an email with the note "Missing account" and the FQDN (e.g. server1.subdomain.uni-hohenheim.de) of the server to be certified to kim-pki@uni-hohenheim.de. We will create an account for you and inform you when it has been created. After this, you can select your institute/department under "Select Enrollment Account".

When creating the CSR using our certificateapplication.sh script (as described in our instructions under "Requirements / preparation"), the private key is usually stored in your home directory (CIFS) /home/[first letter of username]/[username]/[specified FQDN of server]/.
If you did not use the above script and generated your CSR and private key yourself, you will find the private key in your self-specified directory.

ACME

If you receive the following or a similar error message, you are not authorized to obtain a certificate for the named (sub)domain. Check the mentioned (sub)domain for spelling mistakes or submit an application for the domain via kim-pki@uni-hohenheim.de.

acme.messages.Error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The identifiers are not all linked to the same preauthorized Subject organization name/address
2023-03-30 17:12:48,832:ERROR:certbot._internal.log:An unexpected error occurred:
2023-03-30 17:12:48,832:ERROR:certbot._internal.log:The identifiers are not all linked to the same preauthorized Subject organization name/address

