GÉANT TCS certificates at Forschungszentrum Jülich
Detailed certificate documentation is available in the intranet at https://intranet.fz-juelich.de/en/organization/it-portal/software_services/infrastructure/certificates
Apply for a user certificate
The JSC Office for User Services (building/room: 16.4 / 201, phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de, opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm) acts as an interface to the DFN-CA (subscriber service). The tasks of the participant service include, for example, authenticating the applicant using an official photo ID. The staff is also available to answer questions at any time.
GÉANT TCS user certificates can be ordered for:
- FZJ employees with a valid FZJ mail address v.name@fz-juelich.de
- Function groups with valid function mail address. The applicant has to be the owner of the function mail address
Certificate application process
- Send an informal email to the JSC Office for User Services (user-services.jsc@fz-juelich.de) and ask for a user certificate. You no longer have to send a signed form.
- In the case of user certificates, a personal authentication of the applicant at the JSC Office for User Services is required for the first application. The JSC Office for User Services is obliged to check your identity card.
You will be informed via email if an authentication is necessary. If so, this can be done in person or via video ident.
Apply for a server certificate
SSL server certificates are used for SSL encryption of network services such as HTTPS, LDAPS and IMAPS. FZJ uses the GÉANT TCS service to get server certificates.
The following steps are required to generate a server certificate:
- Send an informal email to the JSC Office for User Services (user-services.jsc@fz-juelich.de) and ask for a link to apply for a server certificate
The Certificate Signing Request has to contain the following attributes:
- C=DE
- ST=Nordrhein-Westfalen
- O=Forschungszentrum Juelich GmbH
- CN=(fully qualified name of the server)
- EMail=(email address of the administrator)
Creation of a Certificate Signing Request (CSR)
Please be sure to observe the following instructions:
To generate the CSR, you either use tools provided by the respective server software or you use the corresponding OpenSSL command:
openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org"
If the request should contain additional Subject Alternative Names (SANs), you can use the following OpenSSL command:
openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName= DNS:www.example.org,DNS:example.org,DNS:www.example.net,DNS:example.net"))
After the generation of the RSA private key you will be asked to enter a password. This so-called "PEM pass phrase" protects the generated RSA private key from unauthorized access.
The OpenSSL quick reference of the DFN-Verein provides further assistance.
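One way to build the same CSR from a temporary config file instead of bash process substitution, and to check it against the required attributes before submitting it. This is an added example, not from the original page: the helper names make_csr and check_csr, the KEY_BITS and CSR_KEY_PASS variables and the config-file approach are assumptions, and emailAddress is the OpenSSL field name for the EMail attribute listed above.

```bash
# Added example, not from the original page. make_csr, check_csr, KEY_BITS and
# CSR_KEY_PASS are hypothetical names; the subject values are the page's.

# make_csr FQDN ADMIN_EMAIL [EXTRA_DNS_NAME...]
# Writes FQDN-key.pem (encrypted with $CSR_KEY_PASS) and FQDN-csr.pem.
make_csr() {
  local fqdn="$1" email="$2" sans="DNS:$1" cfg name rc
  shift 2
  for name in "$@"; do sans="$sans,DNS:$name"; done
  cfg=$(mktemp) || return 1
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
C = DE
ST = Nordrhein-Westfalen
O = Forschungszentrum Juelich GmbH
CN = $fqdn
emailAddress = $email
[san]
subjectAltName = $sans
EOF
  ( umask 077  # keep the private key unreadable for other local users
    openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -sha256 -config "$cfg" \
      -passout env:CSR_KEY_PASS -keyout "$fqdn-key.pem" -out "$fqdn-csr.pem" )
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# check_csr CSR FQDN ADMIN_EMAIL
# Returns 0 only if the self-signature verifies and every required attribute is present.
check_csr() {
  local csr="$1" fqdn="$2" email="$3" subj attr
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  subj=",$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'),"
  for attr in "C=DE" "ST=Nordrhein-Westfalen" "O=Forschungszentrum Juelich GmbH" \
              "CN=$fqdn" "emailAddress=$email"; do
    case "$subj" in *",$attr,"*) ;; *) echo "missing $attr" >&2; return 1 ;; esac
  done
  # The CN must also be listed as a DNS entry in the SAN extension.
  openssl req -in "$csr" -noout -text | tr ', ' '\n\n' | grep -Fxq "DNS:$fqdn"
}
```

Set CSR_KEY_PASS in the environment before calling make_csr; it takes the place of the interactive PEM pass phrase prompt.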
Generate a PKCS#12 file from the private key and the associated certificate (PEM format)
With the OpenSSL command below, you can generate a PKCS#12 file (www.example.org.p12) from the private key (www.example.org-key.pem), the server certificate issued by the DFN-CA (signed-certificate.pem), and (optionally) the certificate chain (certificate-chain.pem). The certificate chain is the entire trust chain starting from the root certificate. If required, you can download it from the DFN-CA website.
openssl pkcs12 -export -inkey www.example.org-key.pem -certfile certificate-chain.pem -out www.example.org.p12 -in signed-certificate.pem
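A check worth running before the export, as an added example that is not from the original page: it confirms that the issued certificate actually carries the public key of the private key you are about to bundle, and refuses to write the PKCS#12 file otherwise. The helper names key_matches_cert and export_p12 and the KEY_PASS and P12_PASS environment variables are assumptions.

```bash
# Added example, not from the original page. key_matches_cert, export_p12,
# KEY_PASS and P12_PASS are hypothetical names.

# key_matches_cert KEY CERT
# Returns 0 if the certificate contains the public key belonging to KEY.
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 1
  [ "$from_key" = "$from_cert" ]
}

# export_p12 KEY CERT CHAIN OUT
# Bundles key, certificate and chain, but only for a matching key/certificate pair.
export_p12() {
  if ! key_matches_cert "$1" "$2"; then
    echo "private key does not match certificate, nothing written" >&2
    return 1
  fi
  ( umask 077  # the PKCS#12 file contains the private key
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
      -passin env:KEY_PASS -passout env:P12_PASS )
}
```

KEY_PASS is the PEM pass phrase chosen when the key was generated; P12_PASS is the export password that will protect the PKCS#12 file.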
Subscriber Service
The Research Centre's Participant Service, which is part of the GÉANT TCS, is located at JSC Office for User Services.
JSC Office for User Services (building 16.4, room 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de)
Opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm
The employees of the PTJ field offices can submit the participant declaration required for registration on site:
- Contact in Bonn: +49 228 60884-254 and +49 228 60884-201
- Contact in Berlin: +49 30 20199-460, +49 3020199-3444, or +49 3020199-3429
- Contact in Rostock: +49 381 20356-299
The same applies to employees in the JCNS field offices:
- Contact in Jülich: +49 2461 61 2498
Employees of the Helmholtz Institute Erlangen-Nuremberg (IEK-11) can contact the following telephone number:
- Contact in Erlangen: +49 9131-12538205
Employees of the Helmholtz Institute Münster (IEK-12) can contact the following telephone number:
- Contact in Münster: +49 251 83-30008
Employees of the INM Düsseldorf can contact the following telephone number:
- Contact in Düsseldorf: +49 2461 61 9167
Validity of the certificates
Certificate class | User certificate | Server certificate |
---|---|---|
GÉANT TCS | 2 years | 1 year |
Grid (DFN PKI) | 1 year | 1 year |