DFN-PKI certificates at Forschungszentrum Jülich
From December 23, server certificates will no longer be provided by DFN-PKI (Global). From then on, server certificates will be provided by the GÉANT TCS certificate authority. All server certificates that have already been issued by the DFN-CA will stay valid.
The research center uses the DFN-Verein Global Issuing CA (DFN-CA) and the GÉANT TCS CA to manage user and server certificates. These enable the use of cryptographic procedures to secure data transmission.
The JSC Office for User Services (building/room: 16.4 / 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de, opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm) acts as the interface to the DFN-CA (subscriber service). The tasks of the Participant Service include, for example, authenticating the applicant using an official photo ID. Of course, the staff is also available to answer questions at any time.
Certificates of DFN Global-CA might be ordered for:
- FZJ employees with a valid FZJ mail address v.name@fz-juelich.de
- Function groups with valid function mail address. The applicant has to be the owner of the function mail address.
- External certificate holders, if the necessity arises from cooperation with Forschungszentrum Jülich. In this case, the name in the certificate must be preceded by EXT: (EXT: Gabi Mustermann).
- Code Signing. In this case either a personal certificate, preferably a pseudonym certificate with a name of the form "PN: <first name last name> - CodeSigning", or a group certificate ("GRP: CodeSigning <group name>") has to be applied for.
Apply for a user certificate
The user certificates web interface provided by DFN-Verein supports the user
- to generate a key pair
- to complete a certificate application that has to be signed and submitted in person to the subscriber service at the JSC Office for User Services together with an official photo ID (ID card/passport). Authentication via video identification is also possible.
Provided that the personal identification is not older than 39 months, it is sufficient to send the application to JSC Office for User Services (user-services.jsc[at]fz-juelich.de) by mail or signed email.
The employees of the field offices can also carry out the personal identification on site in each case. The respective contact information is provided below on this page.
If all requirements are met, the participant service will initiate the creation of the certificate by the CA. The applicant will be informed of the completion by email. By means of a link in this email, the certificate can be imported into the browser with which the key pair has been generated.
To apply for your certificate you have to use either Firefox, Chrome, Microsoft Chromium Edge, or Safari. The use of Microsoft's own browsers Internet Explorer and Edge is NOT possible.
- Go to the user certificates web interface.
- Select User certificate
- Enter your name, email address, (optionally) the abbreviation of your organizational unit, and the revocation PIN. The personal note is for your information only and can be omitted.
- After clicking Next, you can check the application again and change it if necessary.
- Clicking Save application file sends the application and creates a local backup file that must be saved.
Attention: After uploading the application file, Firefox asks in a pop-up window how to proceed with the application file. In this dialog, "Save file" must be explicitly selected before OK is pressed.
Since this application file also contains the private key, it must be protected by a password. The download folder is defined in the browser settings.
- With Download certificate application form (PDF) you get the application form as a PDF file for printing or saving. Submit this signed application form to the participant service at the JSC Office for User Services either in person, by mail, or by signed email (user-services.jsc[at]fz-juelich.de).
- Wait for the approval by the Participant Service and the completion of the certificate by the DFN-CA.
- You will get an email by DFN-CA via a signed email from dfnpki-mailsender-noreply@dfn-cert.de once the certificate has been completed. This email contains web links, so please check your SPAM folder if necessary.
- Please follow the link to your own certificate and select the application file you saved when applying. After entering the password, press Next.
- With Save certificate file you can now generate a PKCS#12 file. In addition to the certificate, this file also contains the corresponding private key of the owner. It must therefore be protected with a strong password. The file can now be imported into applications, e.g. Thunderbird, or into the Windows certificate store for use with Outlook.
Apply for server certificates
Server certificates are used for SSL encryption of network services like https, ldaps, imaps, ...
The following steps are required to generate a server certificate:
- Generate a Certificate Signing Request (CSR). In some cases the server software provides tools for generating this file; in other cases the request must be generated using an OpenSSL command.
- Submit the Certificate Signing Request (CSR) to the CA using the web interface.
- Send the signed certificate request to the subscriber service (JSC Office for User Services) by mail or signed email.
- Afterwards the CA sends a link to the generated certificate to the applicant by e-mail.
The Common Name (CN) and all requested Subject Alternative Names (SANs) have to be present in the JuNet database. Only the administrators recorded in the JuNet database for the respective servers are authorized to apply.
The certification guideline of the DFN-CA specifies that the subject has to contain the following attributes:
- C=DE
- ST=Nordrhein-Westfalen
- L=Juelich
- O=Forschungszentrum Juelich GmbH
- CN=(fully qualified name of the server)
- EMail=(email address of the administrator)
Please be sure to observe the following instructions:
- Please pay attention to upper and lower case; the attribute values are case-sensitive.
- Please do not use German umlauts and ß!
Creation of a Certificate Signing Request (CSR)
To generate the CSR, you either use tools provided by the respective server software or you use the corresponding OpenSSL command:
openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=www.example.org"
If the request should contain additional Subject Alternative Names (SANs), you might use the following OpenSSL command:
openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=www.example.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName= DNS:www.example.org,DNS:example.org,DNS:www.example.net,DNS:example.net"))
After the generation of the RSA private key you will be asked to enter a password. This so-called "PEM pass phrase" protects the generated RSA private key from unauthorized access.
The OpenSSL quick reference of the DFN-Verein provides further assistance.
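The two commands above are interactive (the pass phrase is prompted) and the SAN variant relies on a bash-only process substitution. As an added example that is not part of this page or of DFN's own tooling, the script below builds the same CSR non-interactively from a temporary config file and then checks the finished CSR against the subject attributes the DFN-CA guideline requires before you upload it. It assumes the openssl CLI is installed, the hostnames given are placeholders, and the PEM pass phrase is supplied in the KEY_PASS environment variable.

```shell
#!/bin/sh
# Added example (not the page's or DFN's own code): create the CSR non-interactively
# with the DFN-CA subject attributes plus SANs, then check the CSR before uploading it.
# Needs the openssl CLI; the hostnames passed in are placeholders you replace.
set -eu

# Subject attributes fixed by the DFN-CA certification guideline (note case, no umlauts).
SUBJ_PREFIX="/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH"

# make_csr CN [SAN...]: writes CN-key.pem (encrypted with $KEY_PASS) and CN-csr.pem.
# A temporary config file replaces the bash-only <(...) construct, so plain sh works
# and no system openssl.cnf is needed.
make_csr() {
    : "${KEY_PASS:?set KEY_PASS to the PEM pass phrase that protects the private key}"
    cn=$1; shift
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name = dn\nreq_extensions = san\n[dn]\n[san]\nsubjectAltName = %s\n' "$san" >"$cfg"
    openssl req -newkey rsa:4096 -sha256 -batch \
        -keyout "$cn-key.pem" -passout env:KEY_PASS \
        -out "$cn-csr.pem" -subj "$SUBJ_PREFIX/CN=$cn" \
        -reqexts san -config "$cfg"
    rm -f "$cfg"
}

# check_csr CN [SAN...]: succeeds only if the CSR subject equals the guideline subject
# attribute for attribute and every expected host name appears as a DNS SAN.
check_csr() {
    cn=$1
    got=$(openssl req -in "$cn-csr.pem" -noout -subject -nameopt compat)
    if [ "$got" != "subject=$SUBJ_PREFIX/CN=$cn" ]; then
        echo "subject mismatch: $got" >&2; return 1
    fi
    sans=$(openssl req -in "$cn-csr.pem" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//')
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qx "DNS:$h" || { echo "missing SAN: $h" >&2; return 1; }
    done
    echo "CSR for $cn OK, SANs: $(printf '%s' "$sans" | tr '\n' ' ')"
}

# Usage: KEY_PASS=... ./make-csr.sh www.example.org example.org
if [ $# -ge 1 ]; then
    make_csr "$@"
    check_csr "$@"
fi
```

The check catches the most common rejection reasons (a subject attribute typed in the wrong case or spelling, a SAN that was not included) before the request reaches the subscriber service.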
Application process of a server certificate (GÉANT TCS)
- Create a Certificate Signing Request (see previous FAQ)
- Go to the server certificate request pages
- Authentication is handled by the Forschungszentrum Jülich central identity provider
- Under Your Institution choose Forschungszentrum Jülich GmbH (FZJ) and provide your user information
- You will be forwarded to the SECTIGO Certificate Manager pages. Please wait until the page has loaded completely. If you have already applied for GÉANT TCS server certificates, you will find them there.
- Go to Enroll Certificate
- You will be forwarded to the SSL Certificate Enrollment page. Please ignore Enroll with Access Code
- Go to Select Enrollment Account and select Forschungszentrum Jülich GmbH as Account
- The certificate profile OV Multi-Domain already covers all common server certificate profiles, such as LDAP Server, Shibboleth IdP/SP, Mail Server, Radius Server, VPN Server, ...
- With Upload CSR provide your CSR in PKCS#10 format. You may add additional Subject Alternative Names (SANs)
- In the External Requesters field you may provide additional email addresses
- Choose Auto Renew if the CSR should be re-submitted automatically when the certificate expires
- With Submit your CSR is uploaded to GÉANT TCS. You will be forwarded to the SECTIGO Certificate Manager pages, where you will find your certificate application. Once the user service has issued your certificate, you can download it from there. Additionally you will get an email with your certificate from support@cert-manager.com
- In most cases the download as Certificate only, PEM encoded is sufficient. This downloads the single certificate in one file. Alternatively, download as Certificate (w/ issuer after), PEM encoded; this file contains the certificate chain in addition to the certificate itself.
- Download certificate chain (see also the DFN pages)
- Finally, create a PKCS#12 file (see next FAQ)
Application process of a server certificate (DFN-PKI Global)
- Create a Certificate Signing Request (see previous chapter).
- Navigate to the server certificate request pages.
- Upload the CSR as PKCS#10 certificate request (PEM formatted file)
- Select the certificate profile (default: Web Server)
- Enter your name, email address, (optionally) your organizational unit identifier, and revocation PIN.
- After clicking Next, you can check the application again and make any necessary changes.
- With Download certificate application form (PDF) you will receive the application form. Please sign it and send it to the Participant Service at the JSC Office for User Services either in person, by mail, or by signed email (user-services.jsc[at]fz-juelich.de).
- Wait for the approval by the Participant Service and the completion of the certificate by the DFN-CA.
- You will get an email by DFN-CA via a signed email from dfnpki-mailsender-noreply@dfn-cert.de once the certificate has been completed. This email contains web links, so please check your SPAM folder if necessary.
- Save the certificate contained in the email in PEM format.
- Create a PKCS#12 file with the key file generated in the CSR and the certificate sent by the CA (see next chapter).
Generate a PKCS#12 file from the private key and the associated certificate (PEM format)
With the OpenSSL command below, you can generate a PKCS#12 file (www.example.org.p12) from the private key (www.example.org-key.pem), the server certificate issued by the DFN-CA (signed-certificate.pem), and (optionally) the certificate chain (certificate-chain.pem). The certificate chain is the entire trust chain starting from the root certificate. If required, you can download it from the DFN-CA website.
openssl pkcs12 -export -inkey www.example.org-key.pem -certfile certificate-chain.pem -out www.example.org.p12 -in signed-certificate.pem
Subscriber Service
The Research Centre's Participant Service, which is part of the DFN-PKI, is located at JSC Office for User Services.
JSC Office for User Services (building 16.4, room 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de)
Opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm
The employees of the PTJ field offices can submit the participant declaration required for registration on site:
- Contact in Bonn: +49 228 60884-254 and +49 228 60884-201
- Contact in Berlin: +49 30 20199-460, +49 3020199-3444, or +49 3020199-3429
- Contact in Rostock: +49 381 20356-299
The same applies to employees in the JCNS field offices
- Contact in Jülich: +49 2461 61 2498
Employees of the Helmholtz Institute Erlangen-Nuremberg (IEK-11) can contact the following telephone number:
- Contact in Erlangen: +49 9131 85-20843
Employees of the Helmholtz Institute Münster (IEK-12) can contact the following telephone number:
- Contact in Münster: +49 251 83-30008
Employees of the INM Düsseldorf can contact the following telephone number:
- Contact in Düsseldorf: +49 2461 61 9167
Validity of the certificates
| Certificate class | User certificate | Server certificate |
|---|---|---|
| GÉANT TCS | 1 year | |
| Global (DFN PKI) | 3 years | - |
| Grid (DFN PKI) | 1 year | 1 year |
Further information and instructions (in German)
- Einsatz von X.509v3-Zertifikaten im FZJ (TKI-0365: ein Überblick, PDF)
- Informationen für Zertifikatinhaber in der DFN-PKI
- FAQ Zertifikate (DFN)
- OpenSSL-Kurzreferenz (DFN)