Institute for Advanced Simulation (IAS)

Information about Server Certificates


Since February 2017, server certificates have been issued from the new generation of the DFN-PKI (Global-G2).
The information on this page about applying for a server certificate remains unchanged. However, there is one important change that server administrators must consider:

Compared with the old hierarchy, the certification chain has changed: there is a new root certificate and new certificates for the intermediate CAs. All of these certificates can be found on the application pages of the DFN-PCA. The root certificate is already included in the current versions of the affected applications.

When an old server certificate is replaced with a new one, the certificate chain configured on the server must be updated to match; otherwise clients cannot build a path from the new server certificate to the new root.
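The following shell script is an added example and is not taken from the JSC or DFN-PKI pages. It builds a throwaway root / intermediate / server hierarchy with openssl (all names such as "Example Root" and srv.example.org are constructed placeholders) and then runs openssl verify once with and once without the intermediate certificate. The second run reproduces the failure a client sees when a server presents a new certificate but still delivers the old chain file.

```shell
#!/bin/sh
# Added example, not part of the JSC page: builds a throwaway three-level
# hierarchy (root -> intermediate CA -> server) with openssl and shows that
# the server certificate only validates when the intermediate is supplied,
# which is exactly what goes wrong when a new certificate is installed but
# the old chain file is kept. All names are constructed placeholders and
# have nothing to do with the real DFN-PKI certificates.

# build_test_hierarchy DIR: writes root.pem, int.pem and srv.pem into DIR.
build_test_hierarchy() {
    dir="$1"
    # Minimal openssl config so the example does not depend on the system's
    # openssl.cnf; the v3_ca section marks a certificate as a CA.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = DE
O  = Example
CN = Example Root
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Self-signed root: the trust anchor a client has installed.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1

    # Intermediate CA: CSR signed by the root, issued with CA extensions.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=DE/O=Example/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null || return 1

    # Server certificate: CSR signed by the intermediate, end entity only.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Example/CN=srv.example.org" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:srv.example.org\n' > "$dir/srv.ext"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null || return 1
}

# verify_with_chain DIR: what a client does when the server sends the
# intermediate along with its own certificate. Returns 0 on success.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" >/dev/null 2>&1
}

# verify_without_chain DIR: the same check with the intermediate missing,
# i.e. a new certificate served with a stale or empty chain file.
verify_without_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
}

# chain_demo: prints both outcomes and returns 0 only when they are as
# expected (with intermediate: ok, without intermediate: failure).
chain_demo() {
    work=$(mktemp -d) || return 1
    build_test_hierarchy "$work" || return 1
    with=fail; without=fail
    verify_with_chain "$work" && with=ok
    verify_without_chain "$work" && without=ok
    echo "with intermediate:    $with"
    echo "without intermediate: $without"
    rm -rf "$work"
    [ "$with" = ok ] && [ "$without" = fail ]
}

chain_demo
```

The same two openssl verify calls can be run against a real server certificate and the G2 intermediate downloaded from the DFN-PCA pages before the new certificate goes live; if the call without -untrusted already succeeds, the chain is not needed, otherwise the chain file must contain the intermediate.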

Request server certificates (Global)

To apply for a server certificate, you must first create a so-called Certificate Signing Request (CSR). This is then integrated into the certificate request via the web interface. An application form must be printed out, signed and transmitted to Teilnehmerservice at JSC.

To generate the request, you can either use the tools provided by the respective server software or use openssl. The documentation includes an openssl quick reference. The minimum length of RSA keys in the global hierarchy is 2048 bits.

In any case, the information entered in this process forms the unique name (subject) of the certificate. The certification policy of the DFN-PCA specifies that the subject consists of the following attributes (optional ones in square brackets):

  • C = DE
  • ST = Nordrhein-Westfalen
  • L = Jülich
  • O = Forschungszentrum Jülich GmbH
  • [OU = (OU)]
  • CN = (fully qualified name of the server)
  • Email = (email address of the administrator)

Please note the following:

  • entries are case sensitive
  • the permitted character set is defined in the DFN-PKI Certification Policy (Section 3.1.4); in particular, umlauts and ß cannot be used

Generating the keys and Certificate Signing Request (CSR) for servers with openssl

In the following openssl session, the values to be entered are shown after the respective prompt. To leave the other fields blank, you must enter a period (pressing Enter alone would accept the default shown in brackets). The pass phrase you enter (PEM pass phrase) protects your private key and must not be lost.
When creating a server CSR, enter the fully qualified domain name of the server as the Common Name and the e-mail address of the system administrator as the Email Address; these two fields are left open in the session below because they differ for every server.


openssl req -newkey rsa:2048 -keyout key.pem -out servername_CSR.pem

Generating a 2048 bit RSA private key
..........................+++
...........................................+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Nordrhein-Westfalen
Locality Name (eg, city) []:Juelich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Forschungszentrum Juelich GmbH
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.


The execution of the openssl command creates two files:

  • key.pem: contains the private key; this file is protected by the entered pass phrase and must be stored securely.
  • servername_CSR.pem: This file contains the certificate signing request that must be transmitted to DFN-CERT Services using the web interface. The content of the request can be checked with the command
    openssl req -noout -text -in servername_CSR.pem
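As an added example that is not part of the original page, the following script produces the same key and CSR non-interactively using openssl's -subj option instead of the prompts shown above, and then checks the CSR for the requirements stated on this page: an RSA key of at least 2048 bits, the mandatory subject attributes with their exact (case-sensitive) values, and a subject without non-ASCII characters such as umlauts. The host name srv.example.org, the administrator address and the pass phrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the JSC page: generates the server key and CSR
# non-interactively with the subject the page prescribes (via -subj instead
# of the interactive prompts), then checks the CSR the way an administrator
# should before uploading it: RSA key of at least 2048 bits, all mandatory
# attributes present, no non-ASCII characters such as umlauts.
# Host name, e-mail address and pass phrase are constructed placeholders.

# make_csr DIR FQDN ADMIN_MAIL PASSPHRASE [KEYBITS]
# Writes DIR/key.pem (encrypted with PASSPHRASE) and DIR/FQDN_CSR.pem.
make_csr() {
    dir="$1"; fqdn="$2"; mail="$3"; pass="$4"; bits="${5:-2048}"
    # Minimal config so the example does not depend on the system openssl.cnf;
    # openssl req insists on a dn section, but -subj overrides its content.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
    # Passing the pass phrase on the command line is only acceptable for this
    # demo; for a real key, type it at the prompt as the page describes.
    openssl req -new -config "$dir/req.cnf" -newkey "rsa:$bits" \
        -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=$fqdn/emailAddress=$mail" \
        -passout "pass:$pass" -keyout "$dir/key.pem" -out "$dir/${fqdn}_CSR.pem" 2>/dev/null
}

# csr_subject CSR: prints the subject in RFC 2253 form, most specific first,
# e.g. emailAddress=...,CN=...,O=...,L=Juelich,ST=Nordrhein-Westfalen,C=DE
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# csr_key_bits CSR: prints the RSA modulus length of the key in the CSR.
csr_key_bits() {
    openssl req -noout -pubkey -in "$1" \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSR: returns 0 when the CSR meets the page's requirements.
check_csr() {
    subj=$(csr_subject "$1") || return 1
    bits=$(csr_key_bits "$1") || return 1
    echo "subject: $subj"
    echo "key:     RSA ${bits:-?} bit"
    # Minimum key length in the Global hierarchy.
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key shorter than 2048 bits"; return 1; }
    # Mandatory attributes with the exact, case-sensitive values.
    for attr in "C=DE" "ST=Nordrhein-Westfalen" "L=Juelich" \
                "O=Forschungszentrum Juelich GmbH" "CN=" "emailAddress="; do
        case ",$subj," in
            *",$attr"*) ;;
            *) echo "FAIL: missing or wrong attribute $attr"; return 1 ;;
        esac
    done
    # Umlauts and other non-ASCII characters are not allowed in the subject.
    if printf '%s' "$subj" | LC_ALL=C grep -q '[^ -~]'; then
        echo "FAIL: non-ASCII character in subject"; return 1
    fi
    echo "OK: CSR is ready for submission"
}

# csr_demo: end-to-end run with constructed values; returns check_csr's result.
csr_demo() {
    work=$(mktemp -d) || return 1
    make_csr "$work" srv.example.org admin@example.org "demo-pass-phrase-change-me" || return 1
    check_csr "$work/srv.example.org_CSR.pem"; rc=$?
    rm -rf "$work"
    return $rc
}

csr_demo
```

check_csr can also be pointed at a servername_CSR.pem created interactively as shown above; it reads the same information as openssl req -noout -text, but turns the manual comparison against the attribute list into a pass/fail result.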

The completed certificate will be sent to the administrator by e-mail.