
How-to: Create a server certificate

The following instructions explain how you can create a server certificate.

Please note that the person making the request must be registered as an IT officer, IT representative, certificate officer or employee at the URZ.

1a) Generate an ECC key pair with the means of your server operating system.
Under Linux, use the following commands for this:
    openssl ecparam -out server.key -name secp384r1 -genkey
    chmod og-rwx server.key
1b) If compatibility with old systems is required, an RSA key pair can be created as an alternative:
    dd if=/dev/urandom of=randfile bs=4096 count=1
    openssl genrsa -out server.key -rand randfile 4096
    chmod og-rwx server.key

2a) The following command is used to create the CSR:
    openssl req -new -key server.key -out server.csr
The following information is required:

  • Country C=DE
  • Province ST=Baden-Wuerttemberg
  • Organization O=Ruprecht-Karls-Universitaet Heidelberg
  • "Common Name" CN= (fully qualified server name as in the name server)

2b) If SANs (Subject Alternative Names) are needed, our config file can be downloaded. The CN and all SANs in it must then be adapted accordingly. The CSR itself is then created with:
    openssl req -new -key server.key -out server.csr -config server.conf

3) Copy the Certificate Signing Request "server.csr" to your local system and call up the university page for requesting server certificates, "CaeSaR", either from the university network or via the VPN.

4) Log in here with your ID and password. Only IT or EDP representatives, certificate officers and employees of the URZ are permitted to log in.

CaeSaR - Login

5) Now upload the previously created CSR via the web form and enter the e-mail addresses below to which you will be sent status messages about your application. Then click on the "Check details" button.

CaeSaR - Input

6) On the following page, check that all the information is correct. If all the details are correct, you can now submit your application by clicking the "Submit CSR" button.

CaeSaR - Check

7) You will now see a confirmation that your certificate has been requested. You then have the option of requesting further certificates or logging out. You will also receive a confirmation e-mail from the provider Sectigo stating that the certificate has not yet been checked. If you do not receive this, please contact us at zertifikate@urz.uni-heidelberg.de.

CaeSaR - Completion

8) The URZ will now check the application and normally release it by the next working day if all the data is correct. If anything is still unclear, we will call you. All addresses entered in step 5 will then receive an e-mail with instructions on how to download the certificate.

9) The certificate file and any certificate chain must then be copied to the server and configured in the web server.
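The key and CSR steps above (1a and 2b), followed by a check of the CSR before it is uploaded in step 5, as an added shell example that is not part of the URZ page. The OpenSSL config it writes is an assumption standing in for the URZ server.conf, and www.example.org / example.org are placeholder hostnames.

```shell
#!/bin/sh
# Added example, not from the URZ page: generate the ECC key and a CSR with
# SANs (steps 1a and 2b) and verify the CSR before uploading it (step 5).
# The config written here is an assumption standing in for the URZ
# server.conf; www.example.org / example.org are placeholder hostnames.
set -e

# Write an OpenSSL request config: the subject the page requires plus a
# subjectAltName for the CN and every additional hostname given.
write_csr_config() {   # $1 = config file, $2 = CN, rest = extra SANs
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
        printf '[dn]\nC = DE\nST = Baden-Wuerttemberg\n'
        printf 'O = Ruprecht-Karls-Universitaet Heidelberg\nCN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for san in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1))
        done
    } > "$out"
}

# Steps 1a and 2b of the page: P-384 key readable only by its owner, then the CSR.
make_key_and_csr() {   # $1 = key file, $2 = CSR file, $3 = config file
    openssl ecparam -out "$1" -name secp384r1 -genkey >/dev/null 2>&1
    chmod og-rwx "$1"
    openssl req -new -key "$1" -out "$2" -config "$3"
}

# Pre-upload check: the CSR's self-signature verifies, the key is on the
# expected curve, and the CN and every expected SAN are present (0 = pass).
check_csr() {   # $1 = CSR file, $2 = expected CN, rest = expected extra SANs
    csr=$1; cn=$2; shift 2
    txt=$(openssl req -in "$csr" -noout -text -verify 2>&1) || return 1
    printf '%s\n' "$txt" | grep -q 'secp384r1' || return 1
    printf '%s\n' "$txt" | grep -q "CN *= *$cn" || return 1
    for san in "$cn" "$@"; do
        printf '%s\n' "$txt" | grep -q "DNS:$san" || return 1
    done
    return 0
}

# Demo run: sh csr-check.sh demo  (writes server.key/.csr/.conf to the cwd)
if [ "${1:-}" = "demo" ]; then
    write_csr_config server.conf www.example.org example.org
    make_key_and_csr server.key server.csr server.conf
    check_csr server.csr www.example.org example.org && echo "CSR OK"
fi
```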