How-to Create a Server Certificate
The following how-to explains how to create a server certificate.
Please note that the person requesting the certificate must be registered as an IT representative, an EDP representative, a certificate representative or an employee at the URZ.
1a) Generate a ECC key pair using tools provided by your server operating system.
On Linux, use:
openssl ecparam -out server.key -name secp384r1 -genkey
chmod og-rwx server.key
1b) If you need compatibility with older systems, you can create an RSA key pair instead:
dd if=/dev/urandom of=randfile bs=4096 count=1
openssl genrsa -out server.key -rand randfile 4096
chmod og-rwx server.key
2a) To create the CSR, use the following command:
openssl req -new -key server.key -out server.csr
For this, you will need the following information:
- Country C=DE
- State ST=Baden-Wuerttemberg
- Organization O=Ruprecht-Karls-Universitaet Heidelberg
- "Common Name" CN= (full qualified server name as in the name server)
2b) If SAN is to be used, you can download our Config file. Subsequently, both the CN and all SANs must be adjusted accordingly. The CSR itself is created with:
openssl req -new -key server.key -out server.csr -config server.conf
3) Copy the Certificate Sign Request "server.csr" on your local system and access the university page to request server certificates "CaeSaR" from within the university network or using our VPN.
4) On this page, log in with your ID and password. Only IT or EDP representatives, certificate representatives and URZ employees will be permitted to login.
5) Now upload the previously created CSR via the web form and enter the email addresses to which you would like to receive status messages about your application. Then, click the button "Angaben prüfen".
6) On the following page, carefully check that all the information is correct. If all information is correct, you can now send your application by clicking the button "CSR einreichen".
7) You will now be shown a confirmation that your certificate has been requested. You will then have the option of applying for further certificates or logging out. You will now receive a confirmation email from the provider Sectigo that the certificate verification is pending. If you do not receive this email, please contact us at zertifikate@urz.uni-heidelberg.de
8) The URZ will check the application and usually will approve it by the next working day if all the data is correct. If there are any questions, we will contact you. You will then receive an email with instructions on how to download the certificate for all the addresses that were entered in Step 5.
9) The certificate file and any certification chains must then be copied to the server and entered in the web server.