Support

Please contact us via SmartDesk, e-mail servicedesk@id.ethz.ch or by phone at +41 44 632 77 77

Create a CSR (Certificate Signing Request)


Warning!

To obtain a TLS/SSL certificate, a so-called csr file must be created first.

 How to create CSR

On Windows systems this can be done as follows:

First, an inf file must be created. The following content can be used as a template for this:


[NewRequest]
Subject = "CN=DemoServer.ethz.ch,O=ETH Zurich,C=CH"
KeyLength = 2048
KeySpec = 1
Exportable = False
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xA0
Silent = True

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=Demo.ethz.ch&"
_continue_ = "dns=AuchDemo.ethz.ch&"

Customize server name

Please replace the server names in the above example with your own information.

Target server

If the CSR file is not created on the system where the certificate will be used later, the "Exportable" parameter must be set to "True", because the certificate must first be installed on the Windows system on which the CSR file, and thus the private key, was created.


Running "certreq -new Demo.inf Demo.csr" creates the CSR file.
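The steps above as one script, as an added example that is not part of the original page: it builds the INF from the template, checks the number of SAN entries against the address limits of the certificate profiles listed in the next section, runs certreq, and dumps the resulting CSR so it can be reviewed before upload. The parameter names, the file names and the host-name check are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not ETH tooling. Parameter and file names are assumptions;
# the INF settings and the address limits are the ones stated on this page.
param(
    [string]$CommonName = 'DemoServer.ethz.ch',
    [string[]]$DnsNames = @('Demo.ethz.ch', 'AuchDemo.ethz.ch'),
    [ValidateSet('ETH WebServer', 'QV WebServer', 'QV WebServer 10SAN')]
    [string]$CertProfile = 'ETH WebServer',
    [switch]$Exportable,    # set only if the CSR host is not the target server
    [string]$BaseName = 'Demo'
)
# Reject anything that is not a plain host name before it reaches the INF.
foreach ($n in @($CommonName) + $DnsNames) {
    if ($n -notmatch '^[A-Za-z0-9*.-]+$') { throw "Invalid DNS name: $n" }
}
# Address limits per profile (0 = no restriction). Assumption: the limit
# applies to the dns= entries of the SAN extension.
$limits = @{ 'ETH WebServer' = 0; 'QV WebServer' = 1; 'QV WebServer 10SAN' = 10 }
$max = $limits[$CertProfile]
if ($max -eq 1 -and $DnsNames.Count -gt 1) {
    Write-Warning "$CertProfile uses only the first address: $($DnsNames[0])"
} elseif ($max -gt 1 -and $DnsNames.Count -gt $max) {
    throw "$CertProfile allows at most $max addresses, got $($DnsNames.Count)."
}
if (Test-Path "$BaseName.csr") { throw "$BaseName.csr already exists." }
# Same settings as the template; only the names and Exportable vary.
$inf = @(
    '[NewRequest]'
    'Subject = "CN={0},O=ETH Zurich,C=CH"' -f $CommonName
    'KeyLength = 2048'
    'KeySpec = 1'
    'Exportable = {0}' -f $Exportable.IsPresent
    'ProviderName = "Microsoft Software Key Storage Provider"'
    'HashAlgorithm = SHA256'
    'MachineKeySet = True'
    'SMIME = False'
    'UseExistingKeySet = False'
    'RequestType = PKCS10'
    'KeyUsage = 0xA0'
    'Silent = True'
    '[Extensions]'
    '2.5.29.17 = "{text}"'
    $DnsNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }
)
Set-Content -Path "$BaseName.inf" -Value $inf -Encoding ASCII
certreq -new "$BaseName.inf" "$BaseName.csr"
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
certutil -dump "$BaseName.csr"    # review subject, SAN and key length before upload
```

The script runs elevated because "MachineKeySet = True" places the private key in the machine key store.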



Obtain TLS/SSL certificate



 How to obtain TLS/SSL certificate

There are three profiles to choose from. The names are completed by the support group.

  • ETH WebServer:
    Trusted internally via the ETH Root Certification Authority. The ETH Root certificate and the ETH Issuing certificate must be installed on the systems involved (Download PKI security certificates). No restriction on the number of addresses. Can be issued for one, two or three years. Browsers accept only certificates valid for one year, but a longer validity can be used for web services between two servers.

  • QV WebServer:
    Publicly trusted via the QuoVadis Root Certification Authority. Validity one year. Number of addresses limited to one (if more than one is specified in the CSR, only the first one is used).

  • QV WebServer 10SAN:
    Publicly trusted via the QuoVadis Root Certification Authority. Validity one year. Number of addresses limited to ten. Billing distinguishes between certificates with up to three addresses and certificates with four to ten addresses.


Upload the CSR via "Choose File".


  • Select the validity of the ETH WebServer.

  • Insert a valid mail address at "Recipient Email".

  • Press the "Request" button.

  • After a few seconds, the certificate will be ready for download.


  • Under "Show Delivery Formats ..." you can select the download format and whether the root and intermediate certificates are included.

  • If the certificate is needed again later, it can be downloaded again at any time.


Install the TLS/SSL certificate


 How to install the TLS/SSL certificate
  • Open file.

  • Press Install Certificate.

  • Local Machine. Next.

  • Possibly user and password of an administrator are requested.

  • Next.

  • Finish.

If the certificate is used on another server, then the certificate including the private key must be exported.

Open the certificate management console with certlm.msc.

Export the server certificate with private key.



