Created by Kisic Mirel (4ea), last updated by Sichler Wolfgang (ID) on May 30, 2022
Support
Please contact us via SmartDesk, Email servicedesk@id.ethz.ch or by phone +41 44 632 77 77
Service Information and Update
Blog entry
Create a CSR (Certificate Signing Request)
Warning!
To obtain a TLS/SSL certificate, a so-called csr file must be created first.
On Windows systems this can be done as follows. First, an inf file must be created. The following content can be used as a template:

    [NewRequest]
    Subject = "CN=DemoServer.ethz.ch,O=ETH Zurich,C=CH"
    KeyLength = 2048
    KeySpec = 1
    ; False: the private key cannot be exported from this system
    Exportable = False
    ProviderName = "Microsoft Software Key Storage Provider"
    HashAlgorithm = SHA256
    MachineKeySet = True
    SMIME = False
    UseExistingKeySet = False
    RequestType = PKCS10
    ; 0xA0 = digital signature (0x80) + key encipherment (0x20)
    KeyUsage = 0xA0
    Silent = True

    [Extensions]
    ; 2.5.29.17 is the OID of the Subject Alternative Name extension
    2.5.29.17 = "{text}"
    _continue_ = "dns=Demo.ethz.ch&"
    _continue_ = "dns=AuchDemo.ethz.ch&"

Customize server name
Please replace the server names in the above example with your own information.

Target server
If the csr file is not created on the system where the certificate is to be used later, the "Exportable" parameter must be set to "True", since it will be necessary to install the certificate first on the Windows system on which the csr file and thus the private key were created.

The csr file is created with:

    certreq -new Demo.inf Demo.csr
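The steps above as one script, an added example that is not part of the original page: it generates the inf file from a list of host names, runs certreq, and checks the resulting request with certutil -dump before it is uploaded. The parameter names, the file base name and the English-language certutil output ("DNS Name=") are assumptions; the subject name is also listed as a SAN entry here, because current browsers match host names against the SAN extension only.

```powershell
# Added example, not part of the original page. Run in an elevated session,
# because MachineKeySet = True stores the key in the machine key store.
param(
    [string[]]$DnsNames = @('DemoServer.ethz.ch', 'Demo.ethz.ch', 'AuchDemo.ethz.ch'),
    [string]$BaseName = 'Demo',   # assumed output name: Demo.inf / Demo.csr
    [bool]$Exportable = $false    # $true only if the key must move to another server
)

if (Test-Path "$BaseName.csr") { throw "$BaseName.csr already exists; pick another name." }

# One _continue_ line per SAN entry, each terminated by '&' as in the template.
$sanLines = ($DnsNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"

$inf = @"
[NewRequest]
Subject = "CN=$($DnsNames[0]),O=ETH Zurich,C=CH"
KeyLength = 2048
KeySpec = 1
Exportable = $Exportable
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xA0
Silent = True

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

Set-Content -Path "$BaseName.inf" -Value $inf -Encoding ASCII
certreq -new "$BaseName.inf" "$BaseName.csr"
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and confirm every name is present in the SAN extension.
# Assumption: English-language certutil output, which prints "DNS Name=<host>".
$dump = certutil -dump "$BaseName.csr" | Out-String
$missing = @($DnsNames | Where-Object { $dump -notmatch ('DNS Name=' + [regex]::Escape($_)) })
if ($missing.Count -gt 0) { throw "SAN entries missing from CSR: $($missing -join ', ')" }
Write-Host "CSR $BaseName.csr contains all $($DnsNames.Count) SAN names."
```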
Obtain TLS/SSL certificate
There are three profiles to choose from. The names are completed by the support group.
Upload the CSR via "Choose File".
Install TLS/SSL certificate
If the certificate is used on another server, the certificate including the private key must be exported. Open the certificate management console with certlm.msc and export the server certificate with its private key.
Renew TLS/SSL certificate
Warning! Due to the migration from QuoVadis to DigiCert, it is no longer possible to request or renew a certificate from QuoVadis. The renew button is greyed out. Instead, you have to order a new certificate from DigiCert (the profile name starts with DC WebServer). To cancel renewal notifications, you can revoke the old certificate after installing the new certificate.
It is not possible to order a so-called soft token via our PKI, but the button cannot be hidden. If you press this button, you will receive an error message that you are not authorized.
Warning! The difference between renewing a certificate and obtaining a new certificate is that when renewing, the status "Replaced" is entered for the expiring certificate in the database and that from this point no more reminder emails are sent regarding the expiring certificate.
1 Comment
Bolliger Christian (ID)
Oct 25, 2022
Hi
it would be good to have instructions for Nginx and Apache. Those are the most widely used webservers.