
New application procedure for server certificates

The DFN-Verein (DFN-Association) announced some time ago that the management of certificates will change from 2023. TCS (Trusted Certificate Service) will in future be a PKI offering that the DFN-Verein procures via GÉANT. GÉANT implements the service with the help of external providers, which are selected through regular tenders; the current provider is the company Sectigo. An overview of GÉANT's service can be found at: https://security.geant.org/trusted-certificate-services/

The DFN-Verein is currently introducing the service for all DFN-PKI participants. TCS will replace the previous DFN-PKI "Global" in the medium term. User certificates will continue to be applied for via DFN until mid-2023 as before; server certificates can only be applied for via Sectigo as of 1 January 2023. The RZ website on the subject of certificates will be fundamentally revised once all certificate types have been switched to Sectigo.

The "in-house" conversion of the certificates for the web server and the content management system has now largely been completed. Automation via ACME has been set up here.

Individual certificates are now obtained for individual subdomains. Delegation is possible for certain areas, so that the responsible admins can issue certificates completely independently within their subareas (subdomains, as has already been done for TF/Informatics, for example). These admins receive ACME credentials (an eab-keyid and an eab-password, used for External Account Binding, EAB). The domains are assigned via Domain Validation; in the course of the ACME conversion of the web servers, everything under uni-freiburg.de is already "authenticated". It is still possible to generate individual server certificates. This can be done with an employee account and is explained on the RZ homepage.
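What the eab-keyid and eab-password mentioned above are used for is defined by the ACME protocol (RFC 8555, section 7.3.4): when the client creates its ACME account, it includes an "externalAccountBinding" field, a JWS over the account's public key that is signed with HMAC-SHA256 using the CA-issued key, so the CA can tie the new account to the delegated area. ACME clients do this internally; the following is an added, stand-alone illustration of that binding and is not code from the RZ or from Sectigo. The key id, HMAC key, account key and newAccount URL are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as required for JWS components."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; tolerates the missing padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholders (NOT real values): the CA hands out the key id
# and the base64url-encoded HMAC key; the account JWK is the public key the
# ACME client generated for its own account.
SAMPLE_EAB_KID = "example-kid-0001"
SAMPLE_EAB_HMAC_KEY = b64url(bytes(range(32)))
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab_jws(account_jwk: dict, eab_kid: str, eab_hmac_key: str,
                  new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    Protected header: alg=HS256, kid=<CA key id>, url=<newAccount URL>.
    Payload: the account public key as a JWK. Signature: HMAC-SHA256 with
    the CA-issued key over "protected.payload".
    """
    mac_key = b64url_decode(eab_hmac_key)
    protected = b64url(_canonical({"alg": "HS256", "kid": eab_kid,
                                   "url": new_account_url}))
    payload = b64url(_canonical(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload,
            "signature": b64url(signature)}


def new_account_request(account_jwk: dict, contact_email: str, eab_kid: str,
                        eab_hmac_key: str, new_account_url: str) -> dict:
    """The newAccount payload the client would wrap in its outer JWS."""
    return {
        "termsOfServiceAgreed": True,
        "contact": [f"mailto:{contact_email}"],
        "externalAccountBinding": build_eab_jws(
            account_jwk, eab_kid, eab_hmac_key, new_account_url),
    }


def decode_protected_header(jws: dict) -> dict:
    return json.loads(b64url_decode(jws["protected"]))


def verify_eab_jws(jws: dict, eab_hmac_key: str, expected_kid: str,
                   expected_url: str, expected_jwk: dict) -> bool:
    """CA-side check: header fields, payload and MAC must all match."""
    header = decode_protected_header(jws)
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    if header.get("url") != expected_url:
        return False
    if json.loads(b64url_decode(jws["payload"])) != expected_jwk:
        return False
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key), signing_input,
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking information via timing.
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))


if __name__ == "__main__":
    req = new_account_request(SAMPLE_ACCOUNT_JWK, "admin@example.invalid",
                              SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY,
                              SAMPLE_NEW_ACCOUNT_URL)
    print(json.dumps(req, indent=2))
    print("binding valid:", verify_eab_jws(
        req["externalAccountBinding"], SAMPLE_EAB_HMAC_KEY, SAMPLE_EAB_KID,
        SAMPLE_NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK))
```

In practice the two values are simply passed to the client (certbot and acme.sh both accept them as `--eab-kid` and `--eab-hmac-key`); the point of the example is that the HMAC key is a secret that authorises account creation for the delegated area and should be stored and handled like a password.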

External domains must go through the Domain Control Validation (DCV) procedure, after which a re-validation must take place annually via email or a CNAME entry. For the email variant, only the following addresses are permitted: hostmaster@, postmaster@, administrator@ and webmaster@. Another possibility is validation via HTTP/HTTPS: here, a file specified by Sectigo must be made available under a specific URL.

Server certificates are becoming important not only for the web servers but also for other services that rely on TLS. The considerations for the procedure here are subject to the planned developments for improving IT security on campus. Even though the University of Freiburg has so far been spared the kind of attacks recently seen at universities of all kinds, this topic needs significantly more attention and prevention. Both measures by the computing centre and activities on campus in cooperation with information security will be necessary. The successful ISO 27001 certification, which is due for renewal in the third quarter, is a good guideline for structuring these measures. It is important to note that IT security concerns not only the protection of data but also the availability of services.

The goal is to compartmentalise the campus network more clearly through network segmentation and the establishment of a DMZ. In future, services for external use can only be provided in the DMZ. Server certificates, including those for internal use between machines on campus, can be created by the responsible server administrators themselves by applying for the use of ACME. A written confirmation for the certificate order is no longer necessary.

For the time being, the computing centre continues to document the handling of individual server certificates on its homepage. In general, however, one should choose the path of automation in order not to be regularly surprised by expiring certificates. Instructions on how this can be done with the help of so-called "ACME clients" can be found in our Wiki:

https://www.wiki.uni-freiburg.de/rz/doku.php?id=zertifikate_installieren_mit_acme-clients 

as well as in the Admin-Forum.