1. Generate key pair and create certificate request file

First you have to create a key pair and a certification request file in PKCS#10 format. Please regard the manuals of your server software.

  • If your software offers own tools to create key pair and certification request, please use them.

  • If you are supposed to create key pair and certification request yourself with the OpenSSL software please regard our guide about using OpenSSL.

    In this case, please see also our special instructions on how to obtain server certificates fully automatically or at least to request a certificate using a PHP script that generates a new key pair, submits the request file and downloads the application form in one step.

    We have put together some more information on using OpenSSL here.

  • If you are supposed to create key pair and certification request with the Java keytool please regard our notes about using Java Keytool.

In all cases you are asked for further information.

Please ensure that the key length is at least 2048 bits and that the name complies to the stringent requirements of the certification policies:

  • The attribute “C” (for Country) must contain the value “DE” exactly.

  • The attribute “ST” (for State) must contain the value “Nordrhein-Westfalen” exactly.

  • The attribute “L” (for Location) must contain the value “Muenster” exactly.

  • The attribute “O” (for Organization) must contain exactly one of the following values:
    Westfälische Wilhelms-Universität Münster
    Kunstakademie Münster - Hochschule fuer Bildende Künste

  • The attribute “OU” (for Organizational Unit) must be omitted.

  • The attribute “CN” (for Common Name) must contain the fully qualified domain name (FQDN) using lowercase letters.

For example, a valid name would be:

O=Westfaelische Wilhelms-Universitaet Muenster

2. Submit certificate request

This guide demonstrates the process using Mozilla Firefox. Many other browsers work just as well. (But we hear conspicuously often that users have problems when uploading files with Apple Safari.)

The certification server can be found at the short address “ca.wwu.de”:

Perhaps a page is displayed where you have to select the certification server applicable to you (not shown here).

The full address begins with “https://pki.pca.dfn.de/dfn-ca-global-g2/”. That page is available in German only. Please click on „Serverzertifikat“ (server certificate).

On the page displayed then frist select the certificate request file xxx.req created above:

The preselected „Zertifikatprofil“ (certificate profile) “Web Server” is suitable not only for WWW servers but for all server types that use the certificate only for accepting incoming SSL/TLS/StartTLS connections, e.g. HTTPS, IMAPS, POP3S etc.

For server types also establishing SSL/TLS connections to other servers like SMTP transport servers, the certificate profile “Mail Server” is suitable.

Special servers may need special profiles. If in doubt, please ask the CA.

(Despite the header „Serverzertifikat“ you can also request any kind of person certificates here. To do so, please select the certificate profile “User”.)

Please also enter your contact data:

On the page displayed then enter your personal data. Here some translations:
Vollständiger Name = Full name
Organisationseinheit = Organizational unit
Zentrale Nutzerkennung (...) = Central username
Telefon = Telephone
Ich verpflichte mich ... = I commit myself to obey the rules in the information for certificate holders
Ich stimme der Veröffentlichung ... = I agree that the certificate with my name and my email address is published.

The PIN to be chosen will be needed later when online requesting the certificate to be revoked prematurely (but you can always contact the CA instead).

Committing to the regulations in the information for certificate holders is a mandantory requirement for a certificate to be issued.

With „Weiter“ (continue) you get on the next page. Here you check all data, then click on „Bestätigen“ (confirm):

Please click on „Zertifikatantrag anzeigen“ (show certification request) to download the complete request form containing your data and this fingerprint as a PDF file.

The PDF viewer built into newer Firefox versions is good enough for this PDF file:

In the PDF file you will see your request number and the fingerprint of the public key.

Print this PDF file, sign it, and deliver the request in person to a CA participant service staff member, showing your ID card or passport:

On the map you can look up what staff members are located near you. The exact contact data can be found below:

Alternatively, you could send the PDF file by digitally signed email requesting the certificate to be issued to ca@uni-muenster.de. (For this you need a personal digital ID.) However, this causes additional work for the CA staff.

3. Pick up the certificates

The server certificate is sent to you by email.

The intermediate CA certificates can be found either following the corresponding link in the email or simplier on the page CA Certificates in the table column “X.509 chain”. Usually you need the file “Text (without root)”.

The further procedure depends on your server software: You can merge the PEM files with a simple text editor into one file or split them into several files. You can also assemble the PEM files into a digital ID (PKCS#12 file) or save them in different formats.