Request for a server certificate

If you are the responsible administrator of a server within the scope served by the WWUCA, you may request a server certificate and so allow the users of your server to establish secure (TLS) connections to it.

The responsible administrators are the “Leitend Verantwortlicher” (managing contact) and the “Technisch Verantwortlicher” (technical contact) of the server as recorded in the university's central computer database or the relevant NIC database. Requests from third parties are accepted only with their consent.

Preparing the request

First you have to create a key pair and a certificate signing request (CSR) in PKCS#10 format. Consult the documentation of your server software.

If your server software provides its own tools for creating the key pair and the CSR, use them: the private key then stays where the server expects it.

If you have to create the key pair and the CSR yourself with OpenSSL, you can use the command below. It writes the private key to xxx-key.pem and the CSR, in the required PKCS#10 format, to xxx-req.pem:

(Replace xxx with a meaningful name, for example the host name.)

openssl req -new -newkey rsa:2048 -out xxx-req.pem -keyout xxx-key.pem

You will be prompted for a passphrase, and the private key is saved encrypted with it. If you do not want that (for example because the server must start unattended), add the option -nodes (since OpenSSL 3.0 the option is called -noenc; -nodes is still accepted). You can also strip the passphrase from an existing key file later with the following command; because no cipher option (-aes256 etc.) is given, openssl rsa writes the key unencrypted:

openssl rsa -in xxx-key.pem -out xxx-key-unsafe.pem

An unencrypted key file must be readable only by the account that runs the server (chmod 600) and must never be sent to the WWUCA or anyone else; the CA only needs the CSR.

If you create the key pair and the CSR with the Java keytool, you can use the two commands below. The private key remains in the Java keystore (here the file xxx.jks) and the CSR is written in the required PKCS#10 format to xxx-req.pem (the key algorithm and size belong to the key-generation step only):

keytool -genkeypair -alias xxx -keyalg RSA -keysize 2048 -keystore xxx.jks
keytool -certreq -alias xxx -file xxx-req.pem -keystore xxx.jks

In all cases you will be prompted for further information: the fields of the subject name and the passphrases.

Make sure that the key length is at least 2048 bits and that the subject name complies with the strict requirements of the certification policy:

  • The attribute “C” (for Country) must contain the value “DE” exactly.

  • The attribute “ST” (for State) must contain the value “Nordrhein-Westfalen” exactly.

  • The attribute “L” (for Locality) must contain the value “Muenster” exactly.

  • The attribute “O” (for Organization) must contain exactly one of the following values:
    Westfaelische Wilhelms-Universitaet Muenster
    Universitaetsklinikum Muenster
    Kunstakademie Muenster - Hochschule fuer Bildende Kuenste

  • The attribute “OU” (for Organizational Unit) may be omitted for central systems only. Otherwise it must be given and must name the organizational unit. Do not use abbreviations that are unintelligible to third parties, such as “THK”; use the full name, such as “Klinik und Poliklinik fuer Thorax-, Herz- und Gefaesschirurgie”. Umlauts are to be written as ae/oe/ue and ß as ss, and the only permitted punctuation marks are “'()+,-./:=?”. Only for overlong names (more than 64 characters) may clearly comprehensible abbreviations be used.

  • The attribute “CN” (for Common Name) must contain the fully qualified domain name (FQDN) of the server, written in lowercase letters.

For example, a valid name would be:

C=DE
ST=Nordrhein-Westfalen
L=Muenster
O=Westfaelische Wilhelms-Universitaet Muenster
OU=Universitaets- und Landesbibliothek
CN=www.ulb.uni-muenster.de
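Before uploading, it is worth checking the subject name mechanically against the rules above, because a request with a wrong C/ST/L/O value or an uppercase CN does not meet the policy and a new CSR has to be generated. The following Python script is an added example, not a WWUCA tool: it parses the one-attribute-per-line form used in the example above, reports every rule that can be checked by machine (whether a system is "central" and whether an abbreviation is comprehensible cannot be), and renders the name as the -subj argument for a non-interactive openssl req call. The fixed values, permitted organisations and punctuation set are transcribed from this page; the second sample name is constructed to break several rules, and the 64-character limit on CN is an assumption taken from the X.509 upper bound.

```python
"""Pre-flight check of a CSR subject name against the naming rules quoted on
this page.  Added example, not a WWUCA tool: the fixed values, permitted
organisations and punctuation set are transcribed from the page; the
64-character limit on CN is the X.509 upper bound and is an assumption."""
import re

FIXED = {"C": "DE", "ST": "Nordrhein-Westfalen", "L": "Muenster"}
ALLOWED_O = {
    "Westfaelische Wilhelms-Universitaet Muenster",
    "Universitaetsklinikum Muenster",
    "Kunstakademie Muenster - Hochschule fuer Bildende Kuenste",
}
PUNCT = "'()+,-./:=?"                      # the only punctuation the policy allows
KNOWN = ("C", "ST", "L", "O", "OU", "CN")  # attributes the page describes
_NAME_CHARS = re.compile(r"^[A-Za-z0-9 " + re.escape(PUNCT) + r"]+$")
_FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_subject(text):
    """Parse the one-attribute-per-line form shown on this page into (attr, value) pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"not an ATTR=value line: {line!r}")
        attr, value = line.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject(pairs):
    """Return the list of policy violations; an empty list means the name passes."""
    problems, seen = [], {}
    for attr, value in pairs:
        if attr in seen:
            problems.append(f"{attr}: given more than once")
        seen[attr] = value
    for attr in sorted(set(seen) - set(KNOWN)):
        problems.append(f"{attr}: attribute not covered by the policy, remove it")
    for attr, want in FIXED.items():
        if seen.get(attr) != want:
            problems.append(f"{attr}: must be exactly {want!r}, got {seen.get(attr)!r}")
    if seen.get("O") not in ALLOWED_O:
        problems.append(f"O: {seen.get('O')!r} is not one of the permitted organisations")
    if "OU" not in seen:
        # cannot be decided mechanically: only central systems may omit OU
        problems.append("OU: omitted (permitted for central systems only)")
    else:
        ou = seen["OU"]
        if not _NAME_CHARS.match(ou):
            problems.append(f"OU: {ou!r} contains characters other than A-Z a-z 0-9 space "
                            f"and {PUNCT} (write umlauts as ae/oe/ue/ss)")
        if len(ou) > 64:
            problems.append(f"OU: {len(ou)} characters, at most 64 allowed (abbreviate clearly)")
    cn = seen.get("CN")
    if cn is None:
        problems.append("CN: missing")
    else:
        if cn != cn.lower():
            problems.append("CN: must use lowercase letters")
        if not _FQDN.match(cn.lower()):
            problems.append(f"CN: {cn!r} is not a fully qualified domain name")
        if len(cn) > 64:
            problems.append(f"CN: {len(cn)} characters, at most 64 allowed")
    return problems


def _escape(value):
    # openssl req -subj separates attributes with '/', so '/' and '\' in values are escaped
    return value.replace("\\", "\\\\").replace("/", "\\/")


def to_subj_arg(pairs):
    """Render the pairs as the argument for `openssl req -subj ...` (non-interactive use)."""
    return "".join(f"/{attr}={_escape(value)}" for attr, value in pairs)


# The page's own example, and a constructed name that breaks four rules.
GOOD_SUBJECT = """\
C=DE
ST=Nordrhein-Westfalen
L=Muenster
O=Westfaelische Wilhelms-Universitaet Muenster
OU=Universitaets- und Landesbibliothek
CN=www.ulb.uni-muenster.de
"""
BAD_SUBJECT = """\
C=DE
ST=NRW
L=Münster
O=WWU
OU=THK
CN=WWW.ULB.Uni-Muenster.DE
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SUBJECT), ("bad", BAD_SUBJECT)):
        print(f"{label}: {check_subject(parse_subject(text)) or 'OK'}")
    print("openssl req -new -newkey rsa:2048 -keyout xxx-key.pem -out xxx-req.pem -subj",
          repr(to_subj_arg(parse_subject(GOOD_SUBJECT))))
```

Note that “THK” passes the check: the abbreviation rule is a judgement the script cannot make. Once the CSR exists, openssl req -in xxx-req.pem -noout -subject prints the name actually embedded in it, which is what the WWUCA will see; compare that output with the name you validated here before uploading.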

Submitting the request

To submit the CSR (never the private key!) to the WWUCA, go to ca.wwu.de, the web pages of our certification server. There, under “Zertifikate” (certificates), choose “Serverzertifikat” (server certificate).

On that page upload the CSR file, select the required certificate profile (Zertifikatprofil) and fill in the remaining input fields.

If the certificate is only needed so that client computers can establish secure connections to the server (no matter whether HTTPS, IMAPS, SMTP with STARTTLS etc.), the preselected certificate profile “Web-Server” can be used. If you need another profile, see the description of the certificate profiles in the DFN-PKI (text in German) or ask the WWUCA for advice.

On the next page review and confirm all data. Then print the application form, sign it, and hand it in personally to a member of the participant service staff, proving your identity with your passport or identity card.