Registration Authority (RA) of TUB-CA

The trustcenter of TU Berlin performs the tasks of the registration authority (RA) assigned to TUB-CA and to the TUB e-mail CA. This includes in particular verifying the identity of participants. (Currently no other RAs for TUB-CA are planned.)

Certificates

Since the introduction of the TU campus card, certificates for secure e-mail are no longer issued separately: the keys and certificates stored on the card are used instead.

From version 7 of Microsoft Internet Explorer and version 3 of Mozilla Firefox, the CA certificates of TUB-CA's certificate chain are preinstalled, so our new certificates can be installed without a browser prompt. For older or other browsers you can import the CA certificates from our public PKI server by selecting the tab "CA-Zertifikate".

If your browser does not allow a TLS connection, you can download the certificates over an unencrypted connection:
Root Certificate (CRT, 931,0 B)
DFN-PCA Certificate (CRT, 1,2 KB)
TUB-CA Certificate (CRT, 1,3 KB)
Certificate Chain (TXT, 5,1 KB)

Search Certificates

For validation or encrypted communication you need the certificate of your communication partner. The public PKI portal of TUB-CA lets you search for published certificates of PKI participants by name or e-mail address. Search for certificates now: https://pki.pca.dfn.de/tu-berlin-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=search_cert;id=1;menu_item=3&RA_ID=0

This service is only available for TLS/SSL server certificates issued by TUB-CA.

Blacklists (CRLs) and Revocation of TUB-CA Certificates

If you need to revoke your certificate because it has been compromised or because you have lost your private key, use the public PKI portal of TUB-CA. You need the revocation PIN to do so.

The public PKI portal also lets you view the blacklists (certificate revocation lists, CRLs).

Instructions for Server Certificates

Step 1: Introduction

With a server certificate, your server is certified by a trusted authority, which allows users to verify the authenticity of the server unambiguously. The trustcenter of Technische Universität Berlin provides TLS certificates for servers to all administrators of TU departments.

Step 2: Preparation

TLS certificates are issued by TUB-CA according to the certification policies of DFN and TUB. You can find both policies on the public PKI server of TUB under the menu option "Policies". Please read the policies carefully: the certification policies and the obligations of the certificate holder described there determine the quality of the issued certificates.

Step 3: Creation of a Key Pair and Creation of a Certificate Signing Request (CSR)

You have to create the key pair for your server yourself. The key length must be at least 2048 bits (RSA). The public key of the pair is submitted to TUB-CA for certification in a certificate signing request (CSR).

The following rules apply to the choice of the complete server name (distinguished name, DN):

  • Certificates for web servers must contain a distinct host name in the attribute "cn="
  • This attribute may not contain wildcards or numeric IP addresses
  • The optional attribute "email=" should contain a valid, role-based e-mail address, such as the server administrator's address.
  • For servers in the area of TUB-CA the name is:

c=DE,st=Berlin,l=Berlin,o=Technische Universitaet Berlin,
ou=<Institute/Department>,
cn=<complete computer name>,
email=<E-Mail-Address of Server-Admin>

For Windows servers we recommend using the wizard (Internet Service Manager) to create the signing request.

Instructions for request generation with OpenSSL (RRZN of Uni-Hannover)
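The key-pair and CSR creation of step 3 done with OpenSSL, as an added example that is not part of the tubIT page or of the Uni-Hannover instructions: the subject follows the TUB-CA DN template, the CN is checked against the wildcard/IP rule before anything is generated, and the resulting CSR is inspected for the required key size. Host name, department and administrator address are constructed placeholders; only the .csr file is submitted in step 4, the .key file stays on the server.

```shell
#!/bin/sh
# Added example, not code from the tubIT page: create a 2048-bit RSA key pair
# and a CSR whose subject follows the TUB-CA DN template from step 3, and
# check the result before submitting it. Host name, department and admin
# address used in the comments are constructed placeholders.
set -e

# Build the subject in OpenSSL's slash notation. The page's "email=" attribute
# is called emailAddress in OpenSSL; the other attributes map directly.
tub_subject() {
  # $1 = institute/department, $2 = complete host name, $3 = admin e-mail
  printf '/C=DE/ST=Berlin/L=Berlin/O=Technische Universitaet Berlin/OU=%s/CN=%s/emailAddress=%s' \
    "$1" "$2" "$3"
}

# Return 1 for CNs the policy forbids: wildcards and numeric IPv4 addresses.
cn_allowed() {
  case "$1" in
    *\**) return 1 ;;
  esac
  if printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    return 1
  fi
  return 0
}

# Generate the key pair and CSR ($4.key, $4.csr); refuse disallowed names.
make_csr() {
  # $1 = host name, $2 = department, $3 = admin e-mail, $4 = output prefix
  cn_allowed "$1" || { echo "CN '$1' violates the TUB-CA naming rules" >&2; return 1; }
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$4.key" 2>/dev/null
  chmod 600 "$4.key"   # the private key never leaves the server
  openssl req -new -key "$4.key" -subj "$(tub_subject "$2" "$1" "$3")" -out "$4.csr"
}

# Print the RSA key size found in a CSR (TUB-CA requires at least 2048).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the CN from a CSR subject (works with old and new OpenSSL output).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Usage with constructed values:
#   make_csr www.example.tu-berlin.de "Fakultaet IV" admin@example.tu-berlin.de srv
#   csr_key_bits srv.csr   # prints 2048
#   csr_cn srv.csr         # prints www.example.tu-berlin.de
```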

Step 4: Requesting a New Certificate at TUB-CA

The public PKI server of TUB-CA provides all important features related to certification. Here you submit the certificate signing request file created in step 3.

Public PKI-Server

In the second step, sign the participation agreement printed out during the request procedure and present it in person to the registration authority of TUB-CA. Please bring an ID and an accreditation letter from your institute identifying you as server administrator.

Appointment via phone: 314-24383 or 314-24229
E-Mail:
Address: 
tubIT, Technische Universität Berlin
Einsteinufer 17
10587 Berlin

Step 5: Add the certificate and private key to your server

After processing your signing request, TUB-CA will send a notification e-mail with your certificate as attachment. The file containing the certificate has to be installed in the run-time environment of your server.

For Windows Server we recommend using the wizard (Administrative Tools, Internet Service Manager) to install the certificate.
Instructions for OpenSSL (RRZN of Uni-Hannover)

Alternatively, Uni Freiburg provides instructions for request creation with the Java keytool: Instructions for Java Keytool (Uni Freiburg).

Certification Policies and Explanations about Signing Operations

A certification policy (CP) defines the rules which one or more certification authorities comply with. The certification authority of Technische Universität Berlin formulates its certification policy such that the „Zertifizierungsrichtlinie der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“ (certification policy of the public key infrastructure of the German Research Network - Global, Classic, Basic) applies.
A certification practice statement describes the methods employed to implement the terms of a certification policy. The certification authority of TU Berlin complies with the „Erklärung zum Zertifizierungsbetrieb der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“.

The content of both documents is extended with TUB-CA's own specifications in the „Erklärung zum Zertifizierungsbetrieb der TUB-CA in der DFN-PKI“ (certification practice statement of TUB-CA in DFN-PKI).

Certification Policy of DFN-PKI - Security Levels: Global, Classic, Basic

Certification Practice Statement of the Top-Level Certification Authority of DFN-PKI - Security Levels: Global, Classic, Basic

Certification Practice Statement of TUB-CA in DFN-PKI - Security Level: Global

Request of a User/Server Certificate of Grid-CA of DFN-PKI

The trustcenter of TU also acts as a registration authority (RA) of the Grid-CA within DFN-PKI. Grid certificates of DFN-PKI can be requested for:

  • TUB employees with a provisioned tubIT account
  • Servers in the TU network

Please read the policies of DFN Grid-CA on their website before submitting a request.

Requesting user certificates: Go to the website of the Grid-RA.
The web interface provided by DFN helps you create a key pair and a participation document. Complete and sign the form and present it, together with your personal ID/passport/campus card, at the registration authority in the trustcenter (E-N 007, ph. 24383). If everything is correct, the Grid-RA will initiate the certification of your public key. The issued certificate will be sent to you via e-mail. The e-mail explains how to install the certificate in the browser used to create the key pair.
If you also need the private key outside this browser, proceed as follows:

  • Export the certificate including the private key into a file in PKCS#12 format, e.g. "certkey.p12"; depending on the browser's export feature this may happen automatically.
  • Extract the key with a suitable tool such as "openssl":
    openssl pkcs12 -in certkey.p12 -nocerts -out key.pem
    The private key is now available in the file key.pem (openssl asks for the PKCS#12 import password and for a passphrase that protects key.pem).

Requesting server certificates: Go to the website of the Grid-RA.
Then proceed as described in the instructions for server certificates.
Deviating from those instructions, choose the distinguished server name as follows:

  • C=DE
  • O=GridGermany
  • OU=Technische Universitaet Berlin
  • [OU=(Organisational Unit)]
  • CN=(fully qualified server name)
  • EMail=(E-Mail address of the administrator)

Attributes in square brackets [..] are optional.
The completed and signed participation agreement has to be presented at the registration authority together with a campus card/personal ID/passport (E-N 007, ph. 24383).
If everything is correct, the Grid-CA will initiate the certification of your public key. The issued certificate will be sent to you via e-mail.
For the installation, please follow the instructions provided in the e-mail.
