Installation of Certificates

To provide secure connections (https, webdavs) to s15, its alias druck and the management ports ms15, mb, SSL certificates must be installed. These can be obtained for free from Sectigo via TU Wien; see their instructions.

Certificates are valid for one year. A new certificate is valid immediately, again for one year; renew it shortly before the old one expires. To renew a certificate,

  1. First, create a certificate signing request (CSR).
  2. Fill out the form at the Sectigo client portal.
     (Perhaps, in future, tick "Auto Renew" and give a passphrase. Then, you could probably download renewed certificates from the website.)
  3. The new certificate will arrive one or two days later by e-mail. Install it.
  4. Check the connection with openssl s_client -connect s15.fluid.tuwien.ac.at:443 -status, probably also openssl s_client -connect druck.fluid.tuwien.ac.at:631.

1. On s15, issue the openssl req command below to create a CSR. The command will ask a number of questions.

cd /etc/ssl
# If the certificate data does not change, convert the old certificate into a CSR
# (see man x509(1ssl)):
openssl x509 -x509toreq -in certs/s15.crt -out s15.csr -signkey private/s15.key
# Alternatively, create a new CSR (see man req(1ssl)):
openssl req -new -utf8 -out s15.csr -key private/s15.key
# -new  generate a new CSR
# -utf8 interpret input field values as UTF-8 strings
# -out  output filename
# -key  use an existing key; otherwise, use -newkey to generate one
Country Name (2 letter code): AT
State or Province Name (full name): Austria
Locality Name (eg, city): Wien
Organization Name (eg, company): Technische Universität Wien
Organizational Unit Name (eg, section): Institut für Strömungsmechanik und Wärmeübertragung
Common Name (e.g. server FQDN or YOUR name): s15.fluid.tuwien.ac.at
Email Address: thomas.loimer@tuwien.ac.at

# Check the generated request with
openssl req -noout -text -in s15.csr
# -text   print the request in text form
# -noout  do not output the encoded form of the request

# Look at the private key with
openssl pkey -in private/s15.key -text -noout

2. Fill out the form at the Sectigo website.

Request Multi-Domain SSL Certificate
First Name: Thomas
Last Name: Loimer
Your Email Address: thomas.loimer@tuwien.ac.at
Add your CSR (browse to the file)
Common Name: s15.fluid.tuwien.ac.at
Other Hostnames (SANs):
  s15.fluid.tuwien.ac.at
  druck.fluid.tuwien.ac.at
  www.fluid.tuwien.ac.at
Organization Unit: Institut für Strömungsmechanik und Wärmeübertragung
(no) Auto-renew
Organization: Technische Universität Wien

Click on Enroll.

3. An e-mail ("Enrollment Successful - Your SSL certificate is ready" from support@cert-manager.com) is sent; it contains links to download several variants of the certificate. Download the "Certificate only, PEM encoded" and the "Certificate (w/ issuer after), PEM encoded" variants. This e-mail also contains a renew id; I do not know how to use the renew id. Copy the certificate to /etc/ssl/certs/s15.crt. Also take care that the symbolic links /etc/cups/ssl/s15.fluid.tuwien.ac.at.{crt,key} are not broken: CUPS requires the key and certificate to be named after the server name.