#language en
= Installation of Certificates =

To provide secure connections (https, webdavs) to s15, its alias druck and the management ports ms15, mb, SSL certificates must be installed. These can be obtained for free from Sectigo via TU Wien, see their [https://www.it.tuwien.ac.at/services/zutritt-login-und-identity/identity/ssl-zertifikate/zertifikate/ instructions]. Certificates are valid for one year. The new certificate will be immediately valid, for one year – renew it shortly before the old one expires.

To renew a certificate,
 1. First, create a certificate signing request (CSR),
 1. fill out the form at the Sectigo [https://cert-manager.com/customer/ACOnet/idp/ssl/Jav5QQDMYw8fkCW99NCX/select client portal].[[BR]] (Perhaps, in future, tick "Auto Renew" and give a passphrase. Then, you could probably download renewed certificates from the website.)
 1. The new certificate will arrive one or two days later by e-mail. Install it.
 1. Check the connection with `openssl s_client -connect s15.fluid.tuwien.ac.at:443 -status`, probably also `openssl s_client -connect druck.fluid.tuwien.ac.at:631`.

'''1.''' On s15, issue the `openssl req` command below to create a CSR. The command will ask a number of questions.
{{{
cd /etc/ssl

# if the certificate does not change, convert the old certificate into a csr,
openssl x509 -x509toreq -in certs/s15.crt -out s15.csr -signkey private/s15.key
# see man x509(1ssl)

# Alternatively, create a new csr (see man req(1ssl))
openssl req -new -utf8 -out s15.csr -key private/s15.key
#  -new   generate a new csr
#  -utf8  input field values as utf8 string
#  -out   output filename
#  -key   provide an existing key; otherwise, use -newkey
Country Name (2 letter code): AT
State or Province Name (full name): Austria
Locality Name (eg, city): Wien
Organization Name (eg, company): Technische Universität Wien
Organizational Unit Name (eg, section): Institut für Strömungsmechanik und Wärmeübertragung
Common Name (e.g. server FQDN or YOUR name): s15.fluid.tuwien.ac.at
Email Address: thomas.loimer@tuwien.ac.at

# Check the generated request with
openssl req -noout -text -in s15.csr
#  -text   print the certificate in text form
#  -noout  do not output the encoded form of the request

# Look at the private key with
openssl pkey -in private/s15.key -text -noout
}}}

'''2.''' Fill out the form at the Sectigo website.
{{{
Request Multi-Domain SSL Certificate
First Name: Thomas
Last Name: Loimer
Your Email Address: thomas.loimer@tuwien.ac.at
Add your CSR; (browse to the file)
Common Name: s15.fluid.tuwien.ac.at
Other Hostnames(SANs)
    s15.fluid.tuwien.ac.at
    druck.fluid.tuwien.ac.at
    www.fluid.tuwien.ac.at
Organization Unit: Institut für Strömungsmechanik und Wärmeübertragung
(no) Auto-renew
Organization: Technische Universität Wien
}}}
Click on `Enroll`.

'''3.''' An e-mail ("Enrollment Successful - Your SSL certificate is ready" from `support@cert-manager.com`) is sent, containing information on how to download variations of the certificate. Download ''Certificate only, PEM encoded'' and ''as Certificate (w/ issuer after), PEM encoded''. This e-mail also contains a renew id; I do not know how to use the renew id.

Copy to /etc/ssl/certs/s15.crt. Also, take care that the symbolic links /etc/cups/ssl/s15.fluid.tuwien.ac.at.{crt,key} are not broken. CUPS requires the key and certificate to be named after the server name.
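
One way to check the downloaded certificate before copying it into place in step 3, as an added example that is not part of the original page: it confirms that the certificate belongs to the existing private key, that every hostname entered in the Sectigo form appears as a SAN, and that the certificate is not about to expire. The function names, the file name `check_cert.sh`, the 30-day threshold and the self-signed sample certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks to run on a downloaded certificate before installing it.
# Needs OpenSSL 1.1.1 or newer (-addext, -ext).

# Succeeds if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if NAME ($2) is listed as a DNS entry in the subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# check_cert CERT KEY NAME...: run all checks, report the first failure.
check_cert() {
    cert=$1; key=$2; shift 2
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert does not belong to $key" >&2; return 1; }
    for name in "$@"; do
        cert_has_san "$cert" "$name" ||
            { echo "FAIL: $name is not in the SANs" >&2; return 1; }
    done
    # -checkend N fails if the certificate expires within N seconds;
    # 30 days is an assumed threshold.
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
    echo "OK: $cert"
}

# Constructed sample data: a throwaway key and self-signed certificate in
# directory $1, standing in for private/s15.key and the Sectigo download.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/s15.key" -out "$1/s15.crt" \
        -subj "/CN=s15.fluid.tuwien.ac.at" \
        -addext "subjectAltName=DNS:s15.fluid.tuwien.ac.at,DNS:druck.fluid.tuwien.ac.at,DNS:www.fluid.tuwien.ac.at" \
        2>/dev/null
}

# Usage: sh check_cert.sh CERT KEY NAME...
if [ "$#" -ge 3 ]; then check_cert "$@"; fi
```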