1.8 KiB
1.8 KiB
HTTPS Certificates
We use DigiCert certificates.
Request a Certificate
First create a certificate signing request (CSR) like this, replacing the values for FQDN
and ALIASES
ALIASES=xyz.psi.ch
FQDN=xyz00.psi.ch
cat >$FQDN.cnf <<EOF
FQDN = $FQDN
ORGNAME = Paul Scherrer Institut (PSI)
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:\$FQDN $ALIASES
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AWI
[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
Finally, submit the CSR. Please note that the URL will work when accessed from PSI network (e.g. VPN).
DigiCert will send an email including instructions on how to download the certificate.
Our teams practice is to always create a new private key and to back it up encrypted in Gitlab, either
- in Hiera as EYAML
- for central infrastructure hosts GPG encrypted in their bootstrap repository
- for the rest in our team secret store
Renew Certificate
Using the same configuration file as above, generate a new private key and CSR, and submit the CSR as before.
Revoke Certificate
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch