1.8 KiB
1.8 KiB
Managing SSL certificates
We use DigiCert certificates.
Requesting certificates
First create a certificate signing request (CSR) like this, replacing $FQDN
and $ALIASES
cat >$FQDN.cnf <<EOF
FQDN = $FQDN
ORGNAME = Paul Scherrer Institut (PSI)
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:\$FQDN $ALIASES
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AWI
[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
Finally, submit the CSR. Please note that the URL will work when accessed from PSI network (e.g. VPN).
DigiCert will send an email including instructions on how to download the certificate.
Our teams practice is to always create a new private key and to back it up encrypted in Gitlab, either
- in Hiera as EYAML
- for central infrastructure hosts in their bootstrap repository
- for the rest in our team secret store
Renewing certificates
Using the same configuration file as above, generate a new private key and CSR, and submit the CSR as before.
Revoke certificates
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch