New application procedure for server certificates
The "in-house" conversion of the certificates for the web server and the content management system has now largely been completed. Automation via ACME has been set up here.
Individual certificates are now obtained for individual subdomains. Delegation is possible for certain areas, so that the responsible admins can issue certificates completely independently for their subareas (subdomains), as has already been done for TF/Informatics, for example. These admins receive ACME credentials (eab-keyid and eab-password, used for External Account Binding, EAB). The domains are assigned via Domain Validation; in the course of the ACME conversion of the web servers, everything under uni-freiburg.de is already "authenticated". It is still possible to generate individual server certificates; this can be done with an employee account and is explained on the RZ-Homepage.
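To show what the eab-keyid and eab-password are for, here is an added example (not the RZ's code and not taken from any ACME client) that builds and verifies the RFC 8555 External Account Binding object an ACME client includes in its newAccount request. The key id, HMAC key, account key and CA URL are constructed placeholders; the CA-side check is simplified to the header fields and the MAC.

```python
"""How ACME External Account Binding (EAB) credentials are used (RFC 8555 section 7.3.4).
Stdlib only; every credential and URL below is a constructed sample value."""
import base64
import hashlib
import hmac
import json

# Constructed sample credentials, not values issued by any CA (placeholders).
SAMPLE_EAB_KID = "delegated-admin-example"
SAMPLE_EAB_HMAC_KEY = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"
# The client's own ACME account key as a JWK (the RFC 7515 example P-256 key).
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                      "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical(obj: dict) -> str:
    """Compact, key-sorted JSON, base64url-encoded (one JWS component)."""
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def build_eab(kid, hmac_key_b64url, account_jwk, new_account_url):
    """Client side: the externalAccountBinding JWS embedded in newAccount.
    Header: alg HS256, kid = CA-issued EAB key id, url = newAccount endpoint
    (no nonce).  Payload: the account's public JWK.  Signature: HMAC-SHA256
    under the CA-issued secret (the "eab-password") over header.payload."""
    protected = canonical({"alg": "HS256", "kid": kid, "url": new_account_url})
    payload = canonical(account_jwk)
    mac = hmac.new(b64url_decode(hmac_key_b64url), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab, hmac_key_b64url, expected_kid, expected_url):
    """CA side: check the header fields, then compare the MAC in constant time.
    (A real CA also checks that the payload JWK equals the outer account key.)"""
    header = json.loads(b64url_decode(eab["protected"]))
    if (header.get("alg"), header.get("kid"), header.get("url")) != ("HS256", expected_kid, expected_url):
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url),
                        f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), eab["signature"])

if __name__ == "__main__":
    eab = build_eab(SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY, SAMPLE_ACCOUNT_JWK, SAMPLE_NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2), "\nvalid:", verify_eab(eab, SAMPLE_EAB_HMAC_KEY, SAMPLE_EAB_KID, SAMPLE_NEW_ACCOUNT_URL))
```

Real clients (for example certbot or acme.sh) do this internally when given the EAB key id and HMAC key, so the credentials only need to be passed to the client once, at account registration.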
External domains must go through the Domain Control Validation (DCV) procedure, whereby a re-validation must then take place via email or CNAME entry (annually). For the emails, there is a restriction to the addresses permitted: hostmaster@ postmaster@ administrator@ webmaster@. Another possibility is the validation via HTTP / HTTPS. Here, a file specified by Sectigo must be stored under a certain URL.
Server certificates are becoming important not only for the web servers but also for other services that rely on TLS. The considerations for the procedure here are subject to the planned developments for improving IT security on campus. Even though the University of Freiburg has so far been spared the kind of recent attacks seen on universities of all types, this topic needs significantly more attention and prevention. The computer centre will take a number of measures, and activities on campus in cooperation with information security will also be necessary. The successful ISO 27001 certification, which is due for renewal in the third quarter, is a good guideline for structuring these measures. It is important to note that IT security covers not only the protection of data but also the availability of services.
The goal is to compartmentalise the campus network more clearly through network segmentation and the establishment of a DMZ. Future services for external use can only be provided in the DMZ. Server certificates for internal use between machines on campus can also be created by the responsible server administrators themselves by applying for the use of ACME. A written confirmation for the certificate order is no longer necessary.
For the time being, the data centre continues to document the handling of individual server certificates on its Homepage. In general, however, one should choose the path of automation in order not to be regularly surprised by expiring certificates. Instructions on how this can be done with the help of so-called "ACME clients" can be found in our Wiki:
https://www.wiki.uni-freiburg.de/rz/doku.php?id=zertifikate_installieren_mit_acme-clients
as well as in the Admin-Forum.