TCS ServerCert

Usage
With this script, you can generate a certificate request that you can submit manually to the Terena TCS service. The request can include multiple SubjectAltNames, such as  and.

This script creates the following files in your current working directory:
 * (private key)
 * (certificate request)
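
As an added illustration of what such a request looks like (this is not the original TCS script), the following builds a key and a CSR carrying several SubjectAltNames and reads them back for checking before submission. The function names, the `O = Example Org` subject field and the `HOST.key` / `HOST.csr` file names are assumptions.

```shell
#!/bin/sh
# Added example, not the original TCS script. Subject fields and output
# file names are assumptions; adjust them to your organisation.

# make_csr HOST [ALT_HOST...] -> writes HOST.key and HOST.csr in the cwd
make_csr() {
    [ $# -ge 1 ] || { echo "usage: make_csr host [althost...]" >&2; return 2; }
    first=$1
    cnf=$(mktemp) || return 1
    # Minimal request config. The first host is both the CN and the first
    # SAN, because clients that check SANs do not fall back to the CN.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = HU
O = Example Org
CN = $first
[ext]
subjectAltName = @alt
[alt]
EOF
    i=1
    for h in "$@"; do
        echo "DNS.$i = $h" >> "$cnf"
        i=$((i + 1))
    done
    # umask 077 keeps the private key unreadable for other users from creation.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
          -keyout "$first.key" -out "$first.csr" )
    rc=$?
    rm -f "$cnf"
    return $rc
}

# csr_sans FILE -> prints the DNS names found in the request, sorted
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | sort
}
```

Running `csr_sans` on the generated request before submitting it confirms that every hostname made it into the SAN extension.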

Apache config
This is how you can instruct Apache to use the new cert:

 SSLCertificateFile /path/to/your/pki/hostname.you.provided.first.crt
 SSLCertificateKeyFile /path/to/your/pki/hostname.you.provided.first.key
 SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt

Self-signed
It's not recommended to use CA-signed certificates with your IdPs or SPs. Doing so has no benefits and has some drawbacks (i.e. some older versions of mod_ssl refuse to work with expired SP certs).

Instead, you should generate a self-signed certificate with the following commands (please adjust the subject):

 export host=your.host.name
 # Create the private key and a certificate request
 openssl req -new -newkey rsa:2048 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -nodes \
   -keyout "$host-fed.key" -out "$host-fed.csr"
 # Self-sign the request; -days goes here because req ignores it without -x509
 openssl x509 -in "$host-fed.csr" -out "$host-fed.crt" -req -signkey "$host-fed.key" -days 10000