Service description

Certificates can be used to verify the identity of the owner of a public key, and possibly other properties (e.g. email address or organisation); refer to public key cryptography.

The associated cryptographic keys can be used to generate electronic signatures and/or to establish encrypted communication channels.

Electronic signatures can offer:

  • authentication - linking the originator to the information
  • integrity - allowing any changes to the information provided to be detected more easily
  • non-repudiation - ensuring satisfaction (in a legal sense) about where the electronic signature has come from

The Certificate Authority "RWTH CA" is a Sub-CA in the DFN-PKI (Public Key Infrastructure). We adhere to the DFN-PKI Certificate Policy. The certificate applicant must be associated with RWTH Aachen University.

The implemented certificate chain ends at a built-in Token from Deutsche Telekom, which is anchored within standard browsers, thus enabling the automated validation of the certificates issued.

The new RWTH-DFN certification portal provides an easy way to apply for X.509 user and server certificates.

Because the root certificate is not installed in the certificate store of older operating systems (Android <= 4.4), problems will occur on those systems when validating the chain.


Electronic signatures generated with cryptographic keys associated with our certificates have the status "advanced electronic signature", according to the German Signature Act.



A separate Certificate Authority, the "RWTH Grid CA", issues X.509 certificates for grid computing; apply at DFN-Grid-certificates.

In this case the DFN-PKI-Grid-Policy applies.





The already deprecated SHA1 certificate of the RWTH CA expired today (Feb 13 00:00:00 2019 GMT).

If it was still in use on a client (e.g. an e-mail program) or a server, an error message should be displayed, and the old (now expired and already deprecated) certificate should be replaced by the following


Depending on the client or server in use, individual steps must be taken, which we cannot explain in detail here because of the large number of possibilities.