Service description

Certificates can be used to verify the identity of the owner of a public key, and possibly other properties (e.g. email address or organisation); refer to public key cryptography.

The associated cryptographic keys can be used to generate electronic signatures and/or to establish encrypted communication channels.

Electronic signatures can offer:

  • authentication - linking the originator to the information
  • integrity - allowing any changes to the information provided to be detected more easily
  • non-repudiation - ensuring satisfaction (in a legal sense) about where the electronic signature has come from

The Certificate Authority "RWTH CA" is a Sub-CA in the DFN-PKI (Public Key Infrastructure). We adhere to the DFN-PKI Certificate Policy. The certificate applicant must be associated with RWTH Aachen University.

The implemented certificate chain ends at a built-in Token from Deutsche Telekom, which is anchored within standard browsers, thus enabling the automated validation of the certificates issued.

The new RWTH-DFN certification portal provides an easy way to apply for X.509 user and server certificates.

Because the root certificate is not installed in the certificate store of older operating systems (Android <= 4.4), problems will occur when validating the chain on those systems.


Electronic signatures generated with cryptographic keys associated with our certificates have the status "advanced electronic signature", according to the German Signature Act.



A separate Certificate Authority, the "RWTH Grid CA", issues X.509 certificates for grid computing; apply at DFN-Grid-certificates.

In this case the DFN-PKI-Grid-Policy applies.





In view of the release of Firefox version 69, the DFN-PKI team expects to provide a new application page for user certificates by September that uses the JavaScript WebCrypto API of modern browsers. The URL of the application page will not change; it remains the one linked here.

The new application pages will initially be offered to users whose browsers no longer support the KEYGEN tag (the traditional method of generating keys in the browser for user certificates).

With the removal of the KEYGEN tag, a .p12 file must always be created after retrieving the issued certificate in the browser.