Service description


Certificates can be used to verify the identity of the owner of a public key, and possibly other properties (e.g. e-mail address or organisation); refer to public key cryptography.

The associated cryptographic keys can be used to generate electronic signatures and/or to establish encrypted communication channels.

Electronic signatures can offer:

  • authentication - linking the originator to the information
  • integrity - allowing any changes to the information provided to be detected more easily
  • non-repudiation - ensuring satisfaction (in a legal sense) about where the electronic signature has come from

The Certificate Authority "RWTH CA" is a Sub-CA in the DFN-PKI (Public Key Infrastructure). We adhere to the DFN-PKI Certificate Policy. The certificate applicant must be associated with RWTH Aachen University.

The implemented certificate chain ends at a built-in Token from Deutsche Telekom, which is anchored within standard browsers, thus enabling the automated validation of the certificates issued.

The new RWTH-DFN certification portal provides an easy way to apply for X.509 user and server certificates.

As the root certificate is not installed in the certificate store of older operating systems (Android <= 4.4), problems will occur there when validating the chain.

Electronic signatures generated with cryptographic keys associated with our certificates have the status "advanced electronic signature", according to the German Signature Act.

A separate Certificate Authority, the "RWTH Grid CA", issues X.509 certificates for grid computing; apply at DFN-Grid-certificates.

In this case the DFN-PKI-Grid-Policy applies.

News


Due to the closure of the IT-ServiceDesk locations for personal customer contact (Seffenter Weg 23, Wendlingweg 10 and SuperC), the acceptance and processing of certificate applications will be limited until further notice.

The following requirements must be met:

  • the person making the request uses a user certificate issued for them by the DFN-PKI
  • the applicant can send a signed e-mail from their personal mailbox (e-mails from functional mailboxes will be rejected)

Background information:

  • we need to be able to identify an eligible person (individual) as the applicant. Since DFN-PKI user certificates are issued following Individual Validation, we can use the sender's cryptographic signature on the e-mail, together with their DFN-PKI certificate to identify the applicant as a person (individual). This is why we can't accept signed e-mails from functional mailboxes.
  • as you are required to sign your certificate request by hand (strictly speaking, your declaration of compliance with the certificate policies of the DFN-PKI), we recommend that you also encrypt the above-mentioned e-mail.

The following arrangements apply:

1. User Certificates:

  • You already have a user certificate that is still valid and you need a new one issued:
    Print out the "participant's declaration of compliance to the DFN-PKI certificate policy", sign it by hand, scan it and send it by electronically signed e-mail to ra@rwth-aachen.de
    Note: This e-mail must be sent from the e-mail address for which the certificate is to be issued.
  • You have no valid user certificate:
    Please contact the registration authority by e-mail at ra@rwth-aachen.de.

2. Group Certificates - new application or renewal

Print out the "participant's declaration of compliance to the DFN-PKI certificate policy", sign it by hand, scan it and send it by electronically signed e-mail to ra@rwth-aachen.de
Note: This e-mail must be sent from the applicant's personal e-mail address, not from the functional or group mailbox for which the certificate is needed.

3. Server Certificates - new application and renewal:

Print out the "participant's declaration of compliance to the DFN-PKI certificate policy", sign it by hand, scan it and send it by electronically signed e-mail to ra@rwth-aachen.de
Note: This e-mail must be sent from the applicant's personal e-mail address, not from any functional or group contact e-mail.

Note: please make sure that you scan the "declaration of compliance" with sufficient resolution, so that your handwritten signature is discernible to the naked human eye.

Here you can download the certificate for ra@rwth-aachen.de, in order to be able to send your encrypted e-mail without prior handshake.