[only relevant for IT admins] Process Flow: My Email Domains RA-Portal

This page provides an overview of the features available in the section Meine E-Mail-Domains (my email domains).
To view this section and specific email domains, you must be a member of the primary contact group for that domain (network contact).
- Activate email addresses for users
- Manage the domain’s email address
- Reuse an email address
- Name change
- Functional email addresses
Activate email addresses for users
To allow users to request user certificates via the RA-Portal, the following steps are required:
- Email addresses must be entered into the RA-Portal by the network administrator (manually or via CSV import).
- A challenge email must be sent from the RA-Portal for each email address.
The user associated with the challenge email address must confirm the challenge email to link their username to the email address in the RA-Portal. Users can then apply for a user certificate.
Manage the domain’s email address
The network contact person (NAP) can manage the list of allowed email addresses. The following rules apply:
- each table row must contain a primary (sender) email address; the other fields are the display name (Admin-Friendly-Name), up to 2 alias email addresses, and the mailbox type (personal or functional)
- the primary (sender) email address cannot be edited
- the primary email address (and thus the whole row) can be deleted as long as no challenge emails have been sent for it
- include only those alias email addresses (a maximum of 2) that should or can also send email
- a challenge email can only be confirmed once
- one challenge email is sent per email address of each table row
- challenge emails can be triggered as often as you like per row; each new challenge invalidates the previous one
- editing the alias email addresses invalidates pending challenges for the row
- a table row can be deactivated (e.g. user retired, mailbox inactive)
- if a row is "not active", the network contact person can revoke any valid certificate(s)
- the network contact person should revoke the certificates of a user who has left the organisation; otherwise the certificates remain valid and can still be used, e.g. to sign documents
- if a row is "not active", the user cannot apply for further certificates for its email address(es)
- reactivating a row does not by itself require new challenge emails, but they may be sent
- the table can be edited manually (i.e. one row at a time) or by uploading a CSV file
Using the available API, the following tasks can be automated:
- list, create, update email addresses
- send challenge emails
- revoke a client certificate
Reuse an email address
We strongly advise against reusing an email address. If you do so anyway, please follow these steps:
- disable the relevant row
- revoke any valid certificates
- edit the row with the new display name
- activate the row
- send new challenge emails
- the new user ID is then linked to the old (recycled) email address
Name change
If a user changes their name, you have the following options:
- If the sender email address of the user has changed:
  - deactivate the old row
  - revoke any user certificates
  - create a new row with the new sender email address
  - send your challenges
  - the old user ID is then linked to the new email address
- If the sender email address has not changed:
  - deactivate the relevant row
  - revoke any user certificates
  - edit the Admin-Friendly-Name (this has no effect on the CN in the user certificate, which comes from the IdM)
  - reactivate the row
  - the old user ID remains linked to the email address; you don't need to send new challenges unless you have edited the aliases
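The row rules listed under "Manage the domain's email address" and the reuse and name-change steps above, as a small Python model. This is an added example, not the RA-Portal's own code: it encodes only the rules the page states (a challenge is confirmed at most once, a new challenge invalidates the previous one, an inactive row cannot apply for certificates, revocation is a separate explicit step). The token format, the Certificate class and the sample names are assumptions. Running demo() shows that a superseded challenge token and a second confirmation are both rejected, and that skipping the revocation step leaves the previous user's certificate usable after the address has been handed to someone else:

```python
"""Model of one RA-Portal email-address row as described on this page.
Added example, not the portal's own code: it encodes the stated rules
(a challenge is confirmed at most once, a new challenge invalidates the
previous one, an inactive row cannot apply, revocation is a separate
explicit step) so the reuse and name-change steps can be walked through.
Token format, the Certificate class and the sample names are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Certificate:
    email: str
    user_id: str
    revoked: bool = False


@dataclass
class Row:
    primary: str                  # sender address; never edited
    display_name: str             # Admin-Friendly-Name
    active: bool = True
    linked_user: Optional[str] = None
    pending_challenge: Optional[str] = None   # token of the latest challenge
    certificates: list = field(default_factory=list)

    def send_challenge(self) -> str:
        """Issue a fresh challenge; any earlier token stops working."""
        self.pending_challenge = secrets.token_urlsafe(16)
        return self.pending_challenge

    def confirm_challenge(self, token: str, user_id: str) -> bool:
        """Link user_id to the row iff token is the outstanding one (once only)."""
        if not self.active or token != self.pending_challenge:
            return False
        self.pending_challenge = None
        self.linked_user = user_id
        return True

    def deactivate(self) -> None:
        self.active = False

    def activate(self) -> None:
        self.active = True

    def revoke_all(self) -> int:
        """Revoke every still-valid certificate of the row; returns the count."""
        live = [c for c in self.certificates if not c.revoked]
        for c in live:
            c.revoked = True
        return len(live)

    def apply_for_certificate(self) -> Certificate:
        if not self.active or self.linked_user is None:
            raise PermissionError("row inactive or no confirmed user")
        cert = Certificate(self.primary, self.linked_user)
        self.certificates.append(cert)
        return cert


def usable_certs(row: Row, user_id: str) -> list:
    return [c for c in row.certificates if c.user_id == user_id and not c.revoked]


def reuse_address(row: Row, new_name: str, new_user: str, revoke: bool = True) -> bool:
    """The 'Reuse an email address' steps above; revoke=False skips the
    revocation step to show why the page insists on it."""
    row.deactivate()
    if revoke:
        row.revoke_all()
    row.display_name = new_name
    row.activate()
    return row.confirm_challenge(row.send_challenge(), new_user)


def demo() -> dict:
    row = Row("pm@example.org", "Alice Example")
    old_token = row.send_challenge()
    new_token = row.send_challenge()                      # supersedes old_token
    stale = row.confirm_challenge(old_token, "alice")     # False
    linked = row.confirm_challenge(new_token, "alice")    # True
    replay = row.confirm_challenge(new_token, "mallory")  # False: once only
    row.apply_for_certificate()
    careless = Row("fn@example.org", "Carol Example", linked_user="carol")
    careless.apply_for_certificate()
    reuse_address(careless, "Dave Example", "dave", revoke=False)
    reuse_address(row, "Bob Example", "bob")
    return {
        "stale_accepted": stale,
        "linked": linked,
        "replay_accepted": replay,
        "alice_usable_after_reuse": len(usable_certs(row, "alice")),
        "carol_usable_without_revoke": len(usable_certs(careless, "carol")),
        "new_owner": row.linked_user,
    }
```

The name-change case with an unchanged sender address uses the same operations (deactivate, revoke_all, change display_name, activate) without a new challenge; the case with a changed sender address is a new Row plus send_challenge and confirm_challenge. The model makes the point of the caveat in the rules above explicit: nothing in the procedure revokes certificates implicitly, so a forgotten revoke_all() leaves the previous owner's certificate valid.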
Functional email addresses
Since 1 September 2023, user certificates for functional email addresses contain only the functional email address in the Subject and no longer contain a Common Name.
To enable a certificate request for a functional email address, that address must be linked to a person. For this purpose, a challenge email is sent to the email address of the designated person. That person then acts as the applicant and can see the functional email address under Meine Client-Zertifikate (my client certificates).
The applicant’s email address can be entered in the CSV file:
- set the mailbox type to "functional"
- the column "Last Name" becomes the Admin-Friendly-Name in your table; leave "First Name" empty
- the column "Applicant E-Mail" is the certificate applicant; it should be a real person and will receive the challenge email for the functional address
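A pre-upload check for the CSV file, combining the row constraints from "Manage the domain's email address" (primary address required, at most two aliases, one row per address) with the functional-mailbox columns just listed. This is an added example, not the portal's own tooling. The page names only the columns "First Name", "Last Name" and "Applicant E-Mail" and the mailbox type "functional"; the other header names ("Primary E-Mail", "Alias 1", "Alias 2", "Mailbox Type"), the value "personal", the check that every address lies in a domain you manage, and the sample rows are assumptions to be matched against the portal's CSV template:

```python
"""Pre-upload checks for an RA-Portal email-address CSV.

Added example, not the RA-Portal's own code. The page names the columns
"First Name", "Last Name", "Applicant E-Mail" and the mailbox type
"functional"; the remaining header names below ("Primary E-Mail",
"Alias 1", "Alias 2", "Mailbox Type"), the value "personal" and the
managed-domain check are assumptions and must be matched to the portal's
CSV template.
"""
import csv
import io
import re

# Assumed header names (see module docstring).
COL_PRIMARY = "Primary E-Mail"
COL_ALIASES = ("Alias 1", "Alias 2")   # the portal allows at most 2 aliases
COL_FIRST = "First Name"
COL_LAST = "Last Name"
COL_TYPE = "Mailbox Type"
COL_APPLICANT = "Applicant E-Mail"
MAILBOX_TYPES = {"personal", "functional"}

# Deliberately simple: one '@', no whitespace, a dot in the domain part.
_ADDR_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def parse_csv(text: str) -> list:
    """Read the CSV into a list of row dicts; values are whitespace-stripped."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def validate_rows(rows: list, managed_domains: set) -> list:
    """Return one message per violation; an empty list means the file is clean.

    managed_domains: the domains the network contact is responsible for
    (assumption: addresses outside them are rejected before upload).
    """
    errors = []
    seen_primary = set()
    for n, row in enumerate(rows, start=2):   # line 1 is the header
        where = f"line {n}"
        primary = row.get(COL_PRIMARY, "").lower()
        if not primary:
            errors.append(f"{where}: primary (sender) address missing")
            continue
        if not _ADDR_RE.match(primary):
            errors.append(f"{where}: primary address {primary!r} is malformed")
            continue
        if primary in seen_primary:   # assumption: one row per primary address
            errors.append(f"{where}: duplicate primary address {primary}")
        seen_primary.add(primary)

        addrs = [primary]
        for col in COL_ALIASES:
            alias = row.get(col, "").lower()
            if not alias:
                continue
            if not _ADDR_RE.match(alias):
                errors.append(f"{where}: alias {alias!r} is malformed")
            elif alias in addrs:
                errors.append(f"{where}: alias {alias} repeats another address in the row")
            addrs.append(alias)

        for a in addrs:
            if _ADDR_RE.match(a) and _domain(a) not in managed_domains:
                errors.append(f"{where}: {a} is not in a domain you manage")

        mtype = row.get(COL_TYPE, "").lower()
        if mtype not in MAILBOX_TYPES:
            errors.append(f"{where}: unknown mailbox type {mtype!r}")
        elif mtype == "functional":
            applicant = row.get(COL_APPLICANT, "").lower()
            if not applicant or not _ADDR_RE.match(applicant):
                errors.append(f"{where}: functional row needs a valid Applicant E-Mail")
            elif applicant in addrs:   # "should be a real person", not the mailbox itself
                errors.append(f"{where}: applicant must be a person, not the functional address")
            if not row.get(COL_LAST):
                errors.append(f"{where}: functional row needs Last Name (Admin-Friendly-Name)")
            if row.get(COL_FIRST):
                errors.append(f"{where}: functional row must leave First Name empty")
    return errors


# Constructed sample file: lines 2 and 3 are fine, lines 4 and 5 violate rules.
SAMPLE_CSV = """\
Primary E-Mail,Alias 1,Alias 2,First Name,Last Name,Mailbox Type,Applicant E-Mail
erika.musterfrau@example.org,e.musterfrau@example.org,,Erika,Musterfrau,personal,
helpdesk@example.org,,,,Helpdesk Team,functional,erika.musterfrau@example.org
max.mustermann@example.org,max.mustermann@example.org,,Max,Mustermann,personal,
it-security@example.org,,,Security,IT Security Team,functional,
"""


def check_sample() -> list:
    return validate_rows(parse_csv(SAMPLE_CSV), {"example.org"})


if __name__ == "__main__":
    for msg in check_sample() or ["no violations"]:
        print(msg)
```

Run it against your own file before uploading; it catches the mistakes the rules above describe (an alias that duplicates the primary address, a functional row without an applicant or with a first name) but does not replace the portal's own validation of the upload.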
If you want to change which person may apply for the user certificate for a given functional email address (i.e. the applicant email), proceed as follows:
- deactivate the row
- edit the "Applicant E-Mail"
- revoke the certificate if necessary
- activate the row
- send a new challenge email
- the new applicant links their user ID with the functional email address in RA-Portal
- all previously issued certificates remain linked to (i.e. visible to) the previous applicant only

