You are located in service: Public Key Certificates

[only relevant for IT admins] Process Flow: My Email Domains RA Portal

[only relevant for IT admins] Process Flow: My Email Domains RA Portal


Email addresses that lie outside the email domain, have to be imported into the RA-Portal, before their users can apply for user certificates.

Only person belonging to the primary contact group for the respective domain, as listed in, can administer email addresses in the RA-Portal under the tab "Meine E-Mail-Domains".



Email address for which user certificates are to be issued via the RA-Portal:

  • must be entered in the RA-Portal by the respective network contact person for the domain;
  • must receive a challenge email;
  • the recipient of the challenge email must use the received URL in order to link their user ID with their email address in the RA-Portal;
  • after that, the user can request a certificate for the confirmed email address in the RA portal under "Meine Client-Zertifikate".

The network contact person (NAP) can manage the list of allowed email addresses with respect to:

  • each table row must contain an primary (sender) email address, other fields include display name (admin-friendly-name), alias email addresses, personal/functional mailbox type
  • the sender email address (primary) can not be edited
  • the sender email address (and thus the whole line) may be deleted, as long as no challenge emails have been sent
  • include only those alias email addresses, that should/can also send e-mails
  • a challenge email can only be confirmed once
  • one challenge email is sent per email address of a table row
  • challenge emails can be triggered as often as you like per row, the next challenge invalidates the previous one
  • editing the alias email addresses invalidates pending challenges
  • a table row can be deactivated (e.g. user retired, mailbox inactive)
  • if a row is "not active", the network contact person can revoke any valid certificate(s)
  • the network contact person should revoke the certificates of a user who has left their organisation, otherwise the certificate can still be used, to e.g. sign documents
  • if a row is "not active", the user can not apply for further certificates for this email address(es).
  • just reactivating a row does not have to be accompanied by new challenge e-mails, but it may be.
  • the table can be edited manually (i.e. one row at a time) or by uploading a CSV file.

Email recycling is not good practise in the PKI world. But if you must do it, proceed as follows:

  • disable the relevant row
  • revoke any valid certificates
  • edit the row with the new display name
  • activate the row
  • send new challenge emails
  • new user ID will be linked with the old (recycled) email address

What to do if the user's Givenname or Surname changes:

  • If the sender email address of the user has changed
    • deactivate the old row
    • revoke any user certificates
    • create new row, with the new sender e-mail address
    • send your challenges
    • old user ID is linked to the new email address
  • if the sender email address has not changed
    • deactivate relevant row
    • revoke any user certificates
    • edit Admin-Friendly-Name (has no effect on CN, as it comes from IdM)
    • reactivate row
    • old user ID remains linked to email address, you don't need to send new challenges, unless you have edited the aliases
Dealing with functional mailboxes

In the CSV file

  • set the mailbox type to "functional"
  • the column "Last Name" will be the Admin-Friendly-Name in your table, leave "First Name" empty
  • the column "Applicant E-Mail" is the certificate applicant, should be a real person, and will receive the challenge email for the functional address

Since 1.9.2023 user certificates for functional email addresses only contain the functional email address in the Subject an do not contain a Common Name anymore.

Confirming the challenge email links the user ID of the applicant with the functional email address in the RA-Portal. This person will then also see the corresponding functional email address under "Meine Client-Zertifikate" and can apply for certificates for it.

If you want to change which person may apply for the user certificate for a given functional email address (i.e. the applicant email), proceed as follows:

  • deactivate the row
  • edit the "Applicant E-Mail"
  • revoke the certificate if necessary
  • activate the row
  • send a new challenge email
  • the new applicant links their user ID with the functional email address in the RA-Portal
  • all previously issued certificates remain linked (i.e. can be seen) by the previous applicant only


Relevant instructions:

last changed on 10/26/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License