Three passwords are to be assigned during the certificate creation process:

• for the certificate revocation (revocation-PIN)
• for the .json file (json-password)
• for the backup of the .p12 file (p12-password)

Be sure to remember these.

Certificate profile: Select the appropriate profile.

Use the "Browse" button do select your CSR file.

Your Data:

Full name: Your full name as shown in your official ID document.

Email: Preferably a functional e-mail address, to which you and your standby have access. Here you receive all e-mail communication pertinent to your certificate application.

Department: Complete name of your RWTH institution (e.g.: IT Center, Chair of Computer Science 12).

Revocation PIN: The PIN is required to revoke the received certificate if necessary. Please keep this PIN in a safe place.

Personal note:

This note is saved in the .json file.

You have to abide by the DFN-PKI regulations.

You have to agree to the publication of the issued certificate (Certificate Transparency).

You must agree to the processing of your personal data.

Check that your data is correct and subsequently select "Save application data file".

This step creates a .json file with only the public RSA keys and any information pertaining to the applicant. This file is an artefact of the process to submit a server certificate application and have the browser generate all RSA-keys.

The .json file is stored in an encrypted form. You must set a password for this encryption. Prepare to enter the .json password.

Enter the password with which the .json file will be encrypted/protected.

You may keep the .json file, but it is not needed later on.

You need the submit the .pdf file to the RWTH registration authority (RA).

Here you can also download and save the application data file (JSON) again, should you have failed to do so in step 4.

Save and/or print the .pdf file. Read it, date it and sign it by hand.

As the contents of the application form (PDF file) are currently not displayed in English, here is a short summary of what you are agreeing to:

• The certificate may only be installed on servers explicitly listen under SaN.

• The private RSA key may only be made accessible to administrators of the servers named under SaN.

• Every server named under SaN and accessible via the internet needs to be adequately protected, e.g.:
  • The server is located behind a secure infrastructure, e.g. firewall.
  • The server is administered appropriately, including regular installation of security updates.
  • Administrative access to the server, and by extension to the the private RSA-key, is clearly and strictly regulated.

The DFN-PKI certification policy requires that the identity of the applicant be verified by the local registration authority, see Possible Ways of Identity Verification options in order to submit your certificate application form.