Please note: Due to changes in the DFN-PKI portal, we are constantly updating the user instructions.

Public Key Certificates (as defined by X.509) can be used to verify the identity of the owner, and eventually other properties (e.g. email or organisation), of a public cryptographic key (refer to public key cryptography for more technical information).

The cryptographic keys of (TLS/SSL) server certificates allow relevant applications to set up end-to-end encryption between the user application and the server (e.g. TLS, for HTTPS in a Browser, or IPsec for VPN, or SSH).

The RWTH Registration Authority "RWTH RA" is part of the DFN-PKI (Public Key Infrastructure).

The certificate applicant must be associated to the RWTH Aachen University.

Server certificates for the RWTH are issued as of the 16.12.2022 by the GÉANT/TCS (Trusted Certificate Service), the current CA is Sectigo.

The implemented certificate chains end at a built-in Token:

• for GÉANT/TCS several certificate chains are applicable, they all end at the root certificate "AAA Certificate Services" of "Comodo CA Limited".

Root certificates (or built-in Tokens) are anchored within standard browsers and other relevant applications (that is, they belong to the SW installation), thus enabling the automated validation of the certificates lower down the chain.

All server certificates issued by the GÉANT/TCS (currently Sectigo) have following "Key Usages" (X509v3 extensions):

• X509v3 Key Usage: critical
  • Digital Signature, Key Encipherment
• X509v3 Extended Key Usage:
  • TLS Web Server Authentication, TLS Web Client Authentication

All server certificates are valid for 365 days.