You are located in service: Public Key Certificates

Client certificate with own CSR RA-Portal

Client certificate with own CSR RA-Portal


You can use openssl to generate your RSA keys and your own certificate signing request for your user certificate. The CSR can then be uploaded into the RA-Portal.


Step 1:

Log in to the RA-Portal (via SSO). The RA-Portal is only accessible within the RWTH intranets.

Check how your given name and surname are passed on from the Identity Management of the RWTH. Your certificate will be issued for this given name and surname combination.

Navigate to the tab "Meine Client-Zertifikate".

On your first visit, the list of your user certificates should be blank.

Select "+ Client-Zertifikat beantragen"

Step 2:

Requests can only be generated for email addresses that are assigned to you.

Use the help link to display the needed openssl commands (step 3).

"Nicht anfragbar" are email addresses for which a certificate exists in GÉANT/TCS, that is still valid for more than 28 days. If you need a new certificate for such an email address, you must first revoke the valid certificate. Go back to "Meine Client-Zertifikate".


Step 3: Your are now under "OpenSSL-Befehlsgenerator"

Select the email address for which you want to apply for a user certificate. For personal mailboxes the common name is provided by IdM, for functional mailboxes there is no common name in the issued certificate.

Click on "Generieren" to display the relevant openssl commands.

openssl genrsa -out private_key.pem 4096
openssl req -new -utf8 -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=RWTH Aachen University/" -addext ""

Step 4:

RSA-2048 and RSA-4096 (recommended) are both allowed. For your CSR, use the openssl command displayed.


Step 5:

o Go back to step 2

o Select your generated CSR file

o Agree to "name correct", "process my data", "ldap" (oversimplified here)

o Click on "Clientzertifikatsantrag hochladen"

Step 6:

Make sure the information under "Inhalt des Zertifikatsantrags" is correct.

You may still delete your certificate application via the trash can icon.

If you do want the certificate, you need to send your request to the certification authority via the paper airplane icon.

Step 7:

The hourglass icon shows that the certificate still needs to be issued. Status is "Sent, but not yet issued".

Step 8:

Status icon has changed to a green checkmark, i.e. the certificate is issued and valid, it can now be downloaded. Select the option "Download in PKCS#7 format".

openssl pkcs12 -export -in cert.pem -inkey private.pem -certfile cert_chain.pem -out cert.p12 -passin pass:<passin> -passout pass:<passout>

Step 9:

You need to split the PKCS#7 into cert.pem (your user certificate) and cert_chain.pem (the certificate chain).

You need to use openssl to create a .p12 file from your private.pem (step 4), your cert.pem, and your cert_chain.pem.

<passin> is the password for the private.pem and <passout> is the password for the .p12 file.


last changed on 10/26/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License