
Apply for a server certificate via browser



These instructions describe how to apply for a server certificate (X.509, SSL/TLS) at the DFN-PKI via your browser.

Any common, up-to-date browser may be used, e.g. Firefox, Edge (Chrome-based), Chrome, Safari.

PLEASE NOTE: You must safely save the generated .json file (step 4), including the associated password. This is essential in order to be able to retrieve the issued certificate.


Three passwords are needed during the certificate application process:

  • for the certificate revocation (PIN)
  • for the .json file
  • for the generation of the .p12 file

Be sure to remember these.

1. Select the button "request server certificate" under the heading "Server certificate (incl. key generation)" on the DFN-PKI webpage.

Applying for a server certificate

2. Fill in the data to be included in the required certificate.

Application data

Certificate profile: Select the appropriate profile.

CommonName (CN): Enter the FQDN of the (sub)domain for which the certificate should be issued.

Additional subject alternative name (SaN): Enter any additional FQDNs, for which the server certificate should apply, as subject alternative names.

Namespace: for server certificates, preset.


3. Provide data on the person applying for the server certificate.

Personal Note

Your Data (certificate applicant):

Full name: Your full name as shown in your official ID document.

Email: Preferably a functional e-mail account to which you and your standby have access. E-mails from the DFN-PKI are sent to this address.

Department: Complete name of your RWTH institution (e.g.: IT Center, Chair of Computer Science 12).

Revocation PIN: The PIN is required to revoke the received certificate if necessary. Please keep this PIN in a safe place.


Personal note:

This note is saved in the .json file.

You must abide by the DFN-PKI regulations.

You have to agree to the publication of the issued server certificate (Certificate Transparency).

You must agree to the processing of your personal data.

4. Save the generated application data file (JSON) and assign a password for it.

Save certificate application

Check that the certificate data and your data are correct and subsequently select "Save application data file".

This step creates a .json file with the cryptographic keys (RSA keys) and all other submitted information.

The .json file is stored in an encrypted form. You must set a password for this encryption. Prepare to enter the .json password.

Set passphrase

Enter the password with which the .json file will be encrypted/protected.

You must keep the .json file and its password safe.

Both are necessary in order to retrieve the issued certificate.


5. Download certificate application form (PDF) and sign it.

Downloading the certificate application

You need to

  • sign the PDF by hand
  • submit it to the RWTH registration authority

The applicant must submit proof of personal identification.

Here you can also download and save the application data file (JSON) again, should you have failed to do so in step 4.

Application PDF (in German)

Save and/or print the .pdf file. Read it, date it and sign it by hand.


As the contents of the application form (PDF file) are currently not displayed in English, here is a short summary of what you are agreeing to:

  • The certificate may only be installed on servers which are explicitly named under SaN.

  • The private RSA key may only be made accessible to administrators of the server named in the SaN.

  • Every server named in the SaN that has internet access needs to be adequately protected, e.g.
    • The server is located in a secure infrastructure, for instance behind a firewall.
    • The server is professionally run, including the regular installation of security patches.
    • Administrative access to the server and by extension access to the private RSA-key is clearly regulated.

6. Submit the application form in person and go through the required identity verification.

The DFN-PKI certification policy requires that the identity of the applicant be verified by the local registration authority. See Possible Ways of Identity Verification for the options available for submitting your certificate application form.



Here you can read how to collect the certificate:

last changed on 07/08/2022

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License