Three passwords are needed during the certificate application process:

• for the certificate revocation (PIN)
• for the .json file
• for the generation of the .p12 file

Be sure to remember these.

Certificate profile: Select the appropriate profile.

CommonName (CN): Enter the FQDN of the (sub)domain for which the certificate should be issued.

Additional subject alternative name (SaN): Enter any additional FQDNs, for which the server certificate should apply, as subject alternative names.

Namespace: for server certificates, preset.

Your Data (certificate applicant):

Full name: Your full name as shown in your official ID document.

Email: Preferably a functional e-mail account, to which you and your standby have access. E-Mails from the DFN-PKI are addressed to this e-mail.

Department: Complete name of your RWTH institution (e.g.: IT Center, Chair of Computer Science 12).

Revocation PIN: The PIN is required to revoke the received certificate if necessary. Please keep this PIN in a safe place.

Personal note:

This note is saved in the .json file.

You must abide by the DFN-PKI regulations.

You have to agree to the publication of the issued server certificate (Certificate Transparency).

You must agree to the processing of your personal data.

Check that the certificate data and your data are correct and subsequently select "Save application data file".

This step creates a .json file with the cryptographic keys (RSA keys) and all other submitted information.

The .json file is stored in an encrypted form. You must set a password for this encryption. Prepare to enter the .json password.

Enter the password with which the .json file will be encrypted/protected.

You must keep the .json file and its password safe.

Both are necessary in order to retrieve the issued certificate.

You need to

• sing the PDF by hand
• submit it to the RWTH registration authority

The applicant must submit proof of personal identification.

Here you can also download and save the application data file (JSON) again, should you have failed to do so in step 4.

Save and/or print the .pdf file. Read it, date it and sign it by hand.

As the contents of the application form (PDF file) are currently not displayed in English, here is a short summary of what you are agreeing to:

• The certificate may only be installed on servers which are explicitly named under SaN.

• The private RSA key is only allowed to be made accessible to administrators of the im SaN named server.

• Every im SaN named Server, with internet access, needs to be adequately protected, e.g.
  • The server is located in a secure infrastructure, for instance behind a firewall.
  • The server is professionally run, including the regular installation of security patches.
  • Administrative access to the server and by extension access to the private RSA-key is clearly regulated.

The DFN-PKI certification policy requires that the identity of the applicant be verified by the local registration authority, see Possible Ways of Identity Verification options in order to submit your certificate application form.