You are located in service: Certificates

With OpenSSL/LibreSSL

With OpenSSL/LibreSSL


1. generate RSA keys

PRIVATE_KEY_FILEName of the file for the RSA key pair, incl. private keye.g. "private.key
KEY_LENGTHLength of the RSA keyat least 2048 bit
openssl genrsa -out $PRIVATE_KEY_FILE $KEY_LENGTH chmod 400 $PRIVATE_KEY_FILE

2. generate Certificate Signing Request (CSR)

CERTIFICATE_SIGNING_REQUESTCSR file name.e.g."request.pem"
ORGANISATIONName of the organizational unit within the RWTHe.g. "IT Center"
FORENAMEFirst name(s)e.g. "Max Udo"
SURNAMELast name(s)e.g. "Mustermann"
EMAIL_ADDRESS_1primary email addresse.g.. ""
EMAIL_ADDRESS_2further e-mail address within the above organizational unit    e.g.""

Create a CSR for a single e-mail address:

openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/GN=$FORENAME/SN=$SURNAME/emailAddress=$EMAIL_ADDRESS_1"


Create a CSR with multiple email addresses:

openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/GN=$FORENAME/SN=$SURNAME" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=email:$EMAIL_ADDRESS_1,email:$EMAIL_ADDRESS_2"))

3. check Certificate Signing Request

openssl req -text -noout -in $CERTIFICATE_SIGNING_REQUEST

4. submit certificate application (here without pictures or detailed instructions)

  1. Open the DFN-PKI web portal in the browser of your choice (not IE).
  2. Select the "Upload CSR (PKCS#10) file" box.
  3. Select certificate profile "User".
  4. Select "Browse" to upload your "CSR (PKCS#10) file", this is the $CERTIFICATE_SIGNING_REQUEST file generated above.
  5. "Your data" is the the data about the applicant.
  6. The "Revocation PIN" is needed for possible revocation of the issued certificate.
  7. "Publication of the certificate" is optional, used for storing your issued user certificate in the DFN-PKI LDAP server.
  8. Saving the .json file is not necessary, as your RSA keys were not generated by the browser.
  9. Save/print the .pdf file, read, date and sign it.
  10. Submit your certificate application (.pdf) for personal ID check to the RWTH registration authority.

5. receiving your user certificate

You will receive a digitally signed e-mail (sender: with a link to pick up your certificate.

This email also contains your user certificate as a .pem file. Save this file locally.

CERTIFICATE_FILEName of the file with the issued certificatee.g. cert-1234567890.pem

Public RSA Key in certificate should match your stored public key:

(openssl rsa -noout -modulus -in $PRIVATE_KEY_FILE | openssl md5; openssl x509 -noout -modulus -in $CERTIFICATE_FILE | openssl md5) | uniq

Check the Attributes of your user certificate:

openssl x509 -in $CERTIFICATE_FILE -text -noout

6. create your .p12-file

You will need to create a .p12-file, containing your user certificate ($CERTIFICATE_FILE) and your RSA keys ($PRIVATE_KEY_FILE), to be able to import those in various applications that generate cryptographic signatures. The .p12-file should be kept secure and remain in your possession for a long time.

EXPORT_FILEName of the .p12 filee.g. mustermann_itc_20221007.p12
chain.txtFile with the certificate chain of the DFN-PKI. Download here. 
wget openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE -certfile chain.txt

7. Use your .p12-file

Depending on the desired usage (digitally signing e-mails or PDF documents) your EXPORT_FILE should be imported into the certificate store of the respective application, e.g..

  • Thunderbird
  • Outlook
  • Adobe Acrobat
  • JSignPDF

    last changed on 03/27/2023

    How did this content help you?

    Creative Commons Lizenzvertrag
    This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License