
With OpenSSL/LibreSSL


  1. generate RSA key

    PRIVATE_KEY_FILE: file name for the private RSA key, e.g. private.key
    KEY_LENGTH: length of the RSA key, minimum 2048 bit

    openssl genrsa -out $PRIVATE_KEY_FILE $KEY_LENGTH
    chmod 400 $PRIVATE_KEY_FILE

    The chmod makes the private key readable by its owner only; it must never be handed to anyone else.

  2. create certificate signing request


    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_SIGNING_REQUEST: file name for the certificate signing request, e.g. user.csr
    ORGANISATION: organization name, e.g. IT Center
    FORENAME: first name(s), e.g. John
    SURNAME: surname, e.g. Doe
    EMAIL_ADDRESS_1: primary e-mail address
    EMAIL_ADDRESS_2 ...: additional e-mail address(es)
    1. one e-mail address

      openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME/emailAddress=$EMAIL_ADDRESS_1"

    2. multiple e-mail addresses

      openssl req -new -key $PRIVATE_KEY_FILE -out $CERTIFICATE_SIGNING_REQUEST -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=email:$EMAIL_ADDRESS_1,email:$EMAIL_ADDRESS_2"))

  3. check the certificate signing request


    CERTIFICATE_SIGNING_REQUEST: file name containing the certificate signing request, e.g. user.csr

    openssl req -text -noout -in $CERTIFICATE_SIGNING_REQUEST

  4. submit certificate signing request
    • go to the DFN website for server certificates in the browser of your choice
    • enter there

      Name (Vor- und Nachname): first and last name
      PIN: random number, needed for example to revoke the certificate
      Veröffentlichung (publication): check if wanted; the user certificate can then be found via the DFN address book

    • confirm this information on the following page if it is correct
  5. the PDF file "Zertifikatsantrag auf Nutzerzertifikat" (application for a user certificate)

    1. will be made available for download after confirmation of the information
    2. must be printed out and signed by hand
    3. can be submitted in person at a named location upon presentation of a photo ID
  6. as soon as the RWTH-CA has checked the printed PDF document, it issues the order to create the certificate as part of the DFN-PKI
  7. the user will receive an e-mail addressed to EMAIL_ADDRESS_1 with the certificate attached
  8. check whether the certificate matches your own/private key


    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_FILE: file name containing the certificate

    (openssl rsa -noout -modulus -in $PRIVATE_KEY_FILE | openssl md5; openssl x509 -noout -modulus -in $CERTIFICATE_FILE | openssl md5) | uniq

    Both commands print the MD5 of the RSA modulus; if key and certificate belong together, uniq collapses the two identical lines into one. Two different lines mean the certificate was issued for a different key.

  9. create export/.p12 file


    EXPORT_FILE: file name for the export/.p12 file, e.g. $SURNAME.p12
    PRIVATE_KEY_FILE: file name containing the private RSA key
    CERTIFICATE_FILE: file name containing the certificate
    chain.txt: file name containing the DFN-PKI key chain
    • without key chain

      openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE

    • with key chain

      openssl pkcs12 -export -out $EXPORT_FILE -inkey $PRIVATE_KEY_FILE -in $CERTIFICATE_FILE -certfile chain.txt

    openssl asks for an export password; it protects the private key inside the .p12 file and is needed again when importing.

  10. depending on the application request (signing an e-mail or PDF document), this EXPORT_FILE can be imported into the certificate store of the respective program, e.g.
    • Thunderbird
    • Outlook
    • Adobe Acrobat
    • JSignPDF
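The local parts of this procedure (steps 1-3, 8 and 9) as one runnable script, added here as an example and not taken from the IT Center page. It assumes bash and an openssl or libressl binary on PATH; the SAN section is written to a temporary config file rather than spliced onto /etc/ssl/openssl.cnf, so it also works where that file lives elsewhere. Because the certificate in steps 4-7 is issued by the DFN-PKI after the paper application, the script self-signs the CSR as a stand-in so that the matching check and the .p12 export can be exercised offline; the names, addresses and password are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the IT Center page): steps 1-3, 8 and 9 as
# shell functions that can be checked individually.
# Assumes bash and openssl/libressl on PATH. The CA-issued certificate
# of steps 4-7 is replaced by a self-signed stand-in; all values below
# are constructed samples.
set -eu

WORKDIR="$(mktemp -d)"
PRIVATE_KEY_FILE="$WORKDIR/private.key"
CERTIFICATE_SIGNING_REQUEST="$WORKDIR/user.csr"
CERTIFICATE_FILE="$WORKDIR/user.crt"
EXPORT_FILE="$WORKDIR/doe.p12"
KEY_LENGTH=2048
ORGANISATION="IT Center"
FORENAME="John"
SURNAME="Doe"
EMAIL_ADDRESS_1="john.doe@example.org"   # constructed
EMAIL_ADDRESS_2="j.doe@example.org"      # constructed

# Step 1: private key, readable by its owner only. rm -f first so the
# function can be rerun even though the previous file is mode 400.
generate_key() {
  local key="${1:-$PRIVATE_KEY_FILE}"
  rm -f "$key"
  openssl genrsa -out "$key" "$KEY_LENGTH" 2>/dev/null
  chmod 400 "$key"
}

# Step 2, multi-address variant: the SAN section lives in a small config
# file instead of a <( ... ) pipe.
create_csr() {
  local cfg="$WORKDIR/csr.cnf"
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = SAN
[dn]
[SAN]
subjectAltName = email:${EMAIL_ADDRESS_1},email:${EMAIL_ADDRESS_2}
EOF
  openssl req -new -key "$PRIVATE_KEY_FILE" -out "$CERTIFICATE_SIGNING_REQUEST" \
    -batch -config "$cfg" -reqexts SAN \
    -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/OU=$ORGANISATION/CN=$FORENAME $SURNAME"
}

# Step 3: return 0 only if both addresses really ended up in the CSR.
csr_has_emails() {
  local text
  text="$(openssl req -text -noout -in "$CERTIFICATE_SIGNING_REQUEST")"
  case "$text" in
    *"email:$EMAIL_ADDRESS_1"*"email:$EMAIL_ADDRESS_2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-in for steps 4-7 (NOT the DFN-PKI): self-sign the CSR for one day.
issue_test_certificate() {
  openssl x509 -req -in "$CERTIFICATE_SIGNING_REQUEST" -signkey "$PRIVATE_KEY_FILE" \
    -days 1 -out "$CERTIFICATE_FILE" 2>/dev/null
}

# Step 8: the page's modulus comparison as a function.
# 0 = key and certificate belong together, 1 = mismatch.
key_matches_cert() {
  local key="$1" cert="$2" k c
  k="$(openssl rsa -noout -modulus -in "$key" | openssl md5)"
  c="$(openssl x509 -noout -modulus -in "$cert" | openssl md5)"
  [ "$k" = "$c" ]
}

# Step 9 (without chain): export to PKCS#12 with the password passed
# explicitly instead of interactively; keep the file owner-only.
export_p12() {
  local password="$1"
  openssl pkcs12 -export -out "$EXPORT_FILE" -inkey "$PRIVATE_KEY_FILE" \
    -in "$CERTIFICATE_FILE" -passout "pass:$password"
  chmod 600 "$EXPORT_FILE"
}

# Does the .p12 open with this password? 0 = yes, 1 = wrong password.
p12_opens_with() {
  openssl pkcs12 -in "$EXPORT_FILE" -noout -passin "pass:$1" >/dev/null 2>&1
}

main() {
  generate_key
  create_csr
  csr_has_emails && echo "CSR carries both addresses"
  issue_test_certificate
  key_matches_cert "$PRIVATE_KEY_FILE" "$CERTIFICATE_FILE" && echo "key matches certificate"
  export_p12 "changeit"
  p12_opens_with "changeit" && echo "exported $EXPORT_FILE"
}
main
```

For the real certificate, replace issue_test_certificate with the file received by e-mail in step 7 and rerun key_matches_cert on it before exporting. With OpenSSL 3 the .p12 is written with AES-256 and PBKDF2 by default; if an older importer rejects it, openssl pkcs12 offers a -legacy option that falls back to the older encryption.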

last changed on 01/29/2021

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License