Please note

If your institute email address is not displayed in the RA-Portal, please contact your network contact person at your institute.
 
They can/should add your email address into the RA-Portal and send you a challenge email. After redeeming your token, that is after confirming your email address via the link in the challenge email, your institute email address will be shown in the RA-Portal.

The following instructions guide you through the process of requesting and retrieving a user certificate in the RA-Portal (GÉANT/TCS) via your browser.

Before a new user certificate can be applied for, an existing user certificate (from the GÉANT/TCS) must either have been revoked or expired or be valid for less than 28 days.

If you still have a valid user certificate from the DFN-PKI Global, you can continue using it until it expires. There is no immediate need to apply for a new GÉANT/TCS user certificate.

Although you can apply for a new GÉANT/TCS user certificate while still having a valid DFN-PKI certificate, we strongly advice against doing so. The simultaneous use of multiple user certificates for the same email address leads to serious problems with encrypted emails.

During the certificate application process, two files are created and are to be saved locally:

• the certificate request file (.json file), containing your cryptographic keys
• the certificate file including your cryptographic keys (.p12 file)

Both of the above mentioned files contain your cryptographic keys and must be stored password protected (encrypted):

• a .json password for the .json file (certificate request file)
  a .p12 password for the .p12 file (certificate file including cryptographic key)

Be sure to keep these files and passwords safe!

Without the .json file, you cannot generate the .p12 file (for browser-generated RSA keys).

Without the .p12 file, you cannot use your certificate.

After saving the .p12 file, the .json file may be deleted.

1. Log into the RA-Portal via Single Sign-On

• You can only reach the RA-Portal from within the RWTH intranet.
• Your session expires in 30 minutes.
• After 10 minutes of inactivity, you are required to login again.

Select the tab "Meine Client-Zertifikate".

On your first visit, the table showing your existing user certificates will be empty.

2. Confirm email address if necessary

Click the button "+ Client-Zertifikat beantragen".

Your @rwth-aachen.de and @post.rwth-aachen.de email addresses are conveyed automatically to the RA-Portal and are therefore always displayed in the list of email addresses assigned to you.

Your institute email address(es) are only shown, once they have to been "allowed" in the RA-Portal. This is a multistep process:

• The network contact person at your institute has to add your email address into the RA-Portal.
• They have to trigger the sending of a challenge email to you. A challenge email is sent from "ra-portal-noreply@itc.rwth-aachen.de" with Subject "[RA-Portal] Freischaltung für / Access for <email>" and is digitally signed.
• You need to confirm receipt of this email by following the redeem-token-URL and login into the RA-Portal.
• From then on, and for as long as your network contact person allows it, you will see your institute email address in the RA-Portal.

By clicking on the URL in the challenge email, you login (via your browser) to the RA-Portal and your email address is associated with your username. If there are no more pending challenge emails, e.g. aliases for your mailbox, then from this point on you can request certificates for your email address in the RA-Portal. Either immediately or the next time you visit the RA-Portal.

3. Apply for a client certificate by clicking the button

4. No employee or student status?

During single sign-on, your employee/student/member status is conveyed to the RA-Portal. If you do not have an employee or student status, then the RA-Portal will indicate that you must go through an identity verification process before you can proceed with the client certificate application. For instructions, see "Identity verification instructions".

5. Generate a certificate request (with key generation in the browser)

As an alternative to generating your cryptographic keys in the browser, you can also upload a certificate request. This requires the prior generation of your cryptographic keys and CSR file via openssl.

Select the email address for which you want to request a certificate.

"Nicht anfragbar" are email addresses for which a GÉANT/TCS certificates exists and is still valid for more than 28 days. If you need a new certificate for such an email address, you must first revoke this valid certificate. Go back to "Meine Client-Zertifikate".

E-Mail-Konto: Select the email address for which you want to apply for a user certificate. Any aliases for the account are displayed to its right. For @rwth email addresses you may deselect the aliases.

Common Name: For personal email addresses, your name, as conveyed from your IdM data, is shown and used in the certificate request. For functional mailboxes, as of 01.09.2023, the certificate does not include a Common Name.

Von der CA festgelegte Attribute: These attributes/fields are specified by the CA (PKI), apply RWTH-wide and can not be changed by the applicant.

Passwort zum Verschlüsseln des Private Key: Set a password to encrypt your .json file. The .json file contains your cryptographic keys. You need this file and the password to retrieve your certificate. There is no password reset available, so keep the file and it's password safely.

Schlüsselalgorithmus: Select "RSA-4096" (default) or "RSA-2048.

Your Full Name:

• If your IdM name does not match the name in your personal identification document, please contact the central university administration that manages your data in order to have your name corrected, and come back later.
• Please note that (academic) titles cannot be entered on GÉANT/TCS certificates, even if these are part of your name on your identity document.

Pflichtfelder:

• Please confirm that your name, as conveyed from your IdM data, is correct and that you have authorized access to the mailbox.
• Please consent to the processing of your data for the purposes of issuing and managing your user certificate. Please read the text carefully.
• You acknowledge that your certificate is included in the RWTH-LDAP (RWTH internal directory service).

One button three tasks:

1. Generate certificate request in the browser (here your cryptographic keys are generated in the browser).

2. Save the certificate request file locally (here the .json file is saved locally on your computer).

3. Upload your certificate request into the RA-Portal.

Depending on your browser settings, you may be asked where and how to save the .json file. If you do not get a dialog box and/or use the default browser settings, then the .json file is saved in the Downloads folder.

6. Send request or show request?

After you have generated your certificate signing request (application), you have to send (submit) it to the CA (Certification Authority). There are two ways around this.

Sidenote: here is your last chance to save the .json file (again): The .json-file should have been automatically downloaded to your computer in the previous step 5 (check your Downloads folder if necessary). By clicking the "Antragsdatei erneut speichern" button you can request to download it again manually. The .json file is necessary in order to use your certificate later (as it contains your cryptographic keys).

Your certificate signing request (application) must now be sent to the CA (PKI). This can be done in two ways:

• By clicking on the button "Zertifikatsantrag jetzt absenden" your certificate application will be sent to the CA immediately. Proceed to step 8 of this instruction.
• By clicking on the button "Zertifikatsantrag erst anzeigen", you can first check the contents of your certificate signing request before sending it to the CA. Proceed to step 7 of this instruction.

7.  Send the request to the CA

Under "Inhalt des Zertifikatsantrages" you can check the contents of the generated certificate signing request.

Via the trash can icon, you have the option to delete your application.

Via the blue paper airplane icon, you can submit your request to the CA.

8. Application is being processed, waiting for certificate to be issued

You can view the status of your certificate request at any time under the "Meine Client-Zertifikate" menu item. During processing, your application status is "Sent [to the CA], but not issued" and the hourglass icon is displayed.

9. Retrieving the user certificate

After your certificate has been issued by the CA, you should receive an email notification from ra-portal-noreply@itc.rwth-aachen.de. In the RA-Portal, a green check mark will be displayed next to the certificate "status", indicating certificate issued and valid. Your certificate is now available for download by clicking on the blue download button.

Choose the option "Im Browser PKCS#12-Datei generieren".

Option PKCS#7: This is the user certificate with chain. This option is needed if you have generated the certificate request via openssl.

Antragsdatei: Select the certificate request file (.json file) as downloaded in step 6 above.

Passwort zum Entschlüsseln des Private Key: Enter the password for the .json file set in step 5.

Passwort zum Verschlüsseln der PKCS#12-Datei: Set a password for your .p12 file. You need this password to be able to import your .p12 file (and as a consequence your certificate and the corresponding cryptographic keys) into e.g. your email application. Keep this password safe, there is no way to reset it.

PCKS#12-Datei erstellen: Click this button to create the .p12 file and to save it locally.

It is possible to reuse the .json password for the .p12 file. For this purpose, click the box "Gleiches Passwort ... benutzen".

You will receive a confirmation that the .p12-file has been created. If you could not download the file, click the green button "PKCS#12-Datei erneut speichern" .

After you have successfully downloaded and saved the file, you can close the popup.