
User certificates RA-Portal


Please note

The application for user certificates is currently not possible. For more information, please visit our maintenance page.
 

Please note:
If your institute email address is not displayed in the RA-Portal, please contact your network contact person (IT administrator) at your institute.
They can/should add your email address into the RA-Portal and send you a challenge email. After redeeming your token, that is after confirming your email address via the link in the challenge email, your institute email address will be shown in the RA-Portal.

The following instructions describe how to apply for and collect a user certificate (also known as S/MIME certificate) in the RA-Portal (GÉANT/TCS) via your browser:

Please note:

  • An existing user certificate from GÉANT/TCS must either be revoked, expired or valid for less than 28 days before a new one can be requested.
  • An existing user certificate from the DFN-PKI Global can continue to be used until the expiration date. The RA-Portal does not recognize DFN-PKI certificates and therefore does not prevent the issuance of another user certificate in the GÉANT/TCS. However, the simultaneous use of several user certificates for one email address is not recommended and leads to considerable problems with email encryption.

Detailinformation

Before a new user certificate can be applied for, an existing user certificate (from the GÉANT/TCS) must either have been revoked or have expired or only be valid for less than 28 days.

If you still have a valid user certificate from the DFN-PKI Global (potentially until August 2026), you can continue using it until it expires.

You can apply for a new GÉANT/TCS user certificate while still having a valid DFN-PKI certificate. The simultaneous use of multiple user certificates for the same email address leads to serious problems with encrypted emails. Therefore, we strongly recommend that you revoke the older user certificate.

During the certificate application process, two files are created and are to be saved locally:

  • the certificate request file (.json file), containing your cryptographic keys
  • the certificate file including your cryptographic keys (.p12 file)

Both of the above mentioned files contain your cryptographic keys and must be stored password protected (encrypted):

  • a .json password for the .json file (certificate request file)
  • a .p12 password for the .p12 file (certificate file including cryptographic key)

Be sure to keep these files and passwords safe!

Without the .json file, you cannot generate the .p12 file (for browser-generated RSA keys).

Without the .p12 file, you cannot use your certificate.

After saving the .p12 file, the .json file may be deleted.

 

Request user certificate

1. Log into the RA-Portal via Single Sign-On

  • You can only reach the RA-Portal from within the RWTH intranet.
  • Your session expires after 60 minutes.

During the single sign-on, your employee/student/member status is transmitted to the RA-Portal. If you do not have an employee or student status, the RA-Portal will tell you that you need to carry out an identity check before you can continue with the client certificate application. You can find instructions under “Identity verification”.

 

2. Select the tab "Meine Client-Zertifikate" (my client certificates)

On the first visit, the table of your own client certificates is empty.

3. Click the button "+ Client-Zertifikat beantragen"

Client-Zertifikat beantragen

 

4. Check whether the email address for which you want to request a certificate is activated

Your @rwth-aachen.de and @post.rwth-aachen.de email addresses are conveyed automatically to the RA-Portal and are therefore always displayed in the list of email addresses assigned to you.

Your institute email address(es) are only shown once they have been "allowed" in the RA-Portal. This is a multistep process:

  • The network contact person at your institute has to add your email address into the RA-Portal.
  • They have to trigger the sending of a challenge email to you. A challenge email is sent from "ra-portal-noreply@itc.rwth-aachen.de" with Subject "[RA-Portal] Freischaltung für / Access for <email>" and is digitally signed.
  • You need to confirm receipt of this email by following the redeem-token-URL and logging into the RA-Portal.
  • From then on, and for as long as your network contact person allows it, you will see your institute email address in the RA-Portal.

By clicking on the redeem-token-URL in the challenge email, you log in (via your browser) to the RA-Portal and your email address is associated with your username. If there are no more pending challenge emails (e.g. for aliases of your mailbox), you can request certificates for your email address in the RA-Portal from this point on, either immediately or the next time you visit the RA-Portal.

Confirmation of the email address

5. Generate a certificate request (with key generation in the browser)

As an alternative to generating your cryptographic keys in the browser, you can also upload a certificate request. This requires the prior generation of your cryptographic keys and a CSR file via openssl.

Select the email address for which you want to request a certificate.

  • Aliases for @rwth-aachen.de addresses can be deselected.
  • “Not requestable” are email addresses for which a valid certificate exists in the GÉANT/TCS that is valid for more than 28 days. If you need a new certificate for such an email address, you must first revoke the valid certificate. To do this, go back to “My client certificates”.

The “Common Name” field:

  • For personal email addresses, your name is automatically filled in from your Identity Management data as soon as you have selected that email account.
  • For functional email addresses, no Common Name is allowed in the user certificate (effective 01.09.2023).

The field "Von der CA festgelegte Attribute": These attributes/fields are specified by the CA (PKI), apply RWTH-wide and cannot be changed by the applicant.

The field "Passwort zum Verschlüsseln des Private Key": Set a password to encrypt your .json file. The .json file contains your cryptographic keys. You need this file and its password to retrieve and use your certificate. There is no password reset available, so keep the file and its password safe.

Schlüsselalgorithmus (key algorithm): Select "RSA-4096" (recommended) or "RSA-2048".

Your Full Name:

  • If your IdM name does not match the name in your personal identification document, please contact the central university administration that manages your data in order to have your name corrected, and come back later.
  • Please note that (academic) titles cannot be entered on GÉANT/TCS certificates, even if these are documented in your identity document.

Pflichtfelder (Mandatory fields):

  • Please confirm that your name, as conveyed from your IdM data, is correct and that you have authorized access to the mailbox.
  • Please consent to the processing of your data for the purposes of issuing and managing your user certificate. Please read the text carefully.
  • You acknowledge that your certificate is included in the RWTH-LDAP (RWTH internal directory service).

6. Upload the certificate application

Clicking on the corresponding button triggers three events:

  • Generate certificate request in the browser (here your cryptographic keys are generated in the browser).
  • Save the certificate request file locally (here the .json file is saved locally on your computer).
  • Upload your certificate request into the RA-Portal.

Depending on your browser settings, you may be asked where and how to save the .json file. If you do not get a dialog box and/or use the default browser settings, then the .json file is saved in the Downloads folder.

7. Send the certificate request

After you have generated your certificate signing request (application), you have to send (submit) it to the CA (Certification Authority). There are two ways to do this.

Sidenote: here is your last chance to save the .json file (again): The .json file should have been automatically downloaded to your computer in the previous step 5 (check your Downloads folder if necessary). By clicking the "Antragsdatei erneut speichern" button you can download it again manually. The .json file is necessary in order to use your certificate later (as it contains your cryptographic keys).

Your certificate signing request (application) must now be sent to the CA (PKI). This can be done in two ways:

  • By clicking on the button "Zertifikatsantrag jetzt absenden" (Send certificate application now) your certificate application will be sent to the CA immediately. Proceed to step 8 of this instruction.

  • By clicking on the “Zertifikatsantrag erst anzeigen" (Show certificate request first) button, you can check your request again before sending it to the CA.
    • You can read the plaintext content of your certificate signing request under "Inhalt des Zertifikatsantrages" (Content of the certificate request).
    • You still have the option to change your mind and just delete your certificate application by clicking on the "Löschen" (delete) button.
    • Or you can click on the "Absenden" (send) button, and finally send your certificate application to the CA.

8. Your application is being processed

You can view the status of your certificate application request at any time under the menu item “Meine Client-Zertifikate" (My client certificates). During processing, the request status is "Gesendet aber noch nicht ausgestellt" (Sent but not yet issued) and a blue hourglass icon is displayed.

 

Collect user certificate

Once your certificate has been issued, you will receive an email notification from ra-portal-noreply@itc.rwth-aachen.de with subject "[ra-portal] Client-Zertifikat für <email> ausgestellt" (client certificate for <email> issued).

A green check mark is displayed to the left of the certificate, and its "Status" reads "Momentan gültig" (currently valid). It is now possible to download your certificate and "bind" it to your cryptographic keys (steps 5-6).

  • Select the button "PKCS#12-Datei generieren" to generate your PKCS#12 file. This is what you need to import into your email or document signing application.
  • Option "Zertifikat-Download (PKCS#7)": Here you can download your user certificate with its chain. This option is required if your certificate request was previously generated via openssl.
  • Option "Inhalt als Text anzeigen": This is the content of your S/MIME certificate in plaintext.
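Added example (not code from the RA-Portal page or the RWTH IT Center) covering both openssl-related paths on this page: the "upload a certificate request" alternative to step 5, where key pair and CSR are made with openssl instead of in the browser, and the "Zertifikat-Download (PKCS#7)" option above, where that key and the downloaded chain are packed into the .p12 file. It assumes the CA reads the email address from the subjectAltName of the CSR; file names, the $KEY_PASS/$P12_PASS variables and the function names are placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from the RA-Portal page or the RWTH IT Center.
# gen_key_and_csr: the "upload a certificate request" alternative to step 5,
# i.e. key pair and CSR made with openssl rather than in the browser.
# build_p12: the "Zertifikat-Download (PKCS#7)" path of the collect step,
# where the downloaded chain and the local key are packed into a .p12 file.
# Assumed: the CA reads the e-mail address from subjectAltName; file names,
# $KEY_PASS and $P12_PASS are placeholders of this example.
set -eu

# gen_key_and_csr DIR EMAIL [NAME]: RSA-4096 key encrypted with $KEY_PASS (the
# counterpart of the .json password) and a CSR for EMAIL. Leave NAME empty for
# a functional mailbox, where no Common Name is allowed.
gen_key_and_csr() {
  dir=$1; email=$2; name=${3:-}
  subj="/emailAddress=$email"
  [ -n "$name" ] && subj="/CN=$name$subj"
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$dir/key.pem" 4096 2>/dev/null
  openssl req -new -key "$dir/key.pem" -passin "pass:$KEY_PASS" -subj "$subj" \
    -addext "subjectAltName=email:$email" -out "$dir/request.csr"
  # Check before uploading: signature verifies and the SAN carries the e-mail.
  openssl req -in "$dir/request.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$dir/request.csr" -noout -text | grep -q "email:$email"
}

# build_p12 DIR P7B: the PKCS#7 download (leaf plus chain, PEM or DER) and
# key.pem become cert.p12, protected with $P12_PASS.
build_p12() {
  dir=$1; p7b=$2
  openssl pkcs7 -in "$p7b" -print_certs -out "$dir/chain.pem" 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$p7b" -print_certs -out "$dir/chain.pem"
  openssl pkcs12 -export -inkey "$dir/key.pem" -passin "pass:$KEY_PASS" \
    -in "$dir/chain.pem" -passout "pass:$P12_PASS" -out "$dir/cert.p12"
  # The .p12 must open with its password; there is no reset if it is lost.
  openssl pkcs12 -in "$dir/cert.p12" -passin "pass:$P12_PASS" -noout
}

# p12_matches_key DIR: the certificate inside cert.p12 belongs to key.pem.
p12_matches_key() {
  dir=$1
  a=$(openssl pkcs12 -in "$dir/cert.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
      openssl x509 -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$dir/key.pem" -passin "pass:$KEY_PASS" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}
```

The .p12 produced here is what the email application imports; as with the browser flow, the encrypted key.pem and its password are only needed until the .p12 has been saved.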
 

The “Durchsuchen” (Browse) field: Click to select the certificate request file (.json file) you downloaded in step 6.

The "Passwort zum Entschlüsseln des Private Key" (Password for decrypting the private key) field: Enter the password for the .json file that was set in step 5.

The "Passwort zum Verschlüsseln des PKCS#12-Datei" (Password for encrypting the PKCS#12 file) field: Set a password for your .p12 file. You need this password to be able to import your .p12 file (and consequently your certificate and the associated cryptographic keys) into your email application, for example. Keep this password safe, there is no way to recover or reset it.

Click on the “PKCS#12-Datei erstellen" (create PKCS#12 file) button to generate the .p12 file and save it locally.

It is also possible to reuse the .json password for the .p12 file. To do this, click the box "Gleiches Passwort ... benutzen" (use the same password to encrypt the PKCS#12 file).

You will receive a confirmation that the .p12 file has been created. If you were unable to download the file, you can click on the green “PKCS#12-Datei erneut speichern” button (not shown here).

Once you have successfully downloaded and saved your .p12 file, you can close the pop-up.

Please keep this .p12 file safe, it will be needed later to import your “certificate” into applications.

Once you have found a secure place for your .p12 file, you can (and should) delete your .json file (aka tidying up loose ends).


Additional Information:

last changed on 02/10/2025

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License