You are located in service: Certificates

Apply for a Group certificate

Apply for a Group certificate


This instruction describes how to apply for a group certificate in the DFN-PKI with your browser.

Known supported browsers are: Firefox, Edge (Chrome based), Chrome, Safari.

PLEASE NOTE: You must save the JSON application data file generated be your Browser (step 4), as well as the associated password. Both are needed in order to "collect" your certificate.


What is a group certificate?

If an e-mail address is used by a group of people or if it is a functional e-mail address (e.g., then a group certificate should be used instead of a personal user certificate. This group certificate together with the associated cryptographic keys (i.e. the .p12-file and its password) must be forwarded to all authorised users by secure means.

A group certificate is applied for and used in the same way as a user certificate, e.g. to digitally sign e-mails.

You can submit the readable application to the registration authority as if it was a server certificate application, see Identity verification options.



Three passwords are to be assigned during the certificate creation process:

  • for the certificate revocation (PIN)
  • for the .json file
  • for the backup of the .p12 file

Be sure to have knowledge of these.

1. Under "Nutzerzertifikat" select to apply for a "group certificate" on the DFN-PKI webpage.

2. Fill in the information pertaining to the certificate.

Group: A meaningful name for the e-mail address (it is automatically prefixed with "GRP -" in the subsequent step).

E-mail: The e-mail address for which the certificate shall apply.

Organisational Unit (OU): Full name of your RWTH institution (e.g.: IT Center, Chair of Computer Science 12).

Namespace: Here you can choose whether city and state should also be specified as part of the DN.

3. Fill in the information pertaining to the applicant.


Full name of the applicant: The name of the actual person submitting the application, as it appears on their identification document. This person must also submit the application to the registration authority.

E-mail of the applicant: Your own e-mail address.

Department: Full name of your RWTH institution (e.g.: IT Center, Chair of Software Construction).

Revocation PIN: The PIN is needed to revoke the received certificate if obsolete/compromised. Please keep this PIN in a safe place.

Personal note: This note will be saved in the .json file.

You must agree to comply to the regulations.

You may agree to the publication of the certificate.

You must agree to the processing of your personal data.


4. Save certificate application data file and assign a password for it.

Check submitted information and if correct select "Save certificate application data file (JSON)".

This step creates a .json file with the submitted information about the certificate and the applicant as well as the cryptographic keys (RSA keys) to the certificate.

The .json file is stored in encrypted format, you need to assign a password for this encryption. Prepare the .json password.


Enter the password with which the .json file will be encrypted.

You must keep the .json file and its password safe.

You will need both in order to "collect" the issued certificate.


5. Download certificate application form (PDF) and sign it.

Download certificate application form (PDF):

You need to submit or bring the printed .pdf file to the registration authority so that the personal identification of the applicant can take place.

Save certificate application data file (JSON) again:
Here you can download and save the application file (JSON) again, should you have failed to do so in step 4.


Save and/or print the .pdf file. Read it, date it and sign it by hand.

As the contents of the application form (PDF file) are currently not displayed in English, here in short what you are agreeing to:

  • you are not allowed to disclose your private RSA key to users outside the designated group

  • all devices on which you use your private RSA key (in extension your DFN-PKI certificate) are adequately protected from unauthorised access and abuse

  • your are required to revocate your certificate if any of the following applies:

    • any data, included in the certificate, is no longer valid/applicable

    • your private RSA key or your password to the file containing it has been compromised

    • you are no longer authorised to use the certificate

    • one of the users leaves the group (i.e. is no longer authorised to use the e-mail address specified under "Alternativer Namen")

 6. Submit application form in person and go through the required identity verification.

The DFN-PKI Certificate Policy mandates that the RWTH Registration Authority performs a personal identification of the applicant, for more details see Possible ways of identity verification in order to submit the certificate application form.



Here you can read how to "collect" the issued certificate, the process is analogous to a personal user certificate.

The certificate can only be "collected" by the person who

  • has received the e-mail from the DFN-PKI
  • has saved the .json file in step 4
  • knows the password from step 4
  • Receiving user certificate

last changed on 04/28/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License