Apply for a Group certificate
These instructions describe how to apply for a group certificate in the DFN-PKI with your browser.
Known supported browsers are: Firefox, Edge (Chrome based), Chrome, Safari.
PLEASE NOTE: You must save the JSON application data file generated by your browser (step 4), as well as the associated password. Both are needed in order to "collect" your certificate.
What is a group certificate?
If an e-mail address is used by a group of people or if it is a functional e-mail address (e.g. firstname.lastname@example.org), then a group certificate should be used instead of a personal user certificate. This group certificate together with the associated cryptographic keys (i.e. the .p12-file and its password) must be forwarded to all authorised users by secure means.
A group certificate is applied for and used in the same way as a user certificate, e.g. to digitally sign e-mails.
You can submit the readable application to the registration authority as if it were a server certificate application; see Identity verification options.
Three passwords are to be assigned during the certificate creation process:
Be sure to have knowledge of these.
1. On the DFN-PKI webpage, under "Nutzerzertifikat", choose to apply for a "group certificate".
2. Fill in the information pertaining to the certificate.
Group: A meaningful name for the e-mail address (it is automatically prefixed with "GRP -" in the subsequent step).
E-mail: The e-mail address for which the certificate shall apply.
Organisational Unit (OU): Full name of your RWTH institution (e.g.: IT Center, Chair of Computer Science 12).
Namespace: Here you can choose whether city and state should also be specified as part of the DN.
3. Fill in the information pertaining to the applicant.
Full name of the applicant: The name of the actual person submitting the application, as it appears on their identification document. This person must also submit the application to the registration authority.
E-mail of the applicant: Your own e-mail address.
Department: Full name of your RWTH institution (e.g.: IT Center, Chair of Software Construction).
Revocation PIN: The PIN is needed to revoke the received certificate if it becomes obsolete or is compromised. Please keep this PIN in a safe place.
Personal note: This note will be saved in the .json file.
You must agree to comply with the regulations.
You may agree to the publication of the certificate.
You must agree to the processing of your personal data.
4. Save certificate application data file and assign a password for it.
Check the submitted information and, if it is correct, select "Save certificate application data file (JSON)".
This step creates a .json file with the submitted information about the certificate and the applicant, as well as the cryptographic keys (RSA keys) for the certificate.
The .json file is stored in encrypted format; you need to assign a password for this encryption. Prepare the .json password.
Enter the password with which the .json file will be encrypted.
You must keep the .json file and its password safe.
You will need both in order to "collect" the issued certificate.
5. Download certificate application form (PDF) and sign it.
Download certificate application form (PDF):
You need to submit or bring the printed .pdf file to the registration authority so that the personal identification of the applicant can take place.
Save and/or print the .pdf file. Read it, date it and sign it by hand.
As the contents of the application form (PDF file) are currently not displayed in English, here is a short summary of what you are agreeing to:
6. Submit application form in person and go through the required identity verification.
The DFN-PKI Certificate Policy mandates that the RWTH Registration Authority performs a personal identification of the applicant. For more details, see Possible ways of identity verification in order to submit the certificate application form.
Here you can read how to "collect" the issued certificate; the process is analogous to that for a personal user certificate.
The certificate can only be "collected" by the person who
- has received the e-mail from the DFN-PKI
- has saved the .json file in step 4
- knows the password from step 4
See also: Receiving user certificate