You are located in service: Certificates

Integrate the certificate into the server

Integrate the certificate into the server

Receipt of the server certificate

After the RWTH Registration Authority has received your application (.pdf-file), the certification process will be initiated. Upon completion of this process, you will receive your server certificate as a PEM formatted file via signed email from the "".

E-Mail wit the certificate

Integration of the server certificate

You need:

  • the received certificate file
  • the generated and saved RSA key pair file (private.pem)
  • the certificate chain (not the root certificate "T-TeleSec GlobalRoot Class 2",  but the two intermediates "DFN-Verein Certification Authority 2" and "DFN-Verein Global Issuing CA")

Depending on the server software used, however, these files may need to be converted into other formats.

If the certificate is required in ASCII format, i.e. as a PEM file, the conversion from the original binary format DER is done as follows:

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem


Apache uses PEM formatted key parts, so you can easily integrate your key parts. In the "httpd.conf" the following points are especially important:

    • SSLCertificateFile:
      Your server certificate, as you received it by e-mail
    • SSLCertificateKeyFile:
      Your private key part, as you created it in step "Generating the RSA key pair
    • SSLCertificateChainFile:
      The complete certification chain as PEM formatted file


Like Apache, lighttpd uses key components in PEM format, so no format conversions are necessary. In the configuration, the following points are particularly important:

    • ssl.engine = "enable"
    • ssl.pemfile:
    • Combination of the private key part ("private.pem" from step "Generation of the RSA key pair") and the server certificate received by e-mail. (e.g. via "cat private.pem cert-<serial number>.pem > server.pem")
      The complete certification chain as PEM formatted file

Microsoft IIS

In order to use your certificate, the three root certificates must first be integrated in binary format (please open the following links with InternetExplorer for import ,DFN-Verein Global Issuing CADFN-Verein Certification Authority 2T-TeleSec GlobalRoot Class 2. Afterwards a "pkcs12" file must be created from your private key part and your server certificate. This can be done with OpenSSL:

openssl pkcs12 -export -in cert-<Seriennummer>.pem –inkey private.pem -out Ihre_neue_PKCS12_Datei.p12 -name "My Certificate"

Use the server certificate issued by the DFN-PKI as "cert-<serial number>.pem". The file "private.pem" must correspond to your private key part from step "Generate the RSA key pair". The newly created file "Your_new_PKCS12_file.p12" can then be imported into your server software.

last changed on 06/30/2022

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License