Procedures for User Certificates

  • You are a member of RWTH Aachen University.


  • If you need an RSA key longer than 2048 bits, use OpenSSL to create your key pair (and the certificate request) instead of letting the browser generate it.

Apply for a User Certificate

You apply by visiting the DFN-PKI web page. The instructions you need can be found here:


Personal Identification of the Applicant

The DFN-PKI Certificate Policy mandates that the RWTH Registration Authority perform a personal identification of the applicant; for more details see "Possible Ways of Identity Verification".

Receiving your User Certificate

  • You receive your certificate in a digitally signed e-mail from "".
  • In this e-mail you are instructed to "import" your user certificate into the browser in which you created the application, because that is where the private key was generated. What needs to be done depends on which browser you used, so please go back to the instructions linked above.
  • Keep a backup copy of your RSA key pair together with the corresponding certificate as a PKCS#12 (.p12) file in a safe place. All browsers except Internet Explorer force you to create this file during the import.

Please note:

If your e-mail domain is not whitelisted (everything outside ), you will receive a signed e-mail from ""; follow the steps outlined in that e-mail to confirm your e-mail address.

How to use your DFN-PKI User Certificate

The user certificate can be used for the following purposes:

  • to digitally sign and/or encrypt e-mails
  • client authentication on web applications
  • to digitally sign and/or encrypt documents

Validity Period of Certificate

  • The default validity period of the user certificates issued by the DFN-PKI is 3 years.
  • If you need a shorter validity period, please write this on the participant's declaration.

User Certificate Expiration

  • Your standard user certificate is valid for three years. Four weeks and again two weeks before it expires, you will receive an e-mail informing you of the upcoming expiry date and directing you to the web page where you can apply for a new certificate.
  • After your certificate has expired, you can no longer send digitally signed e-mails with it, and correspondents can no longer encrypt e-mails to you using it.
  • However, be aware that you need to keep all your old and expired certificates, together with their private keys, in your e-mail program: without the matching private key, old e-mails that were sent to you in encrypted form can no longer be read, and the expiry of the certificate does not change that.
  • If you migrate to a new e-mail application or get new hardware, export all your certificates together with their private keys as .p12 files and import them in the new environment, so that you can still read old encrypted e-mails and continue to send signed ones.
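The following script is an added example (not taken from this page and not DFN-PKI tooling) of the .p12 backup and migration procedure described in the list above and in "Receiving your User Certificate": it bundles a certificate with its private key into a passphrase-protected PKCS#12 file, restores it on a "new machine", proves that the restored key still decrypts mail that was encrypted to the certificate, and reports which of the two reminder windows (four weeks, two weeks) a certificate currently falls into. Since no DFN-issued certificate is available offline, a self-signed certificate is constructed as a stand-in; the subject, file names and passphrases are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the RWTH/DFN-PKI page: back up a user
# certificate together with its private key as a PKCS#12 (.p12) file,
# restore it, prove the restored key still decrypts mail encrypted to the
# certificate, and check the expiry reminder windows (4 and 2 weeks).
# No DFN-issued certificate is available offline, so a self-signed
# stand-in is constructed; names, subject and passphrases are placeholders.
set -eu

# Constructed stand-in for the key pair plus certificate received from the
# DFN-PKI: a self-signed certificate valid for $2 days (default 3 years).
make_stand_in_cert() { # dir [days]
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "${2:-1095}" -config "$1/req.cnf" \
        -subj "/CN=Max Mustermann/emailAddress=max@example.org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null )
}

# Backup: bundle private key and certificate into a passphrase-protected
# .p12 file. Without the key, the backup is useless for reading old mail.
export_p12() { # dir pass
    ( umask 077; openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name "DFN-PKI user certificate" -passout pass:"$2" -out "$1/backup.p12" )
}

# Restore: split the .p12 back into PEM certificate and key (new machine).
import_p12() { # p12 pass outdir
    ( umask 077
      openssl pkcs12 -in "$1" -passin pass:"$2" -clcerts -nokeys -out "$3/cert.pem"
      openssl pkcs12 -in "$1" -passin pass:"$2" -nocerts -nodes -out "$3/key.pem" )
}

# SHA-256 of the public key, taken from a certificate or from a private key,
# so a restored key can be checked against the certificate it belongs to.
cert_pubkey_sha256() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
key_pubkey_sha256()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }

# Encrypt a message to the certificate (what a correspondent does) and
# decrypt it with the private key (what only the key owner can do).
# Prints the recovered plaintext.
smime_roundtrip() { # cert key plaintext-string
    printf '%s' "$3" | openssl cms -encrypt -aes-256-cbc -outform PEM "$1" \
        | openssl cms -decrypt -inform PEM -inkey "$2" -recip "$1"
}

# Which reminder from the page would apply now: the certificate expires
# within 2 weeks, within 4 weeks, or later.
reminder_due() { # cert
    if ! openssl x509 -in "$1" -noout -checkend $((14*86400)) >/dev/null; then
        echo "2-week reminder"
    elif ! openssl x509 -in "$1" -noout -checkend $((28*86400)) >/dev/null; then
        echo "4-week reminder"
    else
        echo "none"
    fi
}

# Walk through the whole backup/restore cycle in a scratch directory.
WORK=$(mktemp -d)
mkdir "$WORK/new-machine"
make_stand_in_cert "$WORK"
export_p12 "$WORK" "backup-passphrase"                       # placeholder
import_p12 "$WORK/backup.p12" "backup-passphrase" "$WORK/new-machine"
[ "$(cert_pubkey_sha256 "$WORK/cert.pem")" = "$(key_pubkey_sha256 "$WORK/new-machine/key.pem")" ] \
    || { echo "restored key does not match certificate"; exit 1; }
echo "restored key matches certificate"
echo "decrypted: $(smime_roundtrip "$WORK/cert.pem" "$WORK/new-machine/key.pem" "hello from 2022")"
openssl x509 -in "$WORK/cert.pem" -noout -enddate
echo "reminder: $(reminder_due "$WORK/cert.pem")"
rm -rf "$WORK"
```

Two practical notes: the .p12 is only as safe as its passphrase, because it contains the private key in full, so store it somewhere that is not the laptop being replaced. And OpenSSL 3 writes .p12 files with PBES2/AES by default, which some older mail clients and Java keystores cannot read; if an import fails on such software, re-export with OpenSSL 3's `-legacy` option.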

last changed on 12/16/2022

