
DFN-Verein Community PKI


On this page you will find information on DFN-Verein Community PKI public-key certificates.

The DFN-Verein Community PKI issues public-key certificates that are not anchored in any browser or operating system trust store, i.e. it is a private PKI for public key cryptography.

Browser/operating system anchored PKIs, e.g. Harica or earlier Sectigo (GÉANT/TCS), issue certificates that are subject to the regulations of the CA/Browser Forum (https://cabforum.org/). These regulations are not necessarily optimal for all application scenarios, especially those without user interaction (e.g. Single Sign-On, LDAP queries).

As an alternative, the DFN-Verein has set up a PKI that is NOT anchored in browsers or operating systems, the "DFN-Verein Community PKI". Using this PKI offers the following advantages:

  • longer certificate validity period
  • no certificate revocation due to external constraints

However, since the root certificate required for validating the certificate chain is not pre-installed in the browser/operating system, the root certificate of the DFN-Verein Community PKI must be explicitly installed on each system that participates in the communication/validation.

The current default validity periods in the DFN-Verein Community PKI are:

  • 1170 days for server certificates (~ 38 months or ~ 3 years)
  • 1825 days for user certificates (5 years)

These certificates are especially attractive for:

  • Shibboleth IdP/SP metadata
  • internal systems such as databases, or generally wherever the risks associated with a public PKI should be avoided
  • 802.1X for network access
  • Active Directories

The current application process for server certificates in the DFN-Verein Community PKI:

  • use RA-Portal to submit your application and manage your server certificates
  • the Namespace is "C=DE,ST=Nordrhein-Westfalen,L=Aachen,O=RWTH Aachen"
  • one of three certificate profiles must be selected in order to determine the values of the "X509v3 Extended Key Usage"
    • serverAuth (Web Server)
    • serverAuth, clientAuth (Shibboleth IdP SP)
    • serverAuth, clientAuth, KDC Authentication, smartcardLogon (Domain Controller)
  • all currently valid server certificates in the DFN-Verein Community PKI can be administered in RA-Portal
  • older server certificates that were not applied for via RA-Portal cannot be renewed in RA-Portal, as the CSR is not available
  • server certificates with the profiles VoIP, LDAP or Radius that were not applied for via RA-Portal have been imported into RA-Portal with the profile "Shibboleth IdP SP"
  • all of the above can also be accomplished via the available API; check the inline documentation
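The two practical consequences of the text above (the root certificate has to be installed explicitly as a trust anchor, and the chosen profile fixes the Extended Key Usage values) can be checked with a standard `openssl` binary. The following script is an added example, not DFN-Verein's or RWTH's tooling: it builds a throwaway private root in a temporary directory, issues a server certificate for each of the three profiles, and then verifies each certificate once against the system trust store alone (fails, because the private root is unknown there) and once with the private root passed explicitly. It also shows that a certificate from the Web Server profile fails a client-authentication purpose check, while the Shibboleth IdP SP and Domain Controller profiles pass it. The root DN, `host.example.org` and the 1170-day leaf lifetime are constructed for the demonstration; the leaf subject reuses the namespace given above. OpenSSL has no short name for KDC Authentication, so that EKU and smartcard logon are given as numeric OIDs.

```shell
#!/bin/sh
# Added example (not DFN-Verein's or RWTH's own tooling): private root CA,
# one leaf per EKU profile, and chain validation with/without the root trusted.
# All names below (root DN, host.example.org) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Map the page's three profiles to OpenSSL extendedKeyUsage values.
# KDC Authentication (PKINIT) is OID 1.3.6.1.5.2.3.5, smartcard logon is
# 1.3.6.1.4.1.311.20.2.2; OpenSSL has no short name for the former.
profile_eku() {
  case "$1" in
    web)   echo "serverAuth" ;;
    idpsp) echo "serverAuth,clientAuth" ;;
    dc)    echo "serverAuth,clientAuth,1.3.6.1.5.2.3.5,1.3.6.1.4.1.311.20.2.2" ;;
    *)     echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Private root: no browser or operating system trust store knows about it.
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_root \
  -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=DE/O=Example Org/CN=Example Private Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Issue a leaf for profile $1; the certificate ends up in $WORK/leaf-$1.pem.
issue_leaf() {
  eku=$(profile_eku "$1") || return 1
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=host.example.org" \
    -keyout "$WORK/leaf-$1.key" -out "$WORK/leaf-$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:host.example.org\n' \
    "$eku" > "$WORK/ext-$1.cnf"
  openssl x509 -req -in "$WORK/leaf-$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1170 -extfile "$WORK/ext-$1.cnf" -out "$WORK/leaf-$1.pem" 2>/dev/null
}

# Verify certificate $2 for purpose $1 using only the default system trust store.
# A certificate from a private PKI whose root was never installed fails here.
verify_system_trust() {
  openssl verify -purpose "$1" "$2" >/dev/null 2>&1
}

# Verify certificate $3 for purpose $1 with the private root $2 explicitly trusted,
# with the default store disabled so the result depends on that root alone.
verify_private_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" -purpose "$1" "$3" >/dev/null 2>&1
}

# True if the EKU of certificate $2 lists usage $1 as printed by openssl x509 -text
# (e.g. "TLS Web Client Authentication").
has_eku() {
  openssl x509 -in "$2" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$1"
}

for p in web idpsp dc; do issue_leaf "$p"; done

# Stand-alone run: report the outcome per profile and purpose.
for p in web idpsp dc; do
  for purpose in sslserver sslclient; do
    if verify_private_root "$purpose" "$WORK/root.pem" "$WORK/leaf-$p.pem"; then r=ok; else r=FAIL; fi
    echo "profile=$p purpose=$purpose with-private-root=$r"
  done
  if verify_system_trust sslserver "$WORK/leaf-$p.pem"; then r=ok; else r=FAIL; fi
  echo "profile=$p purpose=sslserver system-store-only=$r"
done
```

The `-no-CAfile -no-CApath` switches matter for the positive check: without them a successful verification could come from the system store rather than from the root you intend to trust, which is exactly the ambiguity you want to rule out when rolling out a private root to servers and clients.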

All other certificates (e.g. Code Signing) in the DFN-Verein Community PKI may still be applied for via the Webportal DFN-Verein Community PKI. Please contact ra@rwth-aachen.de for further information on how to submit your application to the RWTH Registration Authority.


The DFN PCA provides the following documentation:


Additional information:

last changed on 03/31/2026


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License