You are located in service: Public Key Certificates

When to use the DFN-Verein Community PKI

When to use the DFN-Verein Community PKI


The DFN-Verein Community PKI issues public-key certificates that are not anchored in the browser/operating system, i.e. it is a private PKI for public key cryptography.


Browser/operating system anchored PKIs, e.g. DFN-PKI Global or GÉANT/TCS, issue certificates that are subject to the regulations of the CA/Browser Forum ( These regulations are not necessarily optimal for all application scenarios, especially those where there is no user interaction (e.g. URL or VPN-Login).

As an alternative the DFN-Verein has set up a NON browser/operating system based PKI, the "DFN-Verein Community PKI". Using this PKI offers the following advantages:

  • longer certificate validity period
  • no certificate revocation due to external constraints

However, since the root certificate required for validating the certificate chain is not pre-installed in the browser/operating system, the root certificate ( of the DFN-Verein Community PKI must be explicitly installed on each system that participates in the communication/validation.

The current default validity periods in the DFN-Verein Community PKI are:

  • 1170 Days for server certificates (~ 38 months or ~ 3 years)
  • 1825 Days for user certificates (5 years)

These certificates are especially attractive for:

  • Shibboleth IdP/SP metadata (
  • internal systems such as database or where the risks of public PKI should be avoided
  • 802.1X for network access
  • Active Directories

The application process is similar to that for the well known DFN-PKI Global:

  • request a certificate (either directly via CSR (PKCS#10, please note that the namespace is "C=DE,ST=Nordrhein-Westfalen,L=Aachen,O=RWTH Aachen")
  • or let your browser generate the RSA keys, with JSON-file export
  • and assign a revocation PIN
  • submit the certificate application (generated PDF document, digitally signed by applicant, and sent it to with a short explanation of why you chose the Community PKI)
  • receive certificate issue e-mail with URL, download certificate or generate an export file (PKCS#12) using the saved JSON-file in own browser

Certificate revocation occurs:

  • either by the certificate applicant online, by entering certificate serial number and previously assigned revocation PIN
  • or by sending a digitally signed e-mail to, requesting the revocation, including the serial number of the certificate


The DFN PCA provides the following documentation:



The DFN-Verein Community PKI can be accessed under the following web interface:


last changed on 04/24/2024

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License