When to use the DFN-Verein Community PKI
The DFN-Verein Community PKI issues public-key certificates whose root is not anchored in browser or operating-system trust stores, i.e. it is a private PKI.
Browser/operating-system anchored PKIs, e.g. DFN-PKI Global or GÉANT/TCS, issue certificates that are subject to the requirements of the CA/Browser Forum (https://cabforum.org/). These requirements are not necessarily optimal for every application scenario, especially those without user interaction (e.g. URL or VPN login).
As an alternative, the DFN-Verein has set up a PKI that is not anchored in browsers or operating systems, the "DFN-Verein Community PKI". Using this PKI offers the following advantages:
- longer certificate validity period
- no certificate revocation due to external constraints
However, since the root certificate required for validating the certificate chain is not pre-installed in browsers or operating systems, the root certificate (https://doku.tid.dfn.de/de:dfnpki:dfnpki_root_certs#dfn-verein_community_pki) of the DFN-Verein Community PKI must be explicitly installed on each system that participates in the communication or validates the certificates.
The current default validity periods in the DFN-Verein Community PKI are:
- 1170 days for server certificates (~38 months, i.e. ~3 years)
- 1825 days for user certificates (5 years)
These certificates are especially attractive for:
- Shibboleth IdP/SP metadata (https://doku.tid.dfn.de/de:certificates#eigene_lokale_ca)
- internal systems such as databases, or wherever the risks of a public PKI should be avoided
- 802.1X for network access
- Active Directory
The application process is similar to that of the well-known DFN-PKI Global:
- request a certificate, either directly via a CSR (PKCS#10; please note that the namespace is "C=DE,ST=Nordrhein-Westfalen,L=Aachen,O=RWTH Aachen")
- or let your browser generate the RSA key pair, with export to a JSON file
- and assign a revocation PIN
- submit the certificate application (the generated PDF document, digitally signed by the applicant, sent to ra@rwth-aachen.de with a short explanation of why you chose the Community PKI)
- receive the certificate-issued e-mail containing a URL; download the certificate or, using the saved JSON file in your own browser, generate an export file (PKCS#12)
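The following script is an added example and not part of the DFN or RWTH documentation. It shows the CSR step of the application process above (an RSA key and a PKCS#10 request in the prescribed "C=DE,ST=Nordrhein-Westfalen,L=Aachen,O=RWTH Aachen" namespace, with a self-signature check) and what the earlier note about explicitly installing the root certificate means for a relying party: the same leaf certificate fails validation when the root is absent and passes once the root is supplied. The host name service.example.org and the "toy root" CA are constructed stand-ins; the real Community PKI root is the one linked above and the real leaf is issued by the DFN CA, not by this script.

```shell
#!/bin/sh
# Added example (not DFN/RWTH code). Requires OpenSSL 1.1.1 or newer.
# The toy root CA built here is a constructed stand-in for the DFN-Verein
# Community PKI root and is, like that root, in no browser/OS trust store.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Namespace the Community PKI at RWTH expects; only CN/SAN are chosen by the applicant.
NAMESPACE="/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen"

# Step 1 of the application: private key plus PKCS#10 CSR for a (hypothetical) host.
make_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "$NAMESPACE/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    echo "$WORK/$host.csr"
}

# Subject in RFC 2253 form, so the check below is independent of the OpenSSL version's formatting.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Pre-submission check: CSR self-signature verifies and the subject carries the required namespace.
csr_in_namespace() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_subject "$1" | grep -q 'O=RWTH Aachen,L=Aachen,ST=Nordrhein-Westfalen,C=DE$'
}

# Constructed root CA (stand-in for the Community PKI root). `req -x509` marks it CA:TRUE.
make_toy_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/toy-root.key" -out "$WORK/toy-root.pem" \
        -subj "/C=DE/O=Toy Community PKI (constructed)/CN=Toy Root" 2>/dev/null
    echo "$WORK/toy-root.pem"
}

# Issue a server certificate from the CSR, using the 1170-day validity stated on the page.
sign_with_toy_root() {
    csr="$1"; host=$(basename "$csr" .csr); out="$WORK/$host.pem"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$csr" -CA "$WORK/toy-root.pem" -CAkey "$WORK/toy-root.key" \
        -CAcreateserial -days 1170 -extfile "$WORK/$host.ext" -out "$out" 2>/dev/null
    echo "$out"
}

# Relying-party view. -no-CApath/-no-CAfile keep the system trust store out of the picture,
# which is exactly the situation of a private root that nobody has installed yet.
verify_without_root() {   # returns non-zero: no trust anchor available
    openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
}
verify_with_root() {      # returns zero: root supplied explicitly, as after installing it
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/toy-root.pem" "$1" >/dev/null 2>&1
}

main() {
    csr=$(make_csr service.example.org)
    echo "CSR subject: $(csr_subject "$csr")"
    csr_in_namespace "$csr" && echo "CSR is in the RWTH namespace and self-verifies"
    make_toy_root >/dev/null
    leaf=$(sign_with_toy_root "$csr")
    verify_without_root "$leaf" || echo "without the root installed: chain validation FAILS"
    verify_with_root "$leaf" && echo "with the root supplied: chain validation OK"
    echo "files in $WORK"
}
main
```

The `verify_with_root` call is the state a system reaches after the root certificate from the link above has been added to its trust store (or passed to the application explicitly); `verify_without_root` is what every client sees before that, which is why the installation step cannot be skipped for any participant in the communication.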
Certificate revocation is carried out:
- either online by the certificate applicant, by entering the certificate serial number and the previously assigned revocation PIN
- or by sending a digitally signed e-mail to ra@rwth-aachen.de requesting the revocation and including the serial number of the certificate
The DFN PCA provides the following documentation:
- Description of the possible certificate profiles (https://www.pki.dfn.de/fileadmin/PKI/anleitungen/DFN-PKI-Zertifikatprofile_Global.pdf)
- Certification Policy of the DFN-Verein Community PKI (https://www.pki.dfn.de/fileadmin/PKI/DFN-Verein_Community_PKI_CPS.pdf)
The DFN-Verein Community PKI is accessed via the following web interface: https://pki.pca.dfn.de/dfn-pki/dfn-verein-community-ca/3550/