You are located in service: Public Key Certificates

DFN-Verein Community PKI

DFN-Verein Community PKI

information

On this page you will find information on DFN-Verein Community PKI public-key certificates.

The DFN-Verein Community PKI issues public-key certificates that are not anchored in any browser/operating system, i.e. it is a private PKI for public key cryptography.

Browser/operating system anchored PKIs, e.g. Harica or earlier Sectigo (GÉANT/TCS), issue certificates that are subject to the regulations of the CA/Browser Forum (https://cabforum.org/). These regulations are not necessarily optimal for all application scenarios, especially those where there is no user interaction (e.g. Sigle-Sign-On, LDAP query).

As an alternative the DFN-Verein has set up a NON browser/operating system based PKI, the DFN-Verein Community PKI. Using this PKI offers the following advantages:

  • longer certificate validity period
  • no certificate revocation due to external constraints

However, since the root certificate required for validating the certificate chain is not pre-installed in the browser/operating system, the root certificate of the DFN-Verein Community PKI must be explicitly installed on each system that participates in the communication/validation.

The current default validity periods in the DFN-Verein Community PKI are:

  • 1170 Days for server certificates (~ 38 months or ~ 3 years)
  • 1825 Days for user certificates (5 years)

These certificates are especially attractive for:

  • Shibboleth IdP/SP metadata
  • internal systems such as databases or where the risks associated with a public PKI should be avoided
  • 802.1X for network access
  • Active Directories

The current application process for server certificates in the DFN-Verein Community PKI:

  • use RA-Portal to submit your application and manage your server certificates
  • the Namespace is C=DE,ST=Nordrhein-Westfalen,L=Aachen,O=RWTH Aachen
  • one of three certificate profiles must to be selected in order to determine the values of the "X509v3 Extended Key Usage"
    • serverAuth (Web Server)
    • serverAuth, clientAuth (Shibboleth IdP SP)
    • serverAuth, clientAuth, KDC Authentication, smartcardLogon (Domain Controller)
  • all currently valid server certificates in the DFN-Verein Community PKI can be administered in RA-Portal
  • older server certificates, not applied for via RA-Portal, can not be renewed in RA-Portal as the CSR ist not available 
  • not via RA-Portal applied for server certificates with profiles VoIP, LDAP or Radius have been imported into RA-Portal with the profile Shibboleth IdP SP
  • all of the above can also be accomplished via the available API, this option is only available though to registered network contact persons.

All other certificates (e.g. Code Signing) in the DFN-Verein Community PKI may still be applied for via the Webportal DFN-Verein Community PKI. Please contact ra@rwth-aachen.de for further information on how to submit your application to the RWTH Registration Authority. 

 

The DFN PCA provides the following documentation:


Additional information:

last changed on 07/09/2026

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License