FAQ - Public Key Certificates

Digital signatures are checked according to two criteria:

• Where they are mathematically (cryptographically) correct
• Where the user certificate of the signee is subordinated to a trusted root certificate
  • The certificate chain must be in the form user certificate: intermediate certificate: root certificate
  • The root certificate must be installed in the application (and be trusted by the application)

The pre-installed root certificates depend on the application. An installation of Adobe Acrobat will include some common root certificates, such as those for Firefox, Outlook, Chrome, Edge etc. It does not, however, include either of the two root certificates commonly used by users at RWTH Aachen University:

• Neither the root certificate of DFN-PKI Global (T-Telesec GlobalRoot Class 2)
• nor the root certificate of GÉANT/TCS (AAA Certificate Services)

If you need an application, such as Adobe, to trust digital signatures from members of RWTH Aachen University (show them in green), then the application must be configured accordingly.

Please follow our instructions for configuring trusted certificates to do this (currently only available in German).

Please note: The "USERTrust RSA Certification Authority" root certificate is installed by default in Adobe and will lead to the result "INVALID" when checking a GÉANT user certificate. This certificate must be removed from the list of trusted certificates as described in the above instructions.

If your Adobe Acrobat has not been configured correctly, the digital signature will be shown as "INVALID" during its validation. The Signature Properties will state that "The signer's identity is invalid".

Since the introduction of the new GÉANT/TCS certification authority in August 2023, all RWTH users who wish to validate digitally signed documents need to update their installed certificates in the Adobe Acrobat certificate store. Currently, most users are still using the old DFN-PKI user certificates, but new GÉANT/TCS certificates are becoming increasingly common. If either of those two root certificates is missing, the respective digital signatures will be shown as invalid.

In order to be able to digitally sign emails or documents, you need cryptographic keys. Or more simply, you need an user certificate (Public Key or S/MIME or X.509) and an application (e.g. Outlook, Thunderbird, Adobe etc) that is configured to use this certificate and its associated cryptographic keys.

How do you get a user certificate at the RWTH?

• If you are a student or an employee, just login to the RA-Portal and apply for a client certificate in the GÉANT/TCS PKI. Need user instructions?
• If you have no access to the RWTH intranet, then you are not able to reach the RA-Portal and can hence not apply for a user certificate.
• If you already have a DFN-PKI user certificate, just continue using that until it expires. 

Here a quick overview for Windows users:

• Apply for and download your user certificate:  User certificates RA-Portal
• Import your user certificate (and the associated cryptographic keys): Importing your own .p12 file into the Windows certificate store
• Configure your application:
  • Outlook
  • Adobe Acrobat (user guide in German)

After completing the above steps, you can use Outlook to digitally sign emails and Adobe Acrobat to digitally sign PDF files.

You can find manuals for additional applications in the section "Uses for Public Key Certificates".

When installing your user certificate in Windows (i.e. when you import your .p12-file), you can choose to enable "strong private key protection". The consequence of this setting is that you are asked to enter your "Windows CryptoAPI" password every time you try to digitally sign a document or an email. 

This security setting is intended to protect you from unauthorised use of your application to digitally sign stuff, e.g. should you have forgotten to lock your screen when you step away from your computer. So, assuming your are consistently taking all measures to protect your computer from unauthorised use, you might wish to get rid of the high security setting. To do that you need to import your user certificate (.p12-file) again into Windows by using either the Windows "Certificate Import Assistent" or your Edge browser:

If you choose to use your Windows Certificate Import Assistent, just find your .p12-File and follow the known instructions.

If you choose to use your Edge browser:

1. Select “settings” in the Edge browser and select “Privacy, search, and services” on the left
2. Scroll down until you reach the “Security” section. Click on the button next to “Manage certificates”
3. You can now select and import your certificate (.p12-file) using the dialogue window
4. While importing your certificate, make sure NOT to enable "strong private key protection” (it's th first tick box).

After importing your user certificate as above, the pop-up should no longer be displayed in the relevant applications.

You can also use your user certificate on your smartphone:

Android

• Locate the certificate file in the file manager of your smartphone and open it.
• If the certificate is protected by a password, enter it before extracting the security key.
• Android will then show you the certificate name and the data it contains. Click on "OK" to import the certificate. You can then use it under Android.

You can find the imported certificate under Settings - Biometric data and security - Other security settings - User certificates

Apple:

• User certificates must be imported into the certificate manager on iOS devices.
• To do this, send the p12 file as an attachment via e-mail and open it in the browser via OWA.
• After the import, the certificate should be displayed under "Settings → VPN and device management".

Please note that an import via the Outlook app is generally NOT possible.