FAQ - Public Key Certificates
Digital signatures are checked according to two criteria:
- Whether they are mathematically (cryptographically) correct, i.e. the signature verifies against the public key contained in the signer's certificate
- Whether the user certificate of the signer is subordinate to a trusted root certificate:
  - The certificate chain must be of the form user certificate -> intermediate certificate -> root certificate
  - The root certificate must be installed in the application (and be trusted by the application)
The pre-installed root certificates depend on the application. An installation of Adobe Acrobat includes some common root certificates, comparable to those shipped with Firefox, Outlook, Chrome, Edge etc. It does not, however, include either of the two root certificates commonly used by members of RWTH Aachen University:
- Neither the root certificate of DFN-PKI Global (T-Telesec GlobalRoot Class 2)
- nor the root certificate of GÉANT/TCS (AAA Certificate Services)
If you need an application, such as Adobe Acrobat, to trust digital signatures from members of RWTH Aachen University (and show them in green), the application must be configured accordingly.
Please follow our instructions for configuring trusted certificates to do this (currently only available in German).
Please note: The "USERTrust RSA Certification Authority" root certificate is installed by default in Adobe and leads to the result "INVALID" when a GÉANT user certificate is checked. This certificate must be removed from the list of trusted certificates as described in the instructions above.
If your Adobe Acrobat has not been configured correctly, the digital signature will be shown as "INVALID" during its validation. The Signature Properties will state that "The signer's identity is invalid".
Since the introduction of the new GÉANT/TCS certification authority in August 2023, all RWTH users who wish to validate digitally signed documents need to update their installed certificates in the Adobe Acrobat certificate store. Currently, most users are still using the old DFN-PKI user certificates, but new GÉANT/TCS certificates are becoming increasingly common. If either of those two root certificates is missing, the respective digital signatures will be shown as invalid.
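The two criteria from the first answer, as an added Go example (this is not code from the RWTH page, Adobe, or any of the PKIs named above): a constructed root -> intermediate -> user certificate hierarchy with hypothetical names stands in for the real chains, a constructed document is signed with the user key, and the validator first checks the mathematics and then whether the signer's certificate chains to a root in the "installed" trust list. With the root present the signature is accepted; with the root missing (the Adobe-without-DFN/GÉANT-root situation) the same, cryptographically correct signature is reported as invalid because the signer's identity cannot be established.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-level hierarchy (root -> intermediate -> user
// certificate), the shape the FAQ describes. All names are hypothetical.
type PKI struct {
	Root, Inter, User *x509.Certificate
	UserKey           *ecdsa.PrivateKey
}

// issue generates a P-256 key and a certificate for it, signed by parent
// (self-signed when parent is nil). It panics on error: this is a demo PKI.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if isCA { // CA certificates only sign other certificates
		tmpl.KeyUsage = x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewPKI builds the hypothetical chain used in the demo.
func NewPKI() *PKI {
	root, rootKey := issue(1, "Example Root CA", true, nil, nil)
	inter, interKey := issue(2, "Example Personal CA", true, root, rootKey)
	user, userKey := issue(3, "Erika Mustermann", false, inter, interKey)
	return &PKI{Root: root, Inter: inter, User: user, UserKey: userKey}
}

// SignDocument produces an ECDSA (DER-encoded) signature over SHA-256 of doc.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// ValidateSignature applies the FAQ's two criteria in order. "trusted" plays
// the role of the application's list of installed, trusted root certificates.
func ValidateSignature(doc, sig []byte, user, inter *x509.Certificate, trusted []*x509.Certificate) error {
	// Criterion 1: is the signature mathematically correct for the signer's key?
	if err := user.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("INVALID: signature does not verify: %w", err)
	}
	// Criterion 2: does the signer's certificate chain to a trusted root?
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	if _, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return fmt.Errorf("INVALID: signer's identity is unknown: %w", err)
	}
	return nil
}

func main() {
	p := NewPKI()
	doc := []byte("constructed sample document") // constructed input
	sig, _ := SignDocument(p.UserKey, doc)
	fmt.Println("root installed:", ValidateSignature(doc, sig, p.User, p.Inter, []*x509.Certificate{p.Root}))
	fmt.Println("root missing:  ", ValidateSignature(doc, sig, p.User, p.Inter, nil))
}
```

Note that the order of the two checks matters for diagnosis: a signature that fails criterion 1 means the document or signature was altered, whereas a signature that passes criterion 1 but fails criterion 2 is the "signer's identity is invalid" case, which is fixed on the validator's side by installing the missing root, not by the signer.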
last changed on 09.02.2024
In order to be able to digitally sign emails or documents, you need cryptographic keys. More precisely, you need a user certificate (also called a public key, S/MIME or X.509 certificate) together with its private key, and an application (e.g. Outlook, Thunderbird, Adobe Acrobat etc.) that is configured to use this certificate and its associated cryptographic keys.
How do you get a user certificate at the RWTH?
- If you are a student or an employee, just log in to the RA-Portal and apply for a client certificate in the GÉANT/TCS PKI. Need user instructions?
- If you have no access to the RWTH intranet, you cannot reach the RA-Portal and therefore cannot apply for a user certificate.
- If you already have a DFN-PKI user certificate, just continue using that until it expires.
Here is a quick overview for Windows users:
- Apply for and download your user certificate: User certificates RA-Portal
- Import your user certificate (and the associated cryptographic keys): Importing your own .p12 file into the Windows certificate store
- Configure your application:
After completing the above steps, you can use Outlook to digitally sign emails and Adobe Acrobat to digitally sign PDF files.
You can find manuals for additional applications in the section "Uses for Public Key Certificates".
last changed on 16.11.2023
- Your network contact persons enter your organisational email address into the RA-Portal and "send" you a challenge email.
- You receive the challenge email (from email@example.com) at your work email address.
- Follow the URL in the challenge email and login to the RA-Portal, in order to confirm your email address.
- Your email address will now be displayed in the RA-Portal and you can apply for a user certificate.
This process is also described in the second step of the guide User certificates RA-Portal.
If you leave your organisation (department, chair, etc.), you might lose the right to apply for further user certificates, or your network contact person may revoke your existing certificates.
last changed on 22.01.2024
When installing your user certificate in Windows (i.e. when you import your .p12 file), you can choose to enable "strong private key protection". The consequence of this setting is that Windows asks you for your "Windows CryptoAPI" private key password every time an application tries to use the key, i.e. every time you digitally sign a document or an email.
This security setting is intended to protect you from unauthorised use of your application to digitally sign documents or emails, e.g. should you have forgotten to lock your screen when you step away from your computer. Without it, any program running under your Windows account can use the key without any further prompt. So, assuming you are consistently taking all other measures to protect your computer from unauthorised use, you might wish to get rid of the high security setting. To do that you need to import your user certificate (.p12 file) again into Windows, using either the Windows "Certificate Import Wizard" or your Edge browser:
If you choose to use the Windows Certificate Import Wizard, just open your .p12 file and follow the known instructions, leaving "Enable strong private key protection" unticked.
If you choose to use your Edge browser:
- Select “settings” in the Edge browser and select “Privacy, search, and services” on the left
- Scroll down until you reach the “Security” section. Click on the button next to “Manage certificates”
- You can now select and import your certificate (.p12-file) using the dialogue window
- While importing your certificate, make sure NOT to enable "strong private key protection" (it is the first tick box).
After importing your user certificate as above, the pop-up should no longer be displayed in the relevant applications.
last changed on 24.01.2024
This problem occurs when the sender's Outlook signs with the hash algorithm SHA-1, which is deprecated and is rejected by current software.
This problem can only be solved by the sender. The sender needs to configure their Outlook to sign with SHA-256 instead.
last changed on 25.01.2024