FAQ - Public Key Certificates
Some Android smartphones may not be able to establish a secure connection to your institution's mail server or RWTH using the Gmail application. This may be due to missing intermediate SSL certificates on your smartphone. You can download these here and manually install them on your device.
| Certificate | Serial Number | File in DER format (binary encoding) for Android, Windows | File in PEM format (Base64-ASCII encoding) for Linux |
|---|---|---|---|
| Root Certificate Harica (SSL with RSA key) | 0 (0x0) | 01-harica-root-rsa.der | 01-harica-root-rsa.pem |
| Intermediate Harica Certificate (SSL with RSA key) | 2a:60:86:d4:d4:de:45:c9:5e:4b:98:fb:bf:2f:bf:26 | 02-harica-intermediate-rsa.der | 02-harica-intermediate-rsa.pem |
| Intermediate GÉANT Certificate (SSL with RSA key) | 14:d5:7b:f3:69:22:28:21:9a:55:67:fa:91:65:1b:22 | 03-geant-intermediate-rsa.der | 03-geant-intermediate-rsa.pem |
last changed on 03/19/2025
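Before installing a downloaded file as a trusted certificate, its serial number can be compared with the Serial Number column of the table. The following is an added example, not part of the original FAQ: it reads the serial from either the DER or the PEM encoding using only the Python standard library. The function names are hypothetical, and `sample_cert` builds a constructed stand-in that carries only the leading fields of a certificate.

```python
import base64
import re

# Serial of the intermediate HARICA certificate, copied from the table above.
EXPECTED_SERIAL = "2a:60:86:d4:d4:de:45:c9:5e:4b:98:fb:bf:2f:bf:26"

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def to_der(data):
    """Accept PEM (Base64-ASCII) or DER (binary) bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def cert_serial(data):
    """Return the serial number as colon-separated lowercase hex."""
    der = to_der(data)
    tag, pos, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    tag2, pos, _ = _read_tlv(der, pos)     # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, start, end = _read_tlv(der, pos)  # [0] version, or serialNumber (v1)
    if tag == 0xA0:
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = der[start:end]
    if len(serial) > 1 and serial[0] == 0:  # drop the DER sign-padding byte
        serial = serial[1:]
    return ":".join(f"{b:02x}" for b in serial)

def sample_cert(serial_hex):
    """Constructed input: only the leading fields of a certificate, not a real one."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    serial = tlv(0x02, bytes.fromhex(serial_hex.replace(":", "")))
    return tlv(0x30, tlv(0x30, b"\xa0\x03\x02\x01\x02" + serial))
```

For a downloaded file, pass its bytes, e.g. `cert_serial(open("02-harica-intermediate-rsa.der", "rb").read())`, and compare the result with the table entry; the root certificate's serial of 0 is returned as `00`.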
Please make sure that the required root certificate has been configured. Multiple root certificates are required at RWTH Aachen University, because certificates from multiple issuers are in use.
The "USERTrust RSA Certification Authority" root certificate is installed by default in Adobe and will lead to the result "INVALID" when checking a GÉANT user certificate. This certificate must be removed from the list of trusted certificates. It is recommended to remove all pre-installed certificates.
last changed on 05/05/2026
To digitally sign emails or documents, please follow these steps:
- Request a user certificate
- Integrate the user certificate into your email application or Adobe Acrobat.
last changed on 05/05/2026
- Your network contact persons enter your organisational email address into the RA-Portal and "send" you a challenge email.
- You receive the challenge email (from ra-portal-noreply@itc.rwth-aachen.de) at your work email address.
- Follow the URL in the challenge email and log in to the RA-Portal in order to confirm your email address.
- Your email address will now be displayed in the RA-Portal and you can apply for a user certificate.
This process is also described in the second step of the guide User certificates RA-Portal.
If you leave your organisation (department, chair, etc.), you might lose the right to apply for further user certificates, or your existing certificates may be revoked by your network contact person.
last changed on 05/05/2026
When installing your user certificate in Windows, you can choose to enable strong private key protection. The consequence of this setting is that you are asked to enter your Windows CryptoAPI password every time you try to digitally sign a document or an email.
This security setting is intended to protect you from unauthorised use of your application to digitally sign documents or emails, e.g. should you have forgotten to lock your screen when you step away from your computer. So, assuming you are consistently taking all measures to protect your computer from unauthorised use, you might wish to get rid of the high security setting. To do that, you need to import your user certificate (.p12-file) again into Windows by using either the Windows Certificate Import Assistant or your Edge browser:
If you choose to use the Windows Certificate Import Assistant, please follow this manual.
If you choose to use your Edge browser:
- Select settings in the Edge browser and select Privacy, search, and services on the left
- Scroll down until you reach the Security section. Click on the button next to Manage certificates
- You can now select and import your certificate (.p12-file) using the dialogue window
- While importing your certificate, make sure NOT to enable strong private key protection
After importing your user certificate as above, the pop-up should no longer be displayed in the relevant applications.
last changed on 05/05/2026
This problem occurs when Outlook uses the signature algorithm SHA1, which is deprecated.
This problem can only be solved by the sender. The sender needs to configure their Outlook to use signature algorithm SHA256.
last changed on 01/25/2024
Please note that an import via the Outlook app is generally NOT possible.
You can also use your user certificate on your smartphone:
Android
- Locate the certificate file in the file manager of your smartphone and open it.
- If the certificate is protected by a password, enter it before extracting the security key.
- Android will then show you the certificate name and the data it contains. Click on "OK" to import the certificate. You can then use it under Android.
You can find the imported certificate under Settings - Biometric data and security - Other security settings - User certificates
To install the user certificate on iOS, please follow these instructions.
last changed on 05/05/2026
To send an encrypted message, you need the recipient's public key. The easiest way to obtain it is to reply directly to a signed email (“handshake”). Otherwise, the recipient must be saved as a contact from a signed email or selected from an integrated LDAP address book.
If you are still unable to send encrypted messages to a contact, please check whether any old address books are still integrated. These may contain different data for the contact. If necessary, remove the old address book and restart your email program.
last changed on 08/05/2025

