DFN-PKI certificates at Forschungszentrum Jülich

The research centre uses the DFN-Verein Global Issuing CA (DFN-CA) to issue and manage user and server certificates. These enable the use of cryptographic procedures (signed and encrypted email, TLS-protected services) to secure data transmission.

The DFN-Global-CA provides two categories of certificates: user certificates and server certificates. Below you will find direct access to the application web interfaces and to the participant service.

The JSC-Dispatch (building/room: 16.4 / 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: dispatch.jsc[at]fz-juelich.de, opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm) acts as the subscriber service (participant service) for the DFN-CA. Its tasks include authenticating the applicant against an official photo ID. The staff are of course also available to answer questions at any time.

Certificates of the DFN Global-CA may be ordered for:

  • FZJ employees with a valid FZJ mail address of the form v.name@fz-juelich.de
  • Function groups with a valid function mail address; the applicant must be the owner of the function mail address.
  • Servers in JuNet.
  • External certificate holders, if the need arises from cooperation with Forschungszentrum Jülich. In this case the name in the certificate must be preceded by EXT: (e.g. EXT: Gabi Mustermann).
  • Code signing. In this case either a personal certificate, preferably a pseudonym certificate with a name of the form "PN: <first name last name> - CodeSigning", or a group certificate ("GRP: CodeSigning <group name>") must be applied for.

Apply for a user certificate

The user certificates web interface provided by DFN-Verein supports the user in

  • generating a key pair
  • completing a certificate application, which must be signed and submitted in person to the subscriber service at the JSC (Dispatch) together with an official photo ID (ID card/passport). Authentication via video identification is possible, too.

Provided that a previous personal identification is not older than 39 months, it is sufficient to send the application to Dispatch (dispatch.jsc[at]fz-juelich.de) by post or by signed email.

Employees of the field offices can also have the personal identification carried out on site. The respective contact details are provided at the bottom of this page.

If all requirements are met, the participant service initiates the issuance of the certificate by the CA. The applicant is informed of completion by email. Via a link in this email the certificate can be retrieved and, together with the application file saved when applying (which holds the key pair), turned into a certificate file for import into the browser or mail client.

To apply for your certificate you have to use Firefox, Chrome, Microsoft's Chromium-based Edge, or Safari. Microsoft's older browsers Internet Explorer and the original (non-Chromium) Edge can NOT be used.

  • Go to the user certificates web interface.
  • Select User certificate.
  • Enter your name, email address, (optionally) the abbreviation of your organizational unit, and a revocation PIN. The personal note is for your own information only and can be omitted.
  • After clicking Next, you can check the application again and change it if necessary.
  • Clicking Save application file submits the application and offers the application file for download. This file must be saved: it contains your private key and is needed later to retrieve the certificate.

    Attention: after uploading the application file, Firefox asks in a pop-up window how to proceed with the application file. In this dialog, "Save file" must be explicitly selected before OK is pressed.
    Since the application file also contains the private key, it must be protected by a password. The download folder is defined in the browser settings.
  • With Download certificate application form (PDF) you get the application form as a PDF file for printing or saving. Submit this signed form to the participant service at JSC-Dispatch in person, by post or by signed email (dispatch.jsc[at]fz-juelich.de).
  • Wait for the approval by the participant service and the issuance of the certificate by the DFN-CA.
  • Once the certificate has been issued you will receive a signed email from dfnpki-mailsender-noreply@dfn-cert.de. It contains web links, so check your spam folder if it does not arrive.
  • Follow the link to your certificate and select the application file you saved when applying. After entering its password, press Next.
  • With Save certificate file you can now generate a PKCS#12 file. Besides the certificate, this file also contains the owner's private key, so it must be protected with a strong password. It can then be imported into the Windows certificate store (for use with Outlook) or directly into applications such as Thunderbird.

Apply for server certificates

Server certificates are used for TLS encryption of network services such as https, ldaps, imaps, etc.

The following steps are required to obtain a server certificate:

  • Generate a Certificate Signing Request (CSR). Some server applications provide tools for generating this file; otherwise the request is generated with an OpenSSL command.
  • Submit the CSR to the CA via the web interface.
  • Send the signed certificate application form to the subscriber service (JSC Dispatch) by post or by signed email.
  • The CA will then email a link to the issued certificate to the applicant.

The Common Name (CN) and all requested Subject Alternative Names (SANs) must be registered in the JuNet database. The administrators recorded for those servers in the JuNet database are the ones authorized to apply.

The certification guideline of the DFN-CA specifies that the subject has to contain the following attributes:

  • C=DE
  • ST=Nordrhein-Westfalen
  • L=Juelich
  • O=Forschungszentrum Juelich GmbH
  • CN=(fully qualified name of the server)
  • EMail=(email address of the administrator)

Please observe the following:

  • Pay attention to upper and lower case; the values must be entered exactly as given above.
  • Do not use German umlauts or ß.

Creation of a Certificate Signing Requests (CSR)

To generate the CSR, you either use tools provided by the respective server software or you use the corresponding OpenSSL command:

openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=www.example.org"

If the request should also contain Subject Alternative Names (SANs), you can use the following OpenSSL command. It relies on bash process substitution (<( ... )), so it must be run in bash rather than a plain sh. Note that the CN is repeated as the first DNS entry: browsers evaluate only the SANs, not the CN.

openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=www.example.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName= DNS:www.example.org,DNS:example.org,DNS:www.example.net,DNS:example.net"))

After the generation of the RSA private key you will be asked to enter a password. This so-called "PEM pass phrase" protects the generated private key (www.example.org-key.pem) from unauthorized access. Keep this key file safe: only the CSR (www.example.org-csr.pem) is uploaded to the CA, and the key file is needed again later to build the PKCS#12 file.

The OpenSSL quick reference of the DFN-Verein provides further assistance.
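The following script, an added example that is not from this page, the FZJ or the DFN-Verein, covers both commands above in one place: it writes the subject and the SAN list into an OpenSSL config file (which works in any sh, unlike the bash process substitution) and then checks the resulting CSR before it is uploaded. The checks mirror what this page requires: the CSR's self-signature verifies, the subject matches the prescribed attribute set byte for byte (so wrong case or an umlaut shows up as a mismatch), the SANs are exactly the registered names, and the key has the intended size. Function names, host names and file paths are placeholders.

```sh
#!/bin/sh
# csr-preflight.sh: generate a DFN-style CSR from an OpenSSL config file and
# check it before uploading it to the DFN-CA web interface.
# Added example for this page, not a script from FZJ or DFN-Verein.
# Host names, SAN lists, file names and function names are placeholders.

# make_csr DIR FQDN "DNS:a, DNS:b"
# Writes DIR/FQDN-key.pem and DIR/FQDN-csr.pem. The SAN list goes into a
# plain config section instead of bash process substitution.
make_csr() {
    dir=$1; fqdn=$2; sans=$3
    cat > "$dir/$fqdn.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = san
[ dn ]
C = DE
ST = Nordrhein-Westfalen
L = Juelich
O = Forschungszentrum Juelich GmbH
CN = $fqdn
[ san ]
subjectAltName = $sans
EOF
    # -nodes leaves the key unencrypted so the demo runs unattended; remove it
    # to be prompted for the PEM pass phrase as described on this page.
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/$fqdn-key.pem" -out "$dir/$fqdn-csr.pem" \
        -config "$dir/$fqdn.cnf" 2>/dev/null
}

# check_csr CSR EXPECTED_SUBJECT EXPECTED_SANS MIN_BITS
# EXPECTED_SUBJECT in RFC 2253 order (CN first, C last); EXPECTED_SANS as
# "DNS:a,DNS:b" without spaces. Prints the first problem and returns 1,
# or prints OK and returns 0.
check_csr() {
    csr=$1; want_subj=$2; want_sans=$3; min_bits=$4

    # 1. The self-signature must verify: the CSR was signed with the key
    #    whose public half it carries and has not been altered since.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "FAIL: $csr: self-signature does not verify"; return 1; }

    # 2. The subject must match the required attribute set exactly. RFC 2253
    #    output preserves case and escapes non-ASCII bytes, so wrong case,
    #    umlauts or a stray attribute all show up as a mismatch.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
           | sed 's/^subject= *//')
    [ "$subj" = "$want_subj" ] \
        || { echo "FAIL: subject is '$subj', expected '$want_subj'"; return 1; }

    text=$(openssl req -in "$csr" -noout -text)

    # 3. The requested SANs must be exactly the registered names
    #    (the CN repeated as a DNS SAN).
    sans=$(printf '%s\n' "$text" \
           | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }')
    [ "$sans" = "$want_sans" ] \
        || { echo "FAIL: SANs are '$sans', expected '$want_sans'"; return 1; }

    # 4. Key size, read from the "Public-Key: (N bit)" line.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
        || { echo "FAIL: key is ${bits:-?} bits, need at least $min_bits"; return 1; }

    echo "OK: $csr"
    return 0
}

# Demo: ./csr-preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_csr "$d" www.example.org "DNS:www.example.org, DNS:example.org"
    check_csr "$d/www.example.org-csr.pem" \
        "CN=www.example.org,O=Forschungszentrum Juelich GmbH,L=Juelich,ST=Nordrhein-Westfalen,C=DE" \
        "DNS:www.example.org,DNS:example.org" 4096
    echo "key and CSR are in $d (keep the key file; never send it anywhere)"
fi
```

Run it with --demo to see a passing check; point check_csr at a CSR produced by your server software to validate that one instead. The expected subject is given in RFC 2253 order (reversed relative to the -subj string) because that is the order OpenSSL prints with -nameopt RFC2253.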

Application process of a server certificate

  • Create a Certificate Signing Request (see previous chapter).
  • Navigate to the server certificate request pages.
  • Upload the CSR as a PKCS#10 certificate request (PEM-formatted file).
  • Select the certificate profile (default: Web Server).
  • Enter your name, email address, (optionally) your organizational unit identifier, and a revocation PIN.
  • After clicking Next, you can check the application again and make any necessary changes.
  • With Download certificate application form (PDF) you receive the application form. Sign it and send it to the participant service at JSC Dispatch in person, by post or by signed email (dispatch.jsc[at]fz-juelich.de).
  • Wait for the approval by the participant service and the issuance of the certificate by the DFN-CA.
  • Once the certificate has been issued you will receive a signed email from dfnpki-mailsender-noreply@dfn-cert.de. It contains web links, so check your spam folder if it does not arrive.
  • Save the issued certificate in PEM format.
  • Create a PKCS#12 file from the private key generated together with the CSR and the certificate issued by the CA (see next chapter).

Generate a PKCS#12 file from the private key and the associated certificate (PEM format)

With the OpenSSL command below, you can generate a PKCS#12 file (www.example.org.p12) from the private key (www.example.org-key.pem), the server certificate issued by the DFN-CA (signed-certificate.pem) and, optionally, the certificate chain (certificate-chain.pem). The chain is the complete trust chain from the root certificate down to the issuing CA; if required, you can download it from the DFN-CA website. You will be asked for the PEM pass phrase of the private key and for a new export password for the PKCS#12 file, which contains the private key and must be protected accordingly.

openssl pkcs12 -export -inkey www.example.org-key.pem -certfile certificate-chain.pem -out www.example.org.p12 -in signed-certificate.pem
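The script below wraps that command, as an added example that is not from this page, the FZJ or the DFN-Verein. It first confirms that the private key really belongs to the issued certificate (bundling the wrong -key.pem is a common mistake that otherwise only surfaces when the service starts), reads the export password from an exported environment variable instead of the command line, creates the .p12 owner-readable only, and shows how to inspect the result. Function and file names are placeholders; the throwaway CA in make_demo_files is a constructed stand-in for the DFN-CA so that the script runs offline.

```sh
#!/bin/sh
# p12-bundle.sh: assemble the PKCS#12 file from key, issued certificate and
# chain, and inspect the result. Added example for this page, not a script
# from FZJ or DFN-Verein; function names and file names are placeholders.
# The export password is read from the exported variable P12PASS so that it
# never appears in the process list.

# pubkey_fingerprint FILE key|cert
# SHA-256 of the DER-encoded public key, comparable between a PEM private
# key and a certificate.
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -pubkey -noout 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | sed 's/^.*= *//'
}

# make_p12 KEY CERT CHAIN OUT
# Refuses to bundle a key that does not belong to the certificate; writes
# OUT with mode 0600 because it contains the private key.
make_p12() {
    key=$1; cert=$2; chain=$3; out=$4
    kf=$(pubkey_fingerprint "$key" key)
    cf=$(pubkey_fingerprint "$cert" cert)
    if [ -z "$kf" ] || [ "$kf" != "$cf" ]; then
        echo "FAIL: public key in $key does not match $cert"; return 1
    fi
    ( umask 077; openssl pkcs12 -export -inkey "$key" -in "$cert" \
          -certfile "$chain" -out "$out" -passout env:P12PASS 2>/dev/null ) || return 1
    echo "OK: wrote $out"
}

# p12_cert_count P12: number of certificates in the bundle (leaf plus chain)
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_key P12: succeeds if the bundle carries a private key
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12PASS 2>/dev/null | grep -q 'PRIVATE KEY'
}

# make_demo_files DIR: constructed stand-in for the DFN-CA, a throwaway
# self-signed CA issuing a certificate for www.example.org. With the real
# DFN-CA you use the issued certificate and the chain from the DFN website.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=DE/O=Example CA/CN=Example Issuing CA" \
        -keyout "$d/ca-key.pem" -out "$d/certificate-chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=DE/ST=Nordrhein-Westfalen/L=Juelich/O=Forschungszentrum Juelich GmbH/CN=www.example.org" \
        -keyout "$d/www.example.org-key.pem" -out "$d/www.example.org-csr.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -set_serial 1 \
        -in "$d/www.example.org-csr.pem" -CA "$d/certificate-chain.pem" \
        -CAkey "$d/ca-key.pem" -out "$d/signed-certificate.pem" 2>/dev/null
}

# Demo: P12PASS=... ./p12-bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_files "$d"
    make_p12 "$d/www.example.org-key.pem" "$d/signed-certificate.pem" \
        "$d/certificate-chain.pem" "$d/www.example.org.p12"
    echo "certificates in bundle: $(p12_cert_count "$d/www.example.org.p12")"
    p12_has_key "$d/www.example.org.p12" && echo "private key present"
fi
```

For a real certificate, export P12PASS, then call make_p12 with your own key file, the PEM certificate from the DFN-CA and the downloaded chain; if the key file is pass-phrase protected, openssl prompts for the PEM pass phrase when reading it. A count of 2 certificates in the demo is the leaf plus the one CA certificate; with the full DFN chain you will see one more entry per intermediate.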

Subscriber Service

The Research Centre's Participant Service, which is part of the DFN-PKI, is located at JSC Dispatch.

JSC-Dispatch (building 16.4, room 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: dispatch.jsc[at]fz-juelich.de)

Opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm

The employees of the PTJ field offices can submit the participant declaration required for registration on site:

  • Contact in Berlin: +49 30 20199-460
  • Contact in Rostock: +49 381 20356-299

The same applies to employees of the JCNS field offices:

  • Contact in Jülich: +49 2461 61 2498

Employees of the Helmholtz Institute Erlangen-Nuremberg (IEK-11) can contact the following telephone number:

  • Contact in Erlangen: +49 9131 85-20843

Employees of the Helmholtz Institute Münster (IEK-12) can contact the following telephone number:

  • Contact in Münster: +49 251 83-30008

Validity of the certificates

In the DFN-PKI, two classes of user or server certificates are available to FZJ employees: Global certificates and grid certificates.

Certificate class   User certificate   Server certificate
Global              3 years            13 months
Grid                1 year             1 year

Further information and instructions (in German)

Last Modified: 08.06.2022