GÉANT TCS certificates at Forschungszentrum Jülich

Table of Contents

Apply for a user certificate
Certificate application process
Apply for a server certificate
Creation of a Certificate Signing Requests (CSR)
Generate a PKCS#12 file from the private key and the associated certificate (PEM format)
Subscriber Service
Validity of the certificates

A detailed certificate documentation is available in the intranet at https://intranet.fz-juelich.de/en/organization/it-portal/software_services/infrastructure/certificates

Apply for a user certificate

The JSC Office for User Services (building/room: 16.4 / 201, phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de, opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm) acts as an interface to the DFN-CA (subscriber service). The tasks of the participant service include, for example, authenticating the applicant using an official photo ID. The staff is also available to answer questions at any time.

User certificates of GÉANT TCS might be ordered for: 

  • FZJ employees with a valid FZJ mail address v.name@fz-juelich.de
  • Function groups with valid function mail address. The applicant has to be the owner of the function mail address

Certificate application process

  • Send an informal email to the JSC Office for User Services (user-services.jsc@fz-juelich.de) and ask for an user certificate. You do not have to send any signed form anymore
  • In the case of user certificates, a personal authentication of the applicant at the JSC Office for User Services is required for the first application. The JSC Office for User Services is obliged to check your identity card.
    You will be informed via email if an authentication is necessary. If so, this can be done personally or via video ident

Apply for a server certificate

SSL server certificates are used for SSL encryption of network services like https, ldaps, imaps. FZJ uses the GÉANT TCS service to get server certificates.

The following steps are required to generate a server certificate:

The Certficate Signing Request has to contain the following attributes:

  • C=DE
  • ST=Nordrhein-Westfalen
  • O=Forschungszentrum Juelich GmbH
  • CN=(fully qualified name of the server)
  • EMail=(email address of the administrator)

Creation of a Certificate Signing Requests (CSR)

The Certficate Signing Request has to contain the following attributes:

  • C=DE
  • ST=Nordrhein-Westfalen
  • O=Forschungszentrum Juelich GmbH
  • CN=(fully qualified name of the server)
  • EMail=(email address of the administrator)

    • Please be sure to observe the following instructions:

  • Please note upper and lower case.
  • Please do not use German umlauts and ß!

    • To generate the CSR, you either use tools provided by the respective server software or you use the corresponding OpenSSL command:

    openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org"

    If the request should contain additional Subject Alternative Names (SANs), you might use the following OpenSSL command:

    openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName= DNS:www.example.org,DNS:example.org,DNS:www.example.net,DNS:example.net"))

    After the generation of the RSA private key you will be asked to enter a password. This so-called "PEM pass phrase" protects the generated RSA private key from unauthorized access.

    The OpenSSL quick reference of the DFN-Verein provides further assistance.

    Generate a PKCS#12 file from the private key and the associated certificate (PEM format)

    With the OpenSSL command below, you can generate a PKCS#12 file (www.example.org.p12) from the private key (www.example.org-key.pem), the server certificate issued by the DFN-CA (signed-certificate.pem), and (optionally) the keychain (certificate-chain.pem). The keychain is the entire trust chain starting from the root certificate. If required, you can download it from the DFN-CA website.

    openssl pkcs12 -export -inkey www.example.org-key.pem -certfile certificate-chain.pem -out www.example.org.p12 -in signed-certificate.pem

    Subscriber Service

    The Research Centre's Participant Service, which is part of the GÉANT TCS, is located at JSC Office for User Services.

    JSC Office for User Services (building 16.4, room 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de)

    Opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm

    The employees of the PTJ field offices can submit the participant declaration required for registration on site:

    • Contact in Bonn: +49 228 60884-254 und +49 228 60884-201
    • Contact in Berlin: +49 30 20199-460, +49 3020199-3444, oder +49 3020199-3429
    • Contact in Rostock: +49 381 20356-299

    The same applies to employees in the JCNS field offices

    • Contact in Jülich: +49 2461 61 2498

    Employees of the Helmholtz Institute Erlangen-Nuremberg (IEK-11) can contact the following telephone number:

    • Contact in Erlangen: +49 9131-12538205

    Employees of the Helmholtz Institute Münster (IEK-12) can contact the following telephone number:

    • Contact in Münster: +49 251 83-30008

    Employees of the INM Düsseldorf can contact the following telephone number:

    • Contakt in Düsseldorf: +49 2461 61 9167

    Validity of the certificates

    Certificate class

    User certificate

    Server certificate

    GÉANT TCS

    2 years

    1 year

    Grid (DFN PKI)

    1 year

    1 year

    Last Modified: 09.01.2025