GÉANT TCS certificates at Forschungszentrum Jülich

Apply for a user certificate

S/MIME user certificates are now issued by the GÉANT TCS certification authority and no longer by DFN PKI. DFN certificates that were issued before August 29, 2023 remain valid.

The JSC Office for User Services (building/room: 16.4 / 201, phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de, opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm) acts as the interface to the DFN-CA (subscriber service). The tasks of the subscriber service include, for example, authenticating the applicant by means of an official photo ID. The staff are also available to answer questions at any time.

User certificates of GÉANT TCS might be ordered for: 

  • FZJ employees with a valid FZJ mail address v.name@fz-juelich.de
  • Function groups with valid function mail address. The applicant has to be the owner of the function mail address

Certificate application process

  • Send an informal email to the JSC Office for User Services (user-services.jsc@fz-juelich.de) and ask for a user certificate. You do not have to send any signed form anymore
  • In the case of user certificates, a personal authentication of the applicant at the JSC Office for User Services is required for the first application. The JSC Office for User Services is obliged to check your identity card.
    You will be informed via email if an authentication is necessary. If so, this can be done personally or via video ident
  • After successful authentication you will get an unsigned email from Sectigo Certificate Manager (support@cert-manager.com) with the subject "Your Email Invitation Request"
  • Open this email and click on "Verify Email Address"
  • You will be forwarded to the "Client Certificate Enrollment" form
  • Please do not change the predefined values
  • It is not possible to put any academical degree into the certificate
  • Accept the certification policy at the end of the form ("I have read and agree to the terms of the Sectigo Client Certificate EULA" -> ACCEPT)
  • By clicking on “Submit” your personal certificate will be generated. This process might last a couple of minutes. Please do not close the browser window during this time
  • After the certificate has been generated, the key protection algorithm has to be changed from "Secure AES256-SHA256" to "Compatible TripleDES-SHA1"
    • This is due to compatibility problems on Windows and macOS systems
    • Attention: please ignore the warning "This algorithm is older, slower and vulnerable to bruteforce"
  • You have to set "PKCS#12 Password" for your certificate and "Confirm PKCS#12 Password"
  • By clicking on “Download” your certificate will be downloaded and stored into the default download folder of your operating system. This might also last a couple of minutes
  • If your certificate has been downloaded, it will be shown in the Sectigo Certificate Manager as well
  • Go to the standard download folder of your operating system and double click on the generated .p12 file to import your certificate to the keychain management application of your operating system. Your operating system will guide you through the further steps
  • After that you can import your certificate to your email application

Apply for a server certificate

SSL server certificates are used for SSL encryption of network services like https, ldaps, imaps. FZJ uses the GÉANT TCS service to get server certificates.

The following steps are required to generate a server certificate:

  • Generate a Certificate Signing Request (CSR). In some cases, the applications provide tools for generating this file; in other cases, the request must be generated using an OpenSSL command.
  • Submitting the Certificate Signing Request (CSR) to the CA using the web interface.
  • Transmission of the signed certificate request to the subscriber service (JSC Office for User Services) by mail or signed email.
  • Afterwards the CA will send a link to the generated certificate to the applicant by e-mail.

The Common Name (CN) and all requested Subject Alternative Names (SANs) have to be available in the JuNet database. The respective administrators of the servers stored in the JuNet database are authorized to apply.

The Certificate Signing Request has to contain the following attributes:

  • C=DE
  • ST=Nordrhein-Westfalen
  • O=Forschungszentrum Juelich GmbH
  • CN=(fully qualified name of the server)
  • EMail=(email address of the administrator)

Creation of a Certificate Signing Request (CSR)

The Certificate Signing Request has to contain the following attributes:

  • C=DE
  • ST=Nordrhein-Westfalen
  • O=Forschungszentrum Juelich GmbH
  • CN=(fully qualified name of the server)
  • EMail=(email address of the administrator)

Please be sure to observe the following instructions:

  • Please note upper and lower case.
  • Please do not use German umlauts and ß!
  • To generate the CSR, you either use tools provided by the respective server software or you use the corresponding OpenSSL command:

    openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org"

    If the request should contain additional Subject Alternative Names (SANs), you might use the following OpenSSL command:

    openssl req -newkey rsa:4096 -sha256 -keyout www.example.org-key.pem -out www.example.org-csr.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName= DNS:www.example.org,DNS:example.org,DNS:www.example.net,DNS:example.net"))

    After the generation of the RSA private key you will be asked to enter a password. This so-called "PEM pass phrase" protects the generated RSA private key from unauthorized access.

    The OpenSSL quick reference of the DFN-Verein provides further assistance.
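The commands above rely on bash process substitution for the SAN extension and on an interactive pass phrase prompt. The script below is an added example (not from the FZJ page or from DFN) that puts the subject attributes and SANs into a small OpenSSL config file, so it works in any POSIX shell, and then checks the finished CSR for the points a subscriber service will look at: the exact C/ST/O/CN values, the requested SANs, and that the request really belongs to the key file you intend to keep. All paths and host names (www.example.org, example.org, the output directory) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the FZJ page: create a key pair and a CSR that carries the
# required subject attributes plus Subject Alternative Names, using a small OpenSSL config
# file instead of bash process substitution, then inspect the CSR before it is uploaded.
set -eu

# make_csr HOST OUTDIR [EXTRA_SAN ...]
# Writes OUTDIR/HOST.cnf, OUTDIR/HOST-key.pem and OUTDIR/HOST-csr.pem (OUTDIR must exist).
make_csr() {
  host="$1"; dir="$2"; shift 2
  sans="DNS:$host"                      # the CN is always repeated as the first SAN
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
C = DE
ST = Nordrhein-Westfalen
O = Forschungszentrum Juelich GmbH
CN = $host
[san]
subjectAltName = $sans
EOF
  # -nodes writes the key unencrypted so the script runs unattended; omit it to be asked
  # for a PEM pass phrase as described above. The key file is restricted to its owner.
  openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout "$dir/$host-key.pem" -out "$dir/$host-csr.pem" \
    -config "$dir/$host.cnf" 2>/dev/null
  chmod 600 "$dir/$host-key.pem"
}

# csr_subject CSR: one-line subject (RFC 2253 order) for a visual check of C/ST/O/CN.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_sans CSR: the requested SANs as "DNS:a,DNS:b" (empty output if none were requested).
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# csr_matches_key CSR KEY: succeeds when the CSR's public key belongs to the private key,
# which guards against uploading a request generated from a different key file.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (paths constructed for the demonstration):
#   mkdir -p out && make_csr www.example.org out example.org
#   csr_subject out/www.example.org-csr.pem
#   csr_sans out/www.example.org-csr.pem
#   csr_matches_key out/www.example.org-csr.pem out/www.example.org-key.pem && echo "key matches CSR"
```

Run the three check functions before uploading: the subject line must show exactly the values listed above (case matters, no umlauts), the SAN line must list every name that is registered in the JuNet database, and the key check confirms that the key file you will later bundle into the PKCS#12 file is the one the request was made from.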

Certificate application process

  • Create a Certificate Signing Request (see previous FAQ)
  • Go to the server certificate request pages
  • The authentication is managed by the Research Centre Jülich central identity provider
  • Choose Forschungszentrum Jülich GmbH (FZJ) as Your Institution and provide your user information
  • You will be forwarded to the SECTIGO Certificate Manager pages. Please wait until the page has loaded completely. If you have already applied for GÉANT TCS server certificates, you will find them there.
  • Go to Enroll Certificate
  • You will be forwarded to the SSL Certificate Enrollment page. Please ignore the Enroll with Access Code
  • Go to Select Enrollment Account and select Forschungszentrum Jülich GmbH as Account
  • The certificate profile OV Multi-Domain already contains all common server certificate profiles, such as LDAP Server, Shibboleth IdP SP, Mail Server, Radius Server, VPN Server, ...
  • With Upload CSR provide your CSR in PKCS#10 format. You may provide additional Subject Alternative Names (SANs)
  • In the External Requesters field you may provide additional email addresses
  • Choose Auto Renew if the CSR should be uploaded automatically when the certificate expires
  • With Submit your CSR will be uploaded to GÉANT TCS. You will be forwarded to the SECTIGO Certificate Manager pages, where you will find your certificate application. After the subscriber service has issued your certificate, you can download it from there. Additionally you will get an email with your certificate from support@cert-manager.com
  • In most cases the download as Certificate only, PEM encoded will be sufficient. This downloads the single certificate in one file. Alternatively, use the download as Certificate (w/ issuer after), PEM encoded; this file contains the certificate chain in addition to the certificate.
  • Download certificate chain (see also the DFN pages)
  • Finally, create a PKCS#12 file (see next FAQ)

Generate a PKCS#12 file from the private key and the associated certificate (PEM format)

With the OpenSSL command below, you can generate a PKCS#12 file (www.example.org.p12) from the private key (www.example.org-key.pem), the server certificate issued by the DFN-CA (signed-certificate.pem), and (optionally) the keychain (certificate-chain.pem). The keychain is the entire trust chain starting from the root certificate. If required, you can download it from the DFN-CA website.

    openssl pkcs12 -export -inkey www.example.org-key.pem -certfile certificate-chain.pem -out www.example.org.p12 -in signed-certificate.pem
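The command above prompts for the export password. The script below is an added example (not from the FZJ page or from DFN) that builds the PKCS#12 file non-interactively with the password supplied through an environment variable, then verifies the bundle before it is imported anywhere: the private key must match the end-entity certificate, and the chain certificates must actually be inside. Because no CA-issued certificate is available offline, a throwaway "Demo CA" is constructed inline purely as a stand-in; with real material you would pass the key, the certificate from Sectigo and the downloaded chain file instead. File names, the demo CA and the PKCS12_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the FZJ page: bundle a private key, its certificate and the
# chain into a PKCS#12 file without an interactive password prompt, then verify the bundle.
set -eu

# make_p12 KEY CERT CHAIN OUT: the export password is taken from the PKCS12_PASS
# environment variable, so it never appears on the command line or in the shell history.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -passout env:PKCS12_PASS
  chmod 600 "$4"
}

# p12_key_matches_cert P12: succeeds when the bundled key and end-entity certificate
# share the same public key (a mismatch means the wrong key file was used).
p12_key_matches_cert() {
  k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PKCS12_PASS 2>/dev/null \
        | openssl pkey -pubout)
  c=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PKCS12_PASS 2>/dev/null \
        | openssl x509 -pubkey -noout)
  [ "$k" = "$c" ]
}

# p12_cert_count P12: number of certificates in the bundle (end-entity plus chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PKCS12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_material DIR: stand-in for the CA-issued files, constructed only for this
# demonstration. A throwaway "Demo CA" signs a server certificate; in production the
# certificate and the chain come from GÉANT TCS instead.
make_demo_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
    -keyout "$dir/demo-ca-key.pem" -out "$dir/demo-ca-cert.pem" \
    -subj "/CN=Demo CA (constructed)" 2>/dev/null
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/demo-key.pem" -out "$dir/demo-csr.pem" \
    -subj "/C=DE/ST=Nordrhein-Westfalen/O=Forschungszentrum Juelich GmbH/CN=www.example.org" 2>/dev/null
  openssl x509 -req -in "$dir/demo-csr.pem" -CA "$dir/demo-ca-cert.pem" \
    -CAkey "$dir/demo-ca-key.pem" -CAcreateserial -days 1 -sha256 \
    -out "$dir/demo-cert.pem" 2>/dev/null
}

# Usage (constructed paths):
#   PKCS12_PASS='choose-a-strong-password'; export PKCS12_PASS
#   mkdir -p demo && make_demo_material demo
#   make_p12 demo/demo-key.pem demo/demo-cert.pem demo/demo-ca-cert.pem demo/www.example.org.p12
#   p12_key_matches_cert demo/www.example.org.p12 && echo "key matches certificate"
#   p12_cert_count demo/www.example.org.p12      # 2: server certificate plus the demo CA
```

One caveat when the .p12 file is meant for an older importer: OpenSSL 3 encrypts PKCS#12 bundles with AES-256 and PBKDF2 by default, whereas OpenSSL 1.1 used the older TripleDES/RC2-based scheme. Software that only understands the old scheme rejects the new bundles, which is the same compatibility problem the user-certificate section above works around by switching the key protection algorithm; OpenSSL 3's `openssl pkcs12 -export -legacy` produces the older format if that is unavoidable.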

Subscriber Service

The Research Centre's subscriber service for the GÉANT TCS is located at the JSC Office for User Services.

JSC Office for User Services (building 16.4, room 201 - "Rotunde/Erdgeschoss", phone: +49 2461 61 5642, email: user-services.jsc[at]fz-juelich.de)

Opening hours: Mon. - Fri.: 9:00am - 11:30am, additionally Thurs.: 1:30pm - 4:00pm

The employees of the PTJ field offices can submit the participant declaration required for registration on site:

  • Contact in Bonn: +49 228 60884-254 and +49 228 60884-201
  • Contact in Berlin: +49 30 20199-460, +49 3020199-3444, or +49 3020199-3429
  • Contact in Rostock: +49 381 20356-299

The same applies to employees in the JCNS field offices:

  • Contact in Jülich: +49 2461 61 2498

Employees of the Helmholtz Institute Erlangen-Nuremberg (IEK-11) can contact the following telephone number:

  • Contact in Erlangen: +49 9131-12538205

Employees of the Helmholtz Institute Münster (IEK-12) can contact the following telephone number:

  • Contact in Münster: +49 251 83-30008

Employees of the INM Düsseldorf can contact the following telephone number:

  • Contact in Düsseldorf: +49 2461 61 9167

Validity of the certificates

Certificate class     User certificate     Server certificate
GÉANT TCS                                  1 year
Global (DFN PKI)      3 years              -
Grid (DFN PKI)        1 year               1 year

Further information and instructions (in German)

Last Modified: 14.03.2024