RZG Registration Authority
Users of the Rechenzentrum Garching can obtain client certificates issued by the DFN under two different policies, the Grid policy and/or the Global (MPG CA) policy. Please refer to http://www.pki.dfn.de for further details (in German) about the public key infrastructures provided by the DFN-Verein, and to http://ca.mpg.de for additional information about the MPG CA under the DFN Global PKI.
For Grid infrastructures (e.g. DEISA, PRACE, D-GRID, LCG) and related applications, so-called Grid certificates are usually required. These Grid certificates are issued by CAs that are members of the EU Grid PMA.
RZG users at Greifswald (Germany) can obtain DFN Grid and MPG CA certificates via the RA (Heike Schürmann, ) at the Max Planck Institute for Plasma Physics. See here for further information.
Purpose of Certificates:
Certificates are a means of authentication (AuthN) and as such can be used for authorization (AuthZ). Based on the trustworthiness of the certificate issuer (Certificate Authority, CA), the certificate's identifier, its subject (distinguished name, DN), is assumed to identify the corresponding entity unambiguously. Such an entity can be a user (human), an agent (process) or a server; agents and servers are administered by a human who is the certificate owner, i.e. only this person is allowed to have access to the private key that complements the certificate. The certificate's subject (as the unique identifier, DN) is tied to the public key as an inherent part of the certificate.
Certificates are used for
- email signing
- email encryption: the GWDG DFN-ldap Wikipage provides details about how to configure the DFN LDAP in your mail client, which is important if encrypted mails are sent to multiple recipients
- accessing services (that accept certificates for AuthN/AuthZ)
More about certificates used and supported at IPP (IPP intranet).
The role of the RZG Registration Authority (RZG RA) at the Rechenzentrum Garching
- to identify the requestor of a certificate by means of his/her valid national identity document
- to check whether the identity of the user is consistent with the subject of the digital certificate signing request and the corresponding printed application form
- to check the uniqueness and correctness of the subject (distinguished name) of the certificate in the name space assigned to the RZG RA
- to confirm to the DFN CA that the identity of the requestor and the corresponding application have been verified
- to support RZG users concerning the certificate request or revocation procedure and to provide advice concerning the DFN CA or MPG CA policies as well as the handling of user certificates, private keys, CA certificates and truststores.
Users of the Rechenzentrum Garching can apply for a personal DFN Grid or DFN Global certificate using the corresponding web interface:
| User certificate | Duration | Purpose (recommended) |
|---|---|---|
| DFN Grid | 1yr | Grid middleware, authorized access to services within DEISA, PRACE, LCG, D-GRID |
| MPG CA / DFN Global | 3yr | email signing, encryption, authorized access to services |
Please note that the RA is not notified merely by submitting the electronic application form. The corresponding printed application form must be handed over, either in person (especially when applying for the first time) or by post to the responsible RA.
The RZG RA contact persons accredited for DFN Grid certificates are:
- Dr. Johannes Reetz, Rechenzentrum Garching, Boltzmannstr. 2, D-85748 Garching, Bldg D2 #315, Tel: 089 3299-2199, Fax: 089 3299-1301, email: grid-ra@rzg.mpg.de
- Andreas Schmidt, Rechenzentrum Garching, Boltzmannstr. 2, D-85748 Garching, Bldg D2 #320, Tel: 089 3299-1335, Fax: 089 3299-1301, email: grid-ra@rzg.mpg.de
The RZG RA contact persons accredited by the MPG CA for MPG CA / DFN Global certificates are:
- Dr. Johannes Reetz, Rechenzentrum Garching, Boltzmannstr. 2, D-85748 Garching, Bldg D2 #315, Tel: 089 3299-2199, Fax: 089 3299-1301
- Andreas Schmidt, Rechenzentrum Garching, Boltzmannstr. 2, D-85748 Garching, Bldg D2 #320, Tel: 089 3299-1335, Fax: 089 3299-1301
Description of the procedure for obtaining a user certificate
Please apply for your X.509 user certificate using the electronic form on the website of the DFN Grid CA or of the DFN Global CA, depending on which kind of certificate you need. Fill in the form under the tab "Zertifikatantrag für Nutzer" (certificate application for users).
After filling in the form and ticking the checkboxes, you can submit the application. A private/public key pair is then created in your browser, and only the public key is submitted together with your electronic application to the DFN CA. Your private key remains in your browser directory.
Once the electronic form has been submitted, print out the application form, fill in the requested details and sign it.
- To get your application processed, visit one of the contact persons for the corresponding CA and hand over your signed application form. According to the DFN CA policies, the RA has to check the identity document of the applicant, so please bring your passport or ID card.
- After the application form has been handed over, the RA will commit your application and you will usually receive your certificate electronically within one day.
- Your certificate is delivered via email, which contains a link. Clicking this link imports your certificate silently into your browser. This only works if you use the same browser you used to create the application, because that browser holds the matching private key.
Importing/Exporting a user certificate
If you want to use your certificate (together with its private key) in contexts other than your browser (e.g. an email client or the Globus middleware), or if you have to migrate your personal certificate from one browser to another, you can export the certificate and the corresponding private key together into a keystore (typically in PKCS#12 format, file extension .p12).
This keystore can then be processed further (e.g. with the Java keytool or with openssl).
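As an added example (not part of the RZG page and not an RZG or DFN tool), the following shell functions use openssl to split a .p12 keystore exported from the browser into the usercert.pem/userkey.pem pair that Globus-style middleware reads, keep the key encrypted with restrictive permissions, and check that key and certificate belong together. It assumes openssl is installed; the output directory and passphrase handling are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the RZG page): split a PKCS#12 keystore (.p12)
# exported from the browser into the PEM files Globus-style middleware
# reads, keep the key encrypted and file permissions tight, and check that
# key and certificate belong together. Assumes openssl is installed; the
# directory and passphrase handling are assumptions for illustration.
set -eu

# split_p12 <file.p12> <outdir> <passphrase>
# Writes usercert.pem (certificate only) and userkey.pem (private key only,
# re-encrypted under the same passphrase) into <outdir>.
split_p12() {
    p12="$1"; out="$2"; pass="$3"
    umask 077                      # new files readable by the owner only
    mkdir -p "$out"
    # Client (leaf) certificate only, no CA certificates, no key.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/usercert.pem"
    # Private key only; -passout keeps it encrypted on disk.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts \
        -passout "pass:$pass" -out "$out/userkey.pem"
    chmod 444 "$out/usercert.pem"
    chmod 400 "$out/userkey.pem"   # Grid tools refuse a key others can read
}

# key_matches_cert <dir> <passphrase>
# Returns 0 if the public key in userkey.pem equals the one in usercert.pem.
key_matches_cert() {
    c=$(openssl x509 -in "$1/usercert.pem" -noout -pubkey)
    k=$(openssl pkey -in "$1/userkey.pem" -passin "pass:$2" -pubout)
    [ "$c" = "$k" ]
}

# cert_summary <dir>
# Prints the subject DN and validity period: the values to compare with
# your printed application form.
cert_summary() {
    openssl x509 -in "$1/usercert.pem" -noout -subject -dates
}

# Usage: split_p12 ~/user.p12 ~/.globus "$PASS" && key_matches_cert ~/.globus "$PASS"
```

Passing the passphrase as `pass:...` makes it visible in the process list; when working interactively, drop `-passin`/`-passout` and let openssl prompt for it.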
CA root certificates
Root certificates are self-signed certificates of the root authority and as such the foundation of trust of a PKI. A person who has a root certificate installed in his or her browser or email client trusts that the CA can organisationally and practically ensure that the unique ID, the certificate subject, of an issued certificate remains unique within the PKI. The private keys must not be compromised by an unauthorized entity. The person also trusts that the CA ensures by organisational measures that certificate holders are carefully identified and that their identity is unambiguously mapped to the certificate subject.
