Certificates
The Structure of the Certificate Hierarchy
1. German Telecom Root Certification CA 2: This authority’s root certificate certifies the DFN-PKI CA certificate at security level Global G01. The root certificate is preinstalled in all Windows operating systems, and therefore in all Microsoft applications. The same holds for Mozilla Firefox from version 3.0.12 and Mozilla Thunderbird from version 2.0.0.23.
2. German Research Network (DFN) private key certification service (overseen by DFN-Union): This intermediate authority’s certificate is certified by German Telecom’s root authority; it in turn certifies all certificates derived from it, including that of Freiburg University’s CA.
3. Freiburg University’s Certification Authority (overseen by DFN-Union): This authority’s certificate is certified by the DFN authority; it in turn certifies all certificates derived from it.
4. Freiburg University’s Certification Authority’s Registration Authority (overseen by the University IT Services): This body verifies the identity of all applicants and approves the requested certificates.
Freiburg University’s CA operating procedures are described in the following documents (available only in German):
- Policies der DFN-PKI
- CPS der Uni-FR CA: Certification Practice Statement describing the operating procedures of Freiburg University’s Certification Authority within the public key infrastructure of the German Research Network.
Root Certificate, DFN-CA Certificates and Freiburg University CA
To make use of Freiburg University’s web or e-mail certificates (and before applying for your own certificate), you must install the root CA certificate into your computer’s certificate store.
If you would like to obtain a certificate, see the following link:
pki.pca.dfn.de/uni-freiburg-ca-g2/pub
Typically you use the (binary) DER format to import a certificate into a web browser.
By comparing fingerprints you can verify for yourself whether a server’s certificate is the genuine one.
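A fingerprint is simply a hash of the certificate’s DER bytes, so a PEM file (the same DER wrapped in base64) must be decoded before hashing or the value will not match what the CA publishes. The following Python example is added here and is not code from the University IT Services; it uses only the standard library, and the certificate bytes are a constructed placeholder, not a real certificate. It accepts a fingerprint in any of the forms people paste it in (colons, spaces, upper or lower case) and handles both the DER and PEM download formats.

```python
import hashlib
import ssl

# Constructed sample: these bytes stand in for a DER-encoded certificate that
# was downloaded from the CA (hypothetical, not a real certificate). In practice
# read the .der/.cer file the CA publishes.
SAMPLE_DER = bytes(range(0, 64)) * 4


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint as the CA and browsers display it: hash of the DER bytes,
    upper-case hex, one colon between every byte."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce a pasted fingerprint to bare upper-case hex so that
    'ab:cd', 'AB CD' and 'abcd' all compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare the computed fingerprint against the one published by the CA."""
    return normalize(fingerprint(der, algo)) == normalize(expected)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (the text form the CA may also offer)."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")


def fingerprint_of_blob(blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint a downloaded file whether it is DER (binary) or PEM (text).
    The PEM envelope is decoded first; hashing the PEM text itself would give
    a value that matches nothing the CA publishes."""
    if blob.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        der = ssl.PEM_cert_to_DER_cert(blob.decode("ascii"))
    else:
        der = blob
    return fingerprint(der, algo)


if __name__ == "__main__":
    published = fingerprint(SAMPLE_DER)          # what the CA page would show
    print("SHA-256:", published)
    print("DER matches:", fingerprint_matches(SAMPLE_DER, published))
    print("PEM gives same value:", fingerprint_of_blob(to_pem(SAMPLE_DER)) == published)
```

Compare the value printed for the file you downloaded against the fingerprint shown on the CA’s own page; a single differing byte in the file changes the whole fingerprint.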
Every browser has its own certificate database in which certificates are stored. This means that a certificate imported into Mozilla Firefox is not available to MS Internet Explorer, and likewise cannot be used by other applications: even Mozilla Thunderbird does not see it.
Internet Explorer is the exception: a certificate imported there is available to all other Microsoft programs such as Outlook and Outlook Express.
The following instructions for importing these certificate chains (in German) show the basic way to import certificates so that you can identify yourself with a particular certificate.
How to obtain a certificate
Application
Here we show how to apply for a personal certificate for signing and/or encrypting e-mail with S/MIME.
- See also the wiki page "User-Zertifikat beantragen" (only available in German).
- The application is made in a simple way through a Freiburg University web form provided by the DFN-PCA.
- The key length must be at least 2048 bits.
- Do not use country-specific (non-ASCII) characters when entering your name; follow these rules:
  Allowed characters: a-z A-Z 0-9 ' ( ) + , - . / : = ? space
  Write German umlauts and ß as their ASCII equivalents (ä → ae, Ä → Ae, ß → ss, and so on).
  Do not use any other accented letters.
- The application procedure ends with a printed form, which we kindly ask you to fill out completely and bring to the University IT Services. Please make an appointment beforehand by e-mail or telephone (note our hours of operation!).
Note: Certificate applications older than 3 months are checked and deleted within the following 3-month period.
Personal Identification
Please come to the University IT Services with a valid identity card or passport to show to the certification contact person.
If you are applying for a server certificate, please bring a confirmation letter from your institute proving that you are indeed the server’s administrator.
The application is approved immediately unless there are grounds to deny it. Freiburg University’s CA sends the certificate by e-mail, and you will have it within a few minutes.
How to renew a certificate
- Personal certificates are valid for 3 years after approval; server certificates are valid for 2 years and 3 months.
- 15-30 days before a certificate expires, the certificate holder receives a notification e-mail which also explains how to renew the certificate.
A short summary of how to renew a certificate (with signature) follows:
1. Go to Freiburg University’s CA website and fill out a new application with all the details of the previous application.
2. Print the completed application, fill in the remaining information by hand and sign the form.
3. Send the signed application to the University IT Services through the University’s internal post, or make an appointment to come in personally. If you are renewing a server certificate, also send confirmation that you are in fact the administrator of your institute’s server and allowed to manage it, unless this was already established previously. After submission, the University IT Services checks the signature by comparing it with the old application and decides whether the application can be approved.
4. If the result is positive, you receive a certificate as before.
5. If the result is negative, the University IT Services contacts the applicant directly.
Attention: Please keep your old certificates. You need them to decrypt old data (such as e-mails).
Certificate Revocation
You can revoke your certificate if you suspect that your private key has been compromised and used by an unauthorized person. Another reason to revoke a certificate is the loss of the private key, for example after your computer crashed or was reinstalled.
If you decide to revoke your certificate, it is added to the so-called Certificate Revocation List (CRL). This list contains the serial numbers of all certificates that have been revoked before their natural expiration date.
You can find your serial number in the e-mail you received from the University IT Services when the certificate was originally issued. If you cannot find the serial number, go to the CA’s website under „Zertifikat suchen“ and enter your e-mail address (for user certificates) or the server name (for server certificates). You will then see a list of serial numbers in which you can look up your certificate’s details.
After you have submitted the serial number together with the reason for revocation, you will be asked for the PIN that you entered when you originally applied for the certificate. Without this PIN you cannot revoke the certificate and will need to contact the Point of Contact at the University IT Services.
If your request is approved, the registration authority is informed automatically and revokes the certificate.
Thereafter the certificate’s serial number appears in the publicly accessible revocation list of the DFN Union, where it can be checked by various web clients, browsers and e-mail programs.
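What a client does with that list is a lookup of the certificate’s serial number, and two details decide whether the answer can be trusted: the CRL must come from the certificate’s own issuer, and it must still be within its validity window (a stale list says nothing about certificates revoked since it was published). The following Python example is added here and is not code from the University IT Services or the DFN; it is a simplified model of the fields a revocation check needs, not a real X.509 CRL parser, and the issuer name, dates and serial numbers are constructed sample data. It also accepts serial numbers in the two forms they are typically shown in, decimal and colon-separated hex.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CRL:
    """Simplified model of a Certificate Revocation List (hypothetical structure,
    not a real X.509 CRL parser): who issued it, when it is valid, and which
    serial numbers it lists as revoked."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial (int) -> (revoked at, reason)


def parse_serial(text: str) -> int:
    """Serial numbers appear as decimal in some mails and as colon-separated
    hex in browsers; accept both and return the integer value."""
    raw = text.strip()
    compact = raw.replace(" ", "").replace(":", "")
    is_hex = ":" in raw or compact.lower().startswith("0x") \
        or any(c in "abcdefABCDEF" for c in compact)
    if compact.lower().startswith("0x"):
        compact = compact[2:]
    return int(compact, 16 if is_hex else 10)


def revocation_status(serial: str, issuer: str, crl: CRL, now: datetime) -> str:
    """Return 'revoked', 'good' or 'unknown'. 'unknown' means this CRL cannot
    answer the question, and a client must not treat that as 'good'."""
    if issuer != crl.issuer:
        return "unknown"      # a CRL only speaks for certificates its issuer signed
    if now < crl.this_update or now > crl.next_update:
        return "unknown"      # stale or not-yet-valid list: fetch a fresh one first
    return "revoked" if parse_serial(serial) in crl.revoked else "good"


# Constructed sample data (labels and numbers are invented for this example).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
STALE_TIME = NOW + timedelta(days=30)   # well past next_update below
SAMPLE_CRL = CRL(
    issuer="CN=Example University CA",
    this_update=NOW - timedelta(days=1),
    next_update=NOW + timedelta(days=6),
    revoked={
        0x1A2B: (NOW - timedelta(hours=12), "keyCompromise"),
        4711: (NOW - timedelta(days=3), "cessationOfOperation"),
    },
)


if __name__ == "__main__":
    for serial in ("1A:2B", "4711", "99"):
        print(serial, "->", revocation_status(serial, SAMPLE_CRL.issuer, SAMPLE_CRL, NOW))
    print("stale list ->", revocation_status("99", SAMPLE_CRL.issuer, SAMPLE_CRL, STALE_TIME))
```

The three-valued result is the point: browsers and mail clients that import the list, as described in the next section, only get a reliable “not revoked” answer while the list is current, which is why the page stresses that it is updated automatically.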
How to install the Certificate Revocation List
In your browser, go to the website of the Certificate Revocation List and install the list. Your browser will then recognize revoked or unknown certificates. The list is updated automatically.
To import the list into your certificate application, click on the revocation list shown on the page. This page also lets you import not only the revocation list for the “Global” security level but also the one for the “Basic” level.
For further advice and screenshots, go to the revocation list website and see its collection of links to further documents.
Contact
The Certification Authority is located in our building at Hermann-Herder-Str. 10.
For more contact information, please read here.