Electronic Signature - Public Key Infrastructure (PKI)
From 11.08.2022: No more video identity checks as part of the certificate application process
Since 01.02.2020, all TUD employees can create user certificates via EVAZERT using the Self Service Portal.
Creation via EVAZERT is generally recommended because it is easy to use and paperless. With EVAZERT you can manage your certificates yourself in the self-service portal.
This service is not available for UKD employees.
Certificates for guest and function logins and server certificates can still only be created via the DFN-PKI.
General
Since 1 February 2017, DFN has been issuing certificates based on the root certificate "T-TeleSec GlobalRoot Class 2".
The address to be used: https://pki.pca.dfn.de/tu-dresden-g2-ca/cgi-bin/pub/pki
Since July 2006, the ZIH has been taking part in the PKI (Public Key Infrastructure) of the German Science Network as a registration authority and issues advanced certificates based on the X.509 standard. The certification rules of the DFN-PKI for the global security level apply.
User certificates
User certificates offer you many fields of application at a high security level. They are used, for example, for the digital signature or the encryption of e-mails. The validity period is 36 months.
You can find the necessary information here:
- Information about user certificates
- Basic configuration of e-mail clients for the use of DFN PKI certificates
- Configuration of e-mail clients for the automatic installation of certificates of the DFN PKI LDAP directory service
- Configuration of e-mail clients for the digital signing of e-mails
- Recommended alternative to Adobe
- Signing PDF under Linux (Okular)
- Configuration of e-mail clients for the encryption of e-mails
Application for certificates
Via the sites of the TU Dresden CA, users can apply for server certificates, revoke certificates or search for them. When applying for a certificate, please fill in the web form completely and follow the instructions in your browser. Print out your certificate application afterwards and have it certified at the ZIH user helpdesk. You need to show a valid ID card. Generally, you will receive your certificate within a few working days via e-mail from the DFN-CERT.
Please mind the following:
- User certificates can only be certified for e-mail addresses within the domain 'tu-dresden.de'. Users from the TU Dresden are able to choose the branch they belong to under <branch> in the web form.
- Apply for a group certificate when a functional e-mail address is to be certified. In that case enter, for example, sekretariat-institut@tu-dresden.de in the field "E-Mail" and the function in the field "Name" in the form "GRP:Sekretariat-Institut". Only the registered contact person (with valid identity check) can apply for such a group certificate for the respective login.
- Authentication:
  - ask your local admin
  - centrally: at the Service Desk
- An identity authentication is valid for 39 months.
- For server certificates, the PKCS#10 certificate request (.PEM file) has to be created by the server admin and embedded in the application. Only certificates with a fully qualified DNS name under "CN=" that are located in the TU Dresden IP address space (141.30.0.0 and 141.76.0.0) will be certified. A configuration file that makes it easier to create the certificate request with OpenSSL is available here.
  Info from DFN: "In the course of 27 August 2020, the DFN-PKI will adjust the configuration so that newly issued server certificates have a validity period of 397 days. The 397 days are a SHOULD rule of the CA/Browser Forum".
- Only original applications will be accepted.
- First applications will only be accepted in conjunction with the personally signed print out after the authentication.
- Follow-up applications can be signed with a valid digital signature and transmitted electronically to the Service Desk, provided that the identity is authenticated. Hand-signed applications will only be processed when the original print-out is handed in.
- Applications for certificates are valid for 6 months. It is not possible to process any application arriving outside this time limit.
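For the server-certificate item above, an added example (not ZIH or DFN tooling) that creates a PKCS#10 request with OpenSSL and checks the CN and the server address before the PEM is pasted into the web form. It assumes the two networks named on the page are /16 ranges; the host name, address, key size and CN-only subject are this example's constructed choices, and the subject attributes the CA expects are not shown.

```shell
#!/bin/sh
# Added example, not the ZIH's or DFN's tooling. Assumption: the two networks
# named on the page are /16 ranges (141.30.0.0/16 and 141.76.0.0/16).

# make_csr FQDN KEYFILE CSRFILE: new RSA key and PKCS#10 request, both PEM.
# Key size and the CN-only subject are this example's choices.
make_csr() {
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null && chmod 600 "$2"
}

# csr_cn CSRFILE: check the request's self-signature, then print its CN.
csr_cn() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# is_fqdn NAME: two or more labels, no wildcard, no bare host name.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# in_tud_space IPV4: dotted quad inside one of the two assumed /16 ranges.
in_tud_space() {
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^141\.(30|76)\.$octet\.$octet\$"
}

# check_request CSRFILE IPV4: run all checks before submitting the request.
check_request() {
    cn=$(csr_cn "$1") || { echo "CSR unreadable or signature invalid"; return 1; }
    is_fqdn "$cn" || { echo "CN '$cn' is not fully qualified"; return 1; }
    in_tud_space "$2" || { echo "$2 is outside the assumed ranges"; return 1; }
    echo "OK: CN=$cn at $2"
}

# Constructed sample values: host name and address are placeholders.
tmp=$(mktemp -d)
make_csr www.example.tu-dresden.de "$tmp/server.key" "$tmp/server.csr"
check_request "$tmp/server.csr" 141.30.0.10
rm -rf "$tmp"
```

The private key file never leaves the server; only the `.csr` file goes into the application.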
Certificate Renewal
Important note: Please keep your old certificate, otherwise all data encrypted with it, e.g. e-mails, will no longer be readable!
In order to continue using all applications and services that are based on this certificate, you must apply for a new certificate:
1. For personal identification when renewing a digital certificate, please see one of the following IT contact persons:
IT contact person | Structural unit | Contact
Mr. Marco Barthel | Dean's Office Faculty of Business and Economics | Tel.: +49 351 463 32843
Dr. Matthias Lohse | Head of Faculty of Economics Computing Laboratory | Tel.: +49 351 463 32792
Mr. Andreas Matthus | Dean's Office Faculty of Architecture | Tel.: +49 351 463 33909
Mr. Daniel Henzen | Dean's Office Faculty of Environmental Sciences | Tel.: +49 351 463 39275 / +49 351 463 31303
Mr. Andreas Gläser | IT Service Team Central University Administration / University Executive Board | Tel.: +49 351 463 35457
Mr. Christian Nitsch | IT Service Team Central University Administration / University Executive Board | Tel.: +49 351 463 32131
Mr. Michael Wilengowski | IT Service Team Central University Administration / University Executive Board | Tel.: +49 351 463 39102
2. You will receive a letter with the PIN for the renewal of your certificate. For personal identification, please bring a valid official identification document (identity card or passport) with you.
3. Please use the PIN when applying for a digital certificate via application form in the Self Service Portal.
If your last personal identification by a person authorised to verify your identity was not more than 39 months ago, please proceed using the instructions described under 3. and use the PIN that you received in the latest letter. If you do not have your PIN anymore, proceed as described in steps 1 to 3.
You can view the status of your identity check in the Self Service Portal under Profile in the "Master Data" section.
Important note: Please keep your old certificate, otherwise all encrypted data, such as emails, will no longer be readable!
In order to continue using all applications and services that are based on this certificate, you must apply for a new certificate:
1. Open the website
https://pki.pca.dfn.de/tu-dresden-g2-ca/pub
2. Apply for a new certificate via the website as for the initial application and print out the generated certificate application. If you need further information, you will find a user guide under the menu item "Help".
3. Sign the certificate application and submit it personally to the Service Desk or to your authorised administrator.
In the case of renewal of a user certificate, your last personal identification by the subscriber service must not be older than 39 months. In the Self Service Portal, you can view the status of your identity check under Profile in the "Account information" section:
- "Identity verified" = "No":
Submit the application form personally to the Service Desk or to your authorised administrator. The administrator will then identify you again on the basis of your valid ID document.
- "Identity verified" = "Yes, ...":
Submit the application directly to the Service Desk (digitally signed by email or manually signed by in-house mail/in person).
In any case, your new certificate will be sent to you by email.
Important note: Please keep your old certificate, otherwise all encrypted data, such as emails, will no longer be readable!
FAQ
Further Information: PKI FAQ.
Links to DFN-PKI
Here you will find all information on certification within the new DFN-PKI certification hierarchies:
- Information about DFN-PKI
- Information about the TU Dresden CA
- Retrieval of certificates issued until January 31st 2017
- Retrieval of certificates issued from February 1st 2017