Introduction to digital certificates
A digital certificate is part of a cryptographic procedure for identifying a person electronically. It uses a digital cryptographic signature to bind a public key to an identity, that is, information such as the owner's name and the organization they belong to. With the help of a digital certificate you can sign emails or log in to a portal, provided the email program or the portal is certificate-aware.
Our certificates consist of a public and a private part. With the public key, everyone can encrypt data for the owner of the private key, verify the owner's signatures and authenticate them. The private key enables its owner to create digital signatures, prove their identity and decrypt data that has been encrypted for them. Usually the public key is published after creation, e.g. on a key server.
Since anyone can create key pairs with almost any content, one more component is needed to guarantee the identity of the key owner. Therefore the owner's public key is signed by a so-called Certificate Authority (CA). The corresponding Registration Authority (RA) verifies the identity of the owner, e.g. by checking the owner's identity card. The CA's electronic signature can in turn be checked with the CA's public key. The authenticity of the CA is established by the signature of the next higher CA, and so on until one reaches the topmost root certificate. If one trusts the provider of the root certificate as well as the chain of certificates, one can identify a person electronically. This chain of certificates is also called the "chain of trust".
Please protect your private keys
If someone else gets hold of your private key, they can write emails signed with your name or log in to your accounts on portals and servers. It is therefore vitally important to protect your private key as well as you can.
For one thing, use a good password to protect the keystore, the location where your keys are stored. Without your password nobody can extract your keys from the keystore.
Store your private key in a safe location, e.g. on your personal USB stick or, better still, on a crypto stick. Public home directories served by Unix NFS or Windows Active Directory servers are not suitable places for a certificate. Unfortunately it is sometimes necessary to store a certificate in a less secure location: if, for example, you use our pool computers and store your certificate in the Firefox keystore, it ends up on our NFS home server (Linux pools) or on our Active Directory server (Windows pools). In that case it is all the more important to protect the keystore with a good password.
If your certificate is compromised despite all precautions, it can be revoked. Usually this is done at the same place where you applied for the certificate. All deactivated certificates are published by the certificate authority in so-called Certificate Revocation Lists (CRLs). All properly configured systems (e.g. email programs, portal servers, login servers) consult the CRLs when checking certificates.
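The chain of trust and the CRL check described above, as an added example built with the openssl command-line tool; it is not part of this kiz page and has nothing to do with the DFN infrastructure. The CA name, the user "Alice Example" and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the kiz page: a miniature chain of trust and a
# revocation list built with the openssl CLI. All names and subjects are
# constructed; nothing here is issued by the DFN PKI.
set -e

# Create a self-signed root (the trust anchor) and sign one user certificate
# with it. A real RA would check the applicant's identity before signing.
build_chain() {
  WORK="$1"; mkdir -p "$WORK"; cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Alice Example" -keyout alice.key -out alice.csr 2>/dev/null
  openssl x509 -req -in alice.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 90 -sha256 -out alice.crt 2>/dev/null
  # Minimal CA database so the root can record revocations and issue a CRL.
  touch index.txt; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null  # empty CRL
}

# Mark the user certificate as revoked and publish a fresh CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}

# What a properly configured mail client or login server does: follow the
# signatures up to the trusted root AND consult the CRL. Exit 0 = accepted.
verify_leaf() {
  openssl verify -crl_check -CAfile root.crt -CRLfile root.crl alice.crt
}

build_chain "$(mktemp -d)"
verify_leaf && echo "accepted before revocation"
revoke_leaf
verify_leaf || echo "rejected after revocation"
```

The same leaf certificate passes before revocation and is rejected with "certificate revoked" afterwards, which is exactly the difference a CRL-aware program makes.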
Losing your private key or forgetting the keystore password immediately means losing all files and emails that have been encrypted with your public key. Therefore you should definitely make a backup of your private and public key (preferably in PKCS#12 format, file extension .p12) as soon as you have imported your signed public key.
We issue DFN Global and Grid certificates
Within the DFN (Deutsches Forschungsnetz) infrastructure our registration authority issues certificates of the types "Global" and "Grid". Please note that signatures made with these certificates are NOT legally binding.
Global certificates are valid for 3 years and are usually used for signing emails. Their advantage is that their certificate chain is available in most modern browsers and email programs, so the identity of an email sender can usually be checked automatically.
The certificate chain of the DFN Global certificates originates from the root certificate "Deutsche Telekom Root CA 2". If you want to apply for a Global certificate, please read our documentation at "DFN Global Certificates".
In contrast, the certificate chain of the DFN Grid certificates is not shipped with any browser or email program; the user has to import it manually into each program. Grid certificates are valid for one year only and are used exclusively in the context of Grid and High-Performance Computing (HPC). If you want to apply for a Grid certificate, please read our documentation at "DFN Grid Certificates".