
Registration Authority (RA) of TUB-CA

The trustcenter of TU Berlin takes care of the tasks of a signed registration authority (RA) for TUB-CA and TUB e-mail CA. This especially includes the authentication of participants. (Currently no other RAs for TUB-CA are planned.)


Since the introduction of the TU campus card, certificates for secured e-mail are no longer provided separately, because the keys and certificates stored on the card are used.

From version 7 of MS IE and version 3 of Mozilla Firefox, the certificates of the registration authorities subordinate to TUB-CA are preinstalled, so that our new certificates can be installed without callback. For use with older or other browsers, you can import the subordinate certificates from our public PKI server by selecting the tab "CA-Zertifikate".

If your browser does not allow a TLS connection, you can download the certificates using an unsecured connection:

  • Root Certificate
  • DFN-PCA Certificate
  • TUB-CA Certificate
  • Certificate Chain

Search Certificates

For validation or encrypted communication, you require the certificate of the communication partner. The public PKI portal of TUB-CA allows you to look for published certificates of PKI participants by entering their name or e-mail address.

Look for certificates now: https://pki.pca.dfn.de/tu-berlin-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=search_cert;id=1;menu_item=3&RA_ID=0

This service is only available for TLS/SSL Server Certificates issued by TUB-CA.

Blacklists (CRLs) and Revocation (Call-Back) of Certificates of TUB-CA

If you need to revoke (call back) your certificate because it has been compromised or because you have lost your private key, you can use the public PKI portal of TUB-CA. You need the call-back PIN to do so.

The public PKI portal also gives access to the blacklists.

Instructions for Server Certificates

Step 1: Introduction

With a server certificate, your server is certified by a trustworthy authority. This allows users to validate the authenticity of the server unambiguously. The trustcenter of Technische Universität Berlin provides TLS certification of servers for all administrators of TU departments.

Step 2: Preparation

TLS certificates are issued by TUB-CA based on the certification policies of DFN and TUB. You can find both policies on the public PKI server of TUB using the menu option "Policies". Please read the policies carefully. The certification policies and the requirements for certificate users described there contain statements about the quality of the issued certificates.

Step 3: Creation of a Key Pair and Creation of a Certificate Signing Request (CSR)

You have to create a key pair for your server yourself. The key length has to be at least 2048 bits (RSA). The public key of the key pair is submitted to TUB-CA for certification in a so-called signing request.

These rules apply to the choice of the complete server name (distinguished name, DN):


  • Certificates for www servers have to contain a distinct host name in the attribute "cn=".
  • This attribute may not contain wildcards or numeric IP addresses.
  • The optional attribute "email=" should contain a valid, function-related e-mail address such as the server administrator's address.
  • For servers in the area of TUB-CA the name is:

c=DE,st=Berlin,l=Berlin,o=Technische Universitaet Berlin,
cn=<complete computer name>,
email=<E-Mail-Address of Server-Admin>

For Windows servers, we recommend using the wizard (Internet Service Manager) to create the signing request.

For all other systems, we recommend the tool OpenSSL.

Instructions for the use of OpenSSL within DFN-PKI (Source: DFN e.V.)
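
The rules of step 3 as an added shell example, not taken from the TUB-CA page or the DFN instructions: it checks the cn= value against the wildcard and IP-address rules, builds the subject from the DN template above, and calls OpenSSL to create an RSA key of at least 2048 bits and the CSR. The host name and e-mail address in the usage line are constructed sample values, and reading "complete computer name" as a name with at least one dot is an assumption.

```shell
#!/bin/sh
# Added example (not from the TUB-CA page): key pair + CSR following the DN rules above.
# Usage: sh make_csr.sh server1.example.org admin@example.org   (constructed sample values)

# Enforce the page's cn= rules: no wildcard, no numeric IP address.
# Assumption: "complete computer name" means a fully qualified host name with a dot.
valid_cn() {
    case "$1" in
        ''|*'*'*) return 1 ;;      # empty or wildcard
        *:*)      return 1 ;;      # IPv6 literal
        *[!0-9.]*) ;;              # has a non-digit, non-dot character: not an IPv4 address
        *)        return 1 ;;      # digits and dots only: numeric IPv4 address
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;   # characters or dots no host name has
        *.*) return 0 ;;
        *)   return 1 ;;           # single label, not a complete name
    esac
}

# Print the subject in openssl's -subj syntax, using the DN template from the page.
tub_subject() {
    valid_cn "$1" || return 1
    printf '/C=DE/ST=Berlin/L=Berlin/O=Technische Universitaet Berlin/CN=%s' "$1"
    [ -n "${2:-}" ] && printf '/emailAddress=%s' "$2"   # optional email= attribute
    return 0
}

# make_csr <host name> [e-mail] [RSA bits]; writes <host>.key and <host>.csr
make_csr() {
    bits=${3:-2048}
    [ "$bits" -ge 2048 ] || { echo "RSA key must be at least 2048 bit" >&2; return 1; }
    subj=$(tub_subject "$1" "${2:-}") || { echo "cn= rejected: $1" >&2; return 1; }
    # umask in a subshell: the unencrypted private key is readable by its owner only.
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -nodes \
          -keyout "$1.key" -out "$1.csr" -subj "$subj" ) || return 1
    # Check the self-signature and show the subject that will be submitted to the CA.
    openssl req -in "$1.csr" -noout -verify -subject
}

if [ "$#" -ge 1 ]; then make_csr "$@"; fi
```

The .csr file is what is submitted in step 4; the .key file never leaves the server.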

Step 4: Requesting a New Certificate at TUB-CA

The public PKI server of TUB-CA provides all important features related to certification. Here you can submit your certificate signing request by uploading the request file created in step 3.

Public PKI-Server

As a second step, sign the participation agreement printed out during the request procedure and present it to the registration authority of TUB-CA in person. Please bring an ID and an accreditation letter from your institute identifying you as server administrator.

Appointment via phone: 314-24383 or 314-24229
tubIT, Technische Universität Berlin
Einsteinufer 17
10587 Berlin

Step 5: Add the certificate and private key to your server

After your signing request has been processed, TUB-CA will send a notification e-mail with your certificate as an attachment. The file containing the certificate has to be installed in the run-time environment of your server.

For Windows Server, we recommend using the wizard (administrative tools, Internet Service Manager) for the installation of the certificate.

Instructions for OpenSSL (RRZN of Uni-Hannover)

Alternatively, Uni Freiburg provides instructions for the request creation using the Java keytool: Instructions for Java Keytool (Uni Freiburg).

Certification Policies and Explanations about Signing Operations

A certification policy (CP) defines the rules which one or multiple certification authorities comply with. The certification authority of Technische Universität Berlin formulates its certification policy in a way that the „Zertifizierungsrichtlinie der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“ (certification policy of the public key infrastructure of the German Research Network - global, classic, basic) is applied.
A statement about the certification practice describes the methods which are employed to apply the terms of a certification policy. The certification authority of TU Berlin complies with the „Erklärung zum Zertifizierungsbetrieb der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“.

The content of both documents is extended with TUB-CA's own specifications by the „Erklärung zum Zertifizierungsbetrieb der TUB-CA in der DFN-PKI“ (statement about the certification practice of TUB-CA in DFN-PKI).


Certification Policy of DFN-PKI - Security Levels: Global, Classic, Basic -

Statement about the Certification Practice of the highest Certification Authority of DFN-PKI - Security Levels: Global, Classic, Basic

Statement about the Certification Practice of TUB-CA in DFN-PKI -
Security Level: Global
