Information and Instructions about Certificates
- Registration Authority (RA) of TUB-CA
- Search Certificates
- Blacklists (CRLs) and Call-Back of Certificates of TUB-CA
- Instructions for Server Certificates
- Certification Policies and Explanations about Signing Operations
- Request of a User/Server Certificate of Grid-CA of DFN-PKI
Registration Authority (RA) of TUB-CA
The trustcenter of TU Berlin takes care of the tasks of a signed registration authority (RA) for TUB-CA and TUB e-mail CA. This especially includes the authentication of participants. (Currently no other RAs for TUB-CA are planned.)
Since the introduction of the TU campus card, certificates for secured e-mails are no longer provided separately, because the keys and certificates stored on the card are used instead.
From version 7 of MS IE and version 3 of Mozilla Firefox, the certificates of the registration authorities subordinate to TUB-CA are preinstalled so that our new certificates can be installed without callback. For use with older or other browsers you can import the subordinate certificates using our public PKI Server by selecting the tab "CA-Zertifikate".
If your browser does not allow a TLS connection, you can download the certificates using an unsecured connection:
Root Certificate 
DFN-PCA Certificate 
TUB-CA Certificate 
Certificate Chain 
Search Certificates
For validation or encrypted communication, you require the certificate of the communication partner. The public PKI portal of TUB-CA allows you to look for published certificates of PKI participants by entering their name or e-mail address.
Look for certificates now: https://pki.pca.dfn.de/tu-berlin-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=search_cert;id=1;menu_item=3&RA_ID=0
This service is only available for TLS/SSL Server Certificates issued by TUB-CA.
Blacklists (CRLs) and Call-Back of Certificates of TUB-CA
If you need to call back (revoke) your certificate because it has been compromised or because you have lost your private key, you can use the public PKI portal of TUB-CA. You need the call-back PIN to do so.
The public PKI portal also gives access to the blacklists.
- Call-Back 
- Blacklists 
Instructions for Server Certificates
Step 1: Introduction
With a server certificate, your server is vouched for by a trustworthy authority. This allows users to validate the authenticity of the server unambiguously. The trustcenter of Technische Universität Berlin provides TLS certification of servers for all administrators of TU departments.
Step 2: Preparation
TLS certificates are issued by TUB-CA based on the certification policy of DFN and TUB. You can find both policies on the public PKI-Server of TUB using the menu option "Policies". Please read the policies carefully. The certification policies and the requirements for the certificate user described there contain statements about the quality of the issued certificates.
Step 3: Creation of a Key Pair and Creation of a Certificate Signing Request (CSR)
You have to create a key pair for your server yourself. The key length has to be at least 2048 bits (RSA). The public key of the key pair will be submitted to TUB-CA for certification within a so-called signing request.
These rules apply for the choice of the complete server name (distinguished name, DN):
- Certificates for www servers have to contain a distinct host name for the attribute "cn="
- This attribute may not contain wildcards or numeric IP addresses
- The optional attribute "email=" should contain a valid, function related e-mail address such as the server administrator's address.
- For servers in the area of TUB-CA the name is:
cn=<complete computer name>,
email=<E-Mail-Address of Server-Admin>
For Windows servers we recommend using the wizard (Internet Service Manager) for the creation of the signing request.
Instructions for the request generation with OpenSSL (RRZN of Uni-Hannover) 
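The Step 3 rules as an added shell example (not from TUB-CA or the linked RRZN instructions): it checks the server name against the rules above, then creates a 2048-bit RSA key pair and a CSR with OpenSSL. The function names and the www.example.org values are constructed, and the subject carries only the cn and e-mail attributes named above; the CA may require further attributes.

```shell
#!/bin/sh
# Added example (not TUB-CA's own script): enforce the Step 3 naming rules,
# then create a 2048-bit RSA key pair and a CSR with OpenSSL.

# check_cn NAME: succeed only if NAME is usable as cn= under the rules above.
check_cn() {
    case "$1" in
        ''|*'*'*) return 1 ;;            # empty, or contains a wildcard
    esac
    # Reject numeric IPv4 addresses and anything with ':' (IPv6 literals).
    if printf '%s\n' "$1" | grep -Eq '^[0-9.]+$|:'; then
        return 1
    fi
    # Assumption: "complete computer name" means a fully qualified DNS name.
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# make_csr HOST EMAIL OUTDIR: write OUTDIR/HOST.key and OUTDIR/HOST.csr.
make_csr() {
    host=$1 email=$2 outdir=$3
    check_cn "$host" || { echo "cn rejected: $host" >&2; return 1; }
    (
        umask 077    # private key readable by its owner only
        # -nodes leaves the key unencrypted so the server can start unattended.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
            -subj "/CN=$host/emailAddress=$email"
    )
}

# csr_bits FILE: print the public key length stated in the CSR.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Constructed sample values; replace with your own server name and address:
# make_csr www.example.org webmaster@example.org . && csr_bits www.example.org.csr
```

Only the .csr file is submitted in Step 4; the .key file stays on the server.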
Step 4: Requesting a New Certificate at TUB-CA
The public PKI server of TUB-CA provides all important features related to certification. Here you can submit your certificate signing request by uploading the request file created in step 3.
Public PKI-Server 
Appointment via phone: 314-24383 or 314-24229
E-Mail: email@example.com 
tubIT, Technische Universität Berlin
Step 5: Add the certificate and private key to your server
After your signing request has been processed, TUB-CA will send a notification e-mail with your certificate as an attachment. The file containing the certificate has to be installed in the run-time environment of your server.
For Windows Server we recommend using the wizard (administrative tools, internet service manager) for the installation of the certificate.
Instructions for OpenSSL (RRZN of Uni-Hannover)
Alternatively, Uni Freiburg provides instructions for the request creation using the Java keytool: Instructions for Java Keytool (Uni Freiburg).
Certification Policies and Explanations about Signing Operations
A certification policy (CP) defines the rules which one or multiple certification authorities comply with. The certification authority of Technische Universität Berlin formulates its certification policy in a way that the „Zertifizierungsrichtlinie der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“ (certification policy of the public key infrastructure of the German Research Network - global, classic, basic) is applied.
A statement about the certification practice describes the methods which are employed to apply the terms of a certification policy. The certification authority of TU Berlin complies with the „Erklärung zum Zertifizierungsbetrieb der Public Key Infrastruktur im Deutschen Forschungsnetz – Global, Classic, Basic“.
The content of both documents is supplemented with TUB-CA's own specifications by the „Erklärung zum Zertifizierungsbetrieb der TUB-CA in der DFN-PKI“ (statement about the certification practice of TUB-CA in DFN-PKI).
Certification Policy of DFN-PKI - Security Levels: Global, Classic, Basic
Statement about the Certification Practice of the highest Certification Authority of DFN-PKI - Security Levels: Global, Classic, Basic
Statement about the Certification Practice of TUB-CA in DFN-PKI - Security Level: Global
Request of a User/Server Certificate of Grid-CA of DFN-PKI
The trustcenter of TU also functions as a registration authority (RA) of Grid-CA within DFN-PKI. Grid certificates of DFN-PKI can be requested for:
- TUB employees with a provisioned tubIT account
- Servers in the TU network
Please read the policies of DFN Grid-CA on their website before submitting a request.
Requesting user certificates: Go to the website of Grid-RA
The web interface provided by DFN will help you create a key pair and a participation document. You will have to complete and sign the form and present it together with your personal ID/passport/campus card at the registration authority in the trustcenter (E-N 007, ph. 24383). If everything is correct, the Grid-RA will initiate the certification of your public key. The issued certificate will be sent to you via e-mail. The installation of the certificate in the browser used to create the key pair is explained in the e-mail.
If you need the private key outside this browser too, please proceed as follows:
- export the certificate including the private key into a file in PKCS#12 format, e.g. "certkey.p12" - depending on the export feature of the browser used, this can be done automatically
- extract the key with a suitable tool such as
openssl pkcs12 -in certkey.p12 -nocerts -out key.pem
Now the private key is available in the file key.pem. OpenSSL asks for the import password of the PKCS#12 file and then for a pass phrase that protects key.pem.
Request of server certificates: Go to the website of Grid-RA.
Now proceed as described in the instructions for server certificates.
Deviating from these instructions, choose the distinguished name of the server as follows:
- OU=Technische Universitaet Berlin
- [OU=(Organisational Unit)]
- CN=(fully qualified server name)
- EMail=(E-Mail address of the administrator)
Attributes in square brackets [..]
The completed and signed participation agreement has to be presented at the registration authority together with a campus card/personal ID/passport (E-N 007, ph. 24383).
If everything is correct, Grid-CA will initiate the certification of your public key. The issued certificate will be sent to you via e-mail.
For the installation please follow the instructions provided in the e-mail.