Yesterday, August 15, 2023, the RA portal (ra-portal.itc.rwth-aachen.de) was additionally enabled for issuing user certificates in the GÉANT/TCS PKI. From August 30, 2023, new user certificates can no longer be requested via DFN-PKI Global, which will cease operation on that date. Until August 29, 2023, the two services will therefore run in parallel. Certificates issued via DFN-PKI Global until then remain valid until their own expiry date, at most three years after issuance. In this blog post you can find out which tasks now arise for IT administrators.
Which E-Mail Domain is in Question?
There are two types of e-mail domains for which user certificates can be requested via GÉANT/TCS (PKI):
For e-mail addresses in the domain @rwth-aachen.de, users can request their user certificates themselves in the RA portal. Each user's authorization for such an address is checked automatically against the Identity Management, so there is no need to appear in person for an identity check at the IT-ServiceDesk.
For institutional e-mail addresses, such as name@itc.rwth-aachen.de, the addresses must first be entered in the RA portal by the IT administrators of the respective institution; we have provided instructions for this on IT Center Help. Only after the address has been registered in the RA portal and the user has confirmed it can employees of RWTH Aachen University request their user certificate for it.
Functions in the RA Portal for IT Administrators
In the RA portal, the IT administrators of the institutions can also manage the user certificates for the e-mail addresses of their institution. This allows them to determine who may request a certificate for a functional mailbox, to trigger confirmation e-mails to new mailboxes, or to revoke certificates of employees who have left the institution.
To manage the e-mail addresses of one's own institution under the new RA portal tab “My e-mail domains”, one must belong to the primary contact group for the respective domain. The contact persons are listed in the NOC portal.
Changeover on the LDAP Server (ldappv.rwth-aachen.de)
Neither GÉANT/TCS nor DFN operate an LDAP server (address book) for GÉANT/TCS user certificates. Since RWTH Aachen University already runs its own LDAP server as a directory of persons, a separate branch for RWTH user certificates has been created there. The new LDAP branch
“o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,dc=de”
contains all currently valid user certificates.
The server ldappv.rwth-aachen.de is reachable only from within the RWTH network, and each search returns at most three results. You can search by common name, e-mail address or surname; all three fields are filled from the subject of the user certificate. Configuring this LDAP server as an address book in your own e-mail application lets you exchange encrypted e-mail without a prior handshake: the recipient's public key is taken from the certificate stored in the directory, so you no longer need to first receive a digitally signed e-mail from the recipient before replying with an encrypted one. The directory is only a lookup service; your mail client still checks the certificate's trust chain and validity period before encrypting to it.
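The following is an added example, not code from the IT Center or from the RA portal: helpers for querying the certificate branch described above from a script, as an alternative to a mail client's built-in address book. It escapes the user-supplied search term according to RFC 4515 so that a term like “*)(objectClass=*” cannot change the filter structure (the same injection concern applies to any self-written address-book lookup), issues the three-field search with a size limit matching the server's cap, and parses the LDIF that ldapsearch prints, decoding the base64-encoded certificate into DER bytes. The attribute names cn, mail, sn and userCertificate;binary are the standard inetOrgPerson names and are an assumption; the page only says that the three searchable fields are filled from the certificate subject. The sample LDIF at the bottom is constructed, not real directory data.

```python
"""Address-book lookup helpers for the RWTH GÉANT/TCS certificate branch on ldappv.

Added example, not IT Center code. Attribute names are the standard
inetOrgPerson names (assumption); the page does not name the attributes.
"""
import base64

LDAP_URI = "ldap://ldappv.rwth-aachen.de"        # reachable only from the RWTH network
BASE_DN = "o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,dc=de"
RESULT_LIMIT = 3                                  # the server returns at most three entries
ATTRS = ("cn", "mail", "sn", "userCertificate;binary")   # assumed attribute names

# RFC 4515 escapes; the backslash must be handled first so it is not re-escaped
_FILTER_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied search term so it cannot change the filter structure."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_filter(term: str) -> str:
    """Search the three exposed fields: substring on cn, exact mail, prefix on sn."""
    e = escape_filter_value(term.strip())
    return f"(|(cn=*{e}*)(mail={e})(sn={e}*))"


def ldapsearch_argv(term: str) -> list[str]:
    """argv for OpenLDAP ldapsearch: anonymous bind, plain LDIF, size limit like the server's."""
    return ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", BASE_DN,
            "-z", str(RESULT_LIMIT), build_filter(term), *ATTRS]


def parse_ldif(ldif: str) -> list[dict]:
    """Parse ldapsearch -LLL output: unfold continuation lines, decode '::' base64 values."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[dict] = []
    current: dict = {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):                # "attr:: <base64>" -> raw bytes (DER certificate)
            current[key] = base64.b64decode(rest[1:].strip())
        else:
            current[key] = rest.strip()
    return entries


def is_der_certificate(blob: bytes) -> bool:
    """Cheap sanity check: a DER-encoded X.509 certificate starts with a SEQUENCE tag (0x30)."""
    return blob[:1] == b"\x30"


def hit_result_limit(entries: list[dict]) -> bool:
    """True when the server's three-entry cap may have cut off matches: refine the search term."""
    return len(entries) >= RESULT_LIMIT


# Constructed sample output with two fake entries; not real data from the RWTH directory.
SAMPLE_LDIF = """\
dn: cn=Erika Mustermann,o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,
 dc=de
cn: Erika Mustermann
sn: Mustermann
mail: erika.mustermann@example.org
userCertificate;binary:: MIIBAgMEBQ==

dn: cn=Max Mustermann,o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,dc=de
cn: Max Mustermann
sn: Mustermann
mail: max.mustermann@example.org
userCertificate;binary:: MIIBAgMEBQ==
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("Mustermann")))
    for entry in parse_ldif(SAMPLE_LDIF):
        cert = entry["userCertificate;binary"]
        print(entry["mail"], "DER" if is_der_certificate(cert) else "not DER", len(cert), "bytes")
```

Run the printed ldapsearch command from inside the RWTH network to get real LDIF; the parser then yields the DER certificate bytes, which you can hand to openssl x509 -inform DER or to your S/MIME library. If hit_result_limit() is true, the three-entry cap may have hidden matches, so narrow the term (for example search the full e-mail address instead of a surname).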
Certificates issued via DFN-PKI Global
New applications for user certificates in DFN-PKI Global that are submitted at the IT-ServiceDesk at Seffenter Weg 23 by August 25, 2023, or at the SuperC by August 22, 2023, will still be processed and the certificates issued. All user certificates already issued via DFN-PKI Global remain valid beyond August 30 until their expiry date (three years after issuance).
What Else Do I Need to Know?
In PKI terminology, group certificates are user certificates that are requested by one person and used by all authorized users of a functional mailbox. Certificates for functional mailboxes are also requested via the RA portal:
- For functional mailboxes within an institution's own mail domain, the IT admins determine in the RA portal who may submit the request.
- For functional mailboxes under @rwth-aachen.de, the requesting person is authorized in the RA portal through their role as owner of the mailbox in RWTH's central e-mail system. All RWTH members can see an overview of their @rwth-aachen.de mailboxes in the Selfservice.
Code signing certificates are also affected by the changeover to GÉANT/TCS, although this concerns only a small number of users at RWTH. GÉANT/TCS issues code signing certificates only on hardware tokens. The affected users were informed about the changeover in March 2023, and a reminder was sent on July 24, 2023.
Grid certificates are not affected by the changeover, because the “DFN-PKI Grid” is not part of DFN-PKI Global.
If you have any questions or problems, our colleagues at the IT-ServiceDesk will be happy to help.
Responsible for the content of this article are Jelena Ćulum, Bernd Kohler, and Ekaterini Papachristou.
Great that it worked out with the LDAP server after all.
Hello Jakob,
thank you very much for your positive feedback!
Best regards
The IT Center Blog Team