RZG Registration Authority

Users of the Max Planck Computing and Data Facility can obtain client certificates issued by the DFN under two different policies, the Grid policy and/or Global (MPG CA) policy. Please refer to http://www.pki.dfn.de for further details (in german) about the public key infrastructures provided by the DFN-Verein, and http://ca.mpg.de for additional information about the MPG CA under the DFN Global PKI.

Purpose of Certificates:

Certificates are means for Authentication (AuthN) and as such can be used for Authorization (AuthZ). Based on the trustworthiness of the certificate issuer (Certificate Authority, CA), the certificate's identifier - the certificate's subject (DN) - is assumed to identify the corresponsing entity unambiguously. Such an entity can be a user (human), an agent (process) or a server which are administered by a human who are the certificate owner, i.e. only this person is allowed have access to the private key that complements the certificate. The certificate's subject (as the unique identifier, DN) is tied to the public key as an inherent part of the certificate.

Certificates are used for

  • email signing
  • email encryption:
    the GWDG DFN-ldap Wikipage provides details about how to configure the DFN ldap in your mail client, which is important if encrypted mails are sent to multiple mail recipients.
  • accessing services (that accept certificates for AuthN/AuthZ)

The role of the MPCDF Registration Authority (RZG RA) at the Max Planck Computing and Data Facility

    • to identify the requestor of a certificate by means of his/her valid national identity document
    • to check whether the identity of the user is consistent with the subject of the digital certificate signing request and the corresponding printed application form
    • to check the uniqueness and correctness of the subject (distinguished name) of the certificate in the name space assigned to the RZG RA
    • to confirm against the DFN CA that the identity of the requestor and the corresponding application has been verified
    • to support MPCDF users concerning the certificate request or revocation procedure and to provide advice concerning the DFN CA or MPG CA policies as well as the handling of user certificates, private keys, CA certificates and truststores.


Users of the MPCDF can apply for a personal DFN Grid or DFN Global certificate using the corresponding web interface:

Please note that actions of the RA officers are only triggered if they obtain a hand-signed printed application that corresponds to an electronically submitted certificate signing requests.

Therefore it is necessary to hand over the corresponding printed manually signed application form personally to one of the RA officers, particularly if the application is filed for the first time, if your personal ID card has expired since the last certificate application, or if your ID card has not been shown to the RA officer within the last 36 months.

In case of the renewal of a personal DFN Global certificate you can send the printed manually signed application form to the responsible RA officer via mail (eventually forwarded via the MPCDF secretariat) provided he/she has seen your ID card within the last 36 months.

Grid Certificates generally require a personal visit of the RA office.

The RZG RA officers currently accredited for DFN Grid certificates are:


The RZG RA officers accredited by the MPG CA for MPG CA / DFN Global certificates are:

    Dr. Johannes Reetz

    Max Planck Computing and Data Facility
    Giessenbachstr. 2
    D-85748 Garching
    Bldg D2 #315

    Tel:  089 3299-2199
    Fax.:089 3299-1301
    Andreas Schmidt

    Max Planck Computing and Data Facility
    Giessenbachstr. 2
    D-85748 Garching
    Bldg D2 #320

    Tel:  089 3299-1335
    Fax.:089 3299-1301


Description of the procedure for obtaining a user certificate

Please apply your x.509 user certificate using the electronic form via the website of the DFN Grid CA or for DFN Global CA, depending on what kind of certificate is needed. Please fill in the form using the tab "Zertifikatantrag für Nutzer".
After having filled the form and the checkboxes signed, you can commit the application. In the following a private/public keypair is created and the public key is submitted with your electronic application to the DFN CA. Your private key remains in your browser directory.

Please print out the application form after the electronic form has been submitted and fill in the requested details. Please sign the form.

  1. In order to get your application processed, please visit one of the contact persons for the corresponding CA in order to handover your signed application form.
    According to the DFN CA policies, the RA has to check the passport of the applicant, so please have your passport or ID card with you.
  2. After the certificate has been handed over, the RA officer will commit your application and you will get your certificate electronically sent within one day (usually).
  3. Your certificate is delivered via email. You will find a link in it. When clicking this link your certificate will be silently imported into your browser. This of course works only if you use the same browser that you used for creating your application.


Importing/Export user certificate

If you want to use your certificate (+private key) in other contexts that with your browser (e.g. eMail client, Globus middleware), or if you have to migrate your personal certificate from one browser to another, you can export your certificate with the corresponding private key alltogether into a keystore (typically in PKCS12 format, file extension is .p12).

This keystore can then be further processed (e.g.,the Java keytool or using openssl).


CA root certificates

Root certificates are self-signed certificates of the root authority and as such the fundament of trust of a PKI. The person who has a root certificate installed in his browser or email-Client is trusting that the CA can organisationally and practically make sure that the unique id, the certifcate subject, of an issued certicate remains unique within the PKI. The private keys must not be compromised by an unauthorized entity. The person is trusting also that the CA makes sure by organisational measures that the certificate holder are carefully identified and that their identy is unambiguously mapped to the certificate subject.

Document Actions