Applying for an S/MIME certificate

As a university employee it is possible to apply for a personal certificate of the DFN's "Global" safety level to sign and encrypt official emails (this does not apply to students!).

To obtain an S/MIME certificate (for email), the following steps are necessary: 

  1. The applicant must visit a special website of the DFN organisation (German research network).

    In some cases (e.g. for an Android <= version 4.4.) it may be necessary to apply for a certificate valid until 9.7.2019 at the latest. If so, please contact our IT-Service.

    Background: the root certificate "Deutsche Telekom Root CA 2", with which the DFN-PKI is being operated since 2007, will expire on the 9th July 2019. Therefore, all certificates issued in this certification hierarchy are only valid until the 9th July 2019.

    The new root certificate "T-TeleSec GlobalRoot Class 2" offered by the DFN-PKI for operation beyond the 9th July 2019 is already pre-installed in all relevant operating systems and browsers. The exception is Android <=4.4

    You can find more information in the DFN-PKI Blog.

  2. On this page, an application form mainly containing name fields and declarations of consent must be filled out.

3. Furthermore, in the website dialog a so-called "asymmetric" key pair is created in your web browser,

namely a "private key" and a "public key".

4. The application must be printed.

5. It must then be taken to the registration authority (RA) in the URZ IT service (Im Neuenheimer Feld 293, 69120 Heidelberg) and personally signed. The accompanying official photo ID must be valid for at least another two years.

6. After all the information has been successfully checked (especially whether the so-called fingerprint matches), the application is approved by the registration authority.

7.Shortly afterwards, the certificate will be sent to the applicant by the certification authority (CA) of the DFN organisation via email.

8. Now it only hast to be installed in the same web browser in which step 3 was conducted. To do so simply follow the instructions in the email.

9. Finally the certificate must be integrated into your email environment, which depends on the system being used.