Function certificates via DFN-PKI

Background information

Client certificates can also be requested for function addresses in the same way as user certificates.

This is useful, for example, if signed emails are to be sent from an email address such as leitung@einrichtung.tu-darmstadt.de.

The following explains the conditions under which this is possible and how the application process works.

The use of function certificates is subject to certain conditions:

Contact person

  • A contact person must be named for the application. This person is responsible for ensuring compliance with the terms of use as confirmed when the certificate is issued. This also includes, for example, the secure transfer of the certificate to third parties and any revocation.
  • The contact persons must be employees or members of TU Darmstadt.
  • Contact persons may only apply for certificates for addresses in domains for which they are registered as domain representatives.

Functional address

  • The addresses must be operated by the HRZ as part of the groupware service.
  • The display name of the certificate must be identical to the sender name of the address.

Key management

  • The HRZ does not provide support for securing the private key. The user is requested to choose a secure location for this (e.g. their personal network drive, the Hessenbox, or a private share).
  • The private key (.p12 file) must be passed on to third parties in a secure manner.
  • If a person to whom the certificate has been issued is no longer authorised to use it (e.g., due to a change of role), the certificate must be revoked and a new one issued.

No encryption

  • The HRZ does not offer support for encryption. If you encrypt data/emails, all encrypted content will be lost if the private key is lost. For business data, please also bear in mind that third parties cannot gain access to encrypted content. This can lead to problems, especially with functional mailboxes, if responsibility changes.

You can apply for and issue certificates for functional email addresses yourself. Please note that the certificate will only contain the email address and will not include any additional information such as a name or organisation.

1. Open the application page via this link: https://cm.harica.gr/

2. To request certificates for functional mailboxes, you must first create an account via “Sign Up”. Enter the email address of the functional mailbox under “Email address”.

3. After logging in with this account, you can manually request certificates under “Certificate Requests” → “Email”. Please select the “Email-only” type for your certificate.

4. Please note that the email address must be verified during the process. You will receive a confirmation email for this purpose.

5. Once your certificate is available, you will see your request on the overview page under “Ready Certificates”. To download the certificate, select “Enroll your Certificate”.

6. When creating the certificate, please observe the following instructions:

  • Select a key size of at least 3072 bits under “Key size”. Shorter key lengths are no longer permitted in accordance with the Transport Layer Security Richtlinie (TLS-RL).
  • The password will be used to secure your certificate file. Please choose a strong password and, ideally, store it in a password manager. If you lose either the password or the certificate file, you will need to request a new certificate.
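As an added example (not part of the HRZ page or of HARICA's tooling), a small POSIX shell check a domain representative can run on the downloaded .p12 before passing it on to third parties: it confirms that the key size meets the 3072-bit minimum from step 6, that the certificate carries the intended functional address, and that it has not expired. It assumes `openssl` is installed; the function name `check_p12` and the exit codes are this example's own.

```shell
# check_p12 FILE.p12 PASSWORD EXPECTED_EMAIL [MIN_BITS]  -> exit 0 only if all checks pass
check_p12() {
  p12=$1 pass=$2 want=$3 min_bits=${4:-3072}
  # Pull the end-entity certificate (without the private key) out of the PKCS#12 container.
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) \
    || { echo "cannot open $p12 (wrong password or corrupt file)"; return 1; }
  # Key length as printed by 'openssl x509 -text', e.g. "Public-Key: (3072 bit)".
  bits=$(printf '%s\n' "$cert" | openssl x509 -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
    || { echo "key size ${bits:-unknown} bits is below the $min_bits-bit minimum"; return 1; }
  # An email-only certificate carries the address in the Subject Alternative Name extension.
  san=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName \
        | grep -o 'email:[^, ]*' | cut -d: -f2)
  [ "$san" = "$want" ] || { echo "certificate is for '${san:-no address}', expected '$want'"; return 1; }
  # -checkend 0 fails as soon as the notAfter date has passed.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  echo "OK: $want, $bits-bit key"
}

# Stand-alone use: ./check_p12.sh leitung.p12 'p12-password' leitung@einrichtung.tu-darmstadt.de
if [ $# -ge 3 ]; then check_p12 "$@"; fi
```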