Function certificates via DFN-PKI

Change of provider for certificate issuance

Please note that since 10.01.2025, a new certificate provider called HARICA has replaced the previous provider Sectigo. We are currently updating the documentation and instructions on this site. Not all new processes have been finalised yet. We ask for your understanding that the update may therefore be somewhat delayed.

To request function certificates you first need to create an account via “Sign Up”. Please enter the email address for which you wish to request the certificate under “Email address” during the process.

After logging in with this account, function certificates can be requested under “Certificate Requests” → “Email”. Please select the type “Email-only” for your certificate.

Background information

Client certificates can also be requested for function addresses in the same way as user certificates.

This is useful, for example, if signed emails are to be sent from an email address such as leitung@einrichtung.tu-darmstadt.de.

The following explains the conditions under which this is possible and how the application process works.

The use of function certificates is subject to certain conditions:

Contact person

  • A contact person must be named for the application. This person is responsible for ensuring compliance with the terms of use as confirmed when the certificate is issued. This also includes, for example, the secure transfer to third parties and any revocation.
  • The contact persons must be employees or members of TU Darmstadt.
  • Contact persons may only apply for certificates for addresses in domains for which they are registered as domain representatives.

Functional address

  • The addresses must be operated by the HRZ as part of the groupware service.
  • The display name of the certificate must be identical to the sender name of the address.

Key management

  • The HRZ does not provide support for securing the private key. The user is requested to choose a secure location for this (e.g. their personal network drive, the Hessenbox or a private share).
  • The private key (.p12 file) must be passed on to third parties in a secure manner.
  • If a person to whom the certificate has been passed on is no longer authorised to use the certificate (e.g. due to a change of job), the certificate must be revoked and a new certificate issued and distributed.

No encryption

  • The HRZ does not offer support for encryption. If you encrypt data/emails, all encrypted content will be lost if the private key is lost. For business data, please also bear in mind that third parties cannot gain access to encrypted content. This can lead to problems, especially with functional mailboxes, if responsibility changes.

Issuance cannot currently be automated, as the e-mail address is not assigned to a single person as their primary sending address.

Instead, it is issued as follows:

  1. You fill out the form below and submit it.
  2. We will check whether all requirements have been met.
  3. You will then receive an invitation link to the desired function address.
  4. As an authorised person, click on the link in the e-mail. You will be redirected to a page for creating the certificate.
  5. There you will be guided through the same process as for creating user certificates.
  6. You can then configure the certificate in exactly the same way as described there (e.g. also in Outlook).
  7. If you want to use the certificate on several computers, it is your responsibility to transport it securely to the relevant end devices.
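Before the .p12 is passed on to colleagues (steps 6 and 7), it is worth confirming that the certificate really names the function address and the sender name required above, without ever exporting the private key. The following is an added shell example, not the HRZ's own tooling; it assumes OpenSSL 1.1.1 or later, and the file names, display name and address in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not HRZ tooling): verify that a function-certificate .p12
# was issued for the intended display name (CN) and mail address (SAN
# rfc822Name or subject emailAddress). Only the certificate is extracted;
# the private key never leaves the .p12. Assumes OpenSSL >= 1.1.1.

# check_function_cert P12 PASSWORD EXPECTED_DISPLAY_NAME EXPECTED_ADDRESS
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be opened.
check_function_cert() {
  p12="$1"; pass="$2"; want_cn="$3"; want_mail="$4"
  pem=$(mktemp) || return 2
  # -nokeys: export the certificate only, never the private key
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$pem" 2>/dev/null || { rm -f "$pem"; return 2; }
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt sep_multiline,utf8 |
       sed -n 's/^ *CN=//p')
  # Collect subjectAltName email entries plus any emailAddress RDN
  mails=$( { openssl x509 -in "$pem" -noout -text |
             sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
             sed -n 's/^ *email:\([^ ]*\).*$/\1/p';
             openssl x509 -in "$pem" -noout -subject -nameopt sep_multiline |
             sed -n 's/^ *emailAddress=//p'; } )
  rm -f "$pem"
  if [ "$cn" != "$want_cn" ]; then
    echo "display name mismatch: certificate has '$cn', expected '$want_cn'" >&2
    return 1
  fi
  if ! printf '%s\n' "$mails" | grep -Fxq "$want_mail"; then
    echo "address mismatch: certificate lists '$mails', expected '$want_mail'" >&2
    return 1
  fi
  return 0
}

# make_sample_p12 OUTFILE DISPLAY_NAME ADDRESS PASSWORD
# Builds a constructed self-signed certificate for testing the check only;
# a real function certificate is issued by the CA via the invitation link.
make_sample_p12() {
  out="$1"; cn="$2"; mail="$3"; pass="$4"
  dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -addext "subjectAltName=email:$mail" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$out" -passout "pass:$pass" 2>/dev/null || return 1
  rm -rf "$dir"
}
```

Run it as `check_function_cert leitung.p12 "$PASSWORD" "Leitung Einrichtung" leitung@einrichtung.tu-darmstadt.de`; a non-zero exit means the certificate should not be distributed.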