Request and pick up Grid certificates (IGTF)

Requirements

  1. The identity of the user must have already been verified in a manner that meets the strict requirements of the certification policy for “GÉANT eScience Personal Certificates”.

  2. Unlike the normal “GÉANT Personal Certificates”, it is therefore mandatory that an ID check has taken place and this must be known to the WWU IT portal. This is the case for

    • Persons who have previously received a personal digital ID “Global” in the WWU IT portal,

    • Persons for whom a personal ID check by authorized persons has been entered in the WWU IT portal.

  3. In addition, the person must already be known to the Sectigo system under the email address WWU-ID@uni-muenster.de. (The WWU ID is the user name, login name or account name assigned to you by WWU IT.)

    This is exactly the case if the person has previously requested personal digital IDs (certificates) from GÉANT TCS in the WWU IT portal and has at least once selected exactly the email address WWU-ID@uni-muenster.de as the main email address.

    Of course, the person is also allowed to request (before and after) digital IDs with other main email addresses, for example, with the preferred email address.

Procedure

  1. Open in browser: https://cert-manager.com/customer/DFN/idp/clientgeant

  2. On the page “Find Your Institution”: Select Universität Münster

  3. On the page “Zentrales Shibboleth-Single-Sign-On der Westfälischen Wilhelms-Universität Münster”: Enter WWU ID (user name) and password

  4. On the page “Digital Certificate Enrollment”, select or enter:

    • Certificate Profile: GÉANT IGTF-MICS Personal (for persons) or GÉANT IGTF-MICS-Robot Personal (for robots)

    • Term: 365 days

    • Enrollment Method: Key Generation (or CSR, but then the following steps differ)

    • Key Type: RSA-4096 (depending on the desired security level and the technical limitations of the relevant systems)

      (Attention: The EC keys can only sign or enroll, but not encrypt.)

    • Password: The passphrase to use to protect the PKCS#12 file that will be downloaded later.

    • Password Confirmation: The same passphrase again

    • I have read and agree to the terms of the EULA: Check and confirm in the popup window

  5. After clicking Submit, wait patiently until the finished digital ID is offered for download as a PKCS#12 file

Contents of the certificate

The digital ID contains this subject:

domainComponent  = DC = org
domainComponent  = DC = terena
domainComponent  = DC = tcs
countryName      = C  = DE
organizationName = O  = Westfaelische Wilhelms-Universitaet Muenster
commonName       = CN = GGGGGGGG SSSSSSSS UUUUUUUU@uni-muenster.de

and this Subject Alternative Name:

email:EEEEEEEE@uni-muenster.de

Where:

GGGGGGGG = Given names as set in the WWU IT portal under “Personal data” | “Name”
SSSSSSSS = Surnames as set in the WWU IT portal under “Personal data” | “Name”
UUUUUUUU = WWU ID (user name)
EEEEEEEE = Preferred email name as set in the WWU IT portal under “E-mail” | “E-mail names”

The desired content must therefore be entered into the WWU IT portal in advance. It should be noted that it can take more than an hour for a change to arrive in the central Shibboleth single sign-on.

There is no way to have additional email addresses or other information entered into the certificate.
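Because the subject and SAN are derived solely from the portal data, it is worth checking the downloaded digital ID against that data before registering it with a VO or a grid-mapfile. The following script is an added example (not WWU IT's own tooling): it parses the subject as printed by the default `openssl x509 -noout -subject` output and the SAN line as printed by `openssl x509 -noout -ext subjectAltName`, compares them with the expected GGGGGGGG/SSSSSSSS/UUUUUUUU/EEEEEEEE values, and renders the slash-separated DN form used in grid-mapfiles. The sample names and WWU ID are constructed.

```python
from typing import List, Tuple

# Fixed part of the subject of a GEANT TCS IGTF-MICS personal certificate, as listed above.
EXPECTED_PREFIX = [("DC", "org"), ("DC", "terena"), ("DC", "tcs"), ("C", "DE"),
                   ("O", "Westfaelische Wilhelms-Universitaet Muenster")]

def parse_subject(line: str) -> List[Tuple[str, str]]:
    """Parse the default `openssl x509 -noout -subject` output
    ('subject=DC = org, DC = terena, ...') into ordered (type, value) pairs.
    Values containing ', ' or ' = ' would need escape-aware parsing; this DN has none."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):]
    pairs = []
    for rdn in body.split(", "):
        typ, sep, val = rdn.partition(" = ")
        if not sep or not typ.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip(), val.strip()))
    return pairs

def to_grid_dn(pairs: List[Tuple[str, str]]) -> str:
    """Render the subject in the slash-separated form used in grid-mapfiles and VO registrations."""
    return "".join(f"/{typ}={val}" for typ, val in pairs)

def check_certificate(subject_line: str, san_line: str,
                      given: str, surname: str, wwu_id: str, email_name: str) -> List[str]:
    """Compare the certificate's subject and SAN with the portal data they should reflect.
    Returns a list of problems; an empty list means the digital ID matches."""
    problems = []
    pairs = parse_subject(subject_line)
    if pairs[:-1] != EXPECTED_PREFIX:
        problems.append("DC/C/O part of the subject does not match the IGTF-MICS profile")
    want_cn = f"{given} {surname} {wwu_id}@uni-muenster.de"
    if pairs[-1] != ("CN", want_cn):
        problems.append(f"CN is {pairs[-1][1]!r}, expected {want_cn!r}")
    # SAN as printed by `openssl x509 -noout -ext subjectAltName`: 'email:EEEEEEEE@uni-muenster.de'
    emails = [e[len("email:"):] for e in san_line.strip().split(", ") if e.startswith("email:")]
    want_email = f"{email_name}@uni-muenster.de"
    if emails != [want_email]:
        problems.append(f"SAN emails {emails} != [{want_email!r}]")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the name and WWU ID below are hypothetical.
    subject = ("subject=DC = org, DC = terena, DC = tcs, C = DE, "
               "O = Westfaelische Wilhelms-Universitaet Muenster, "
               "CN = Erika Mustermann e_must01@uni-muenster.de")
    san = "email:erika.mustermann@uni-muenster.de"
    print(check_certificate(subject, san, "Erika", "Mustermann", "e_must01", "erika.mustermann"))  # []
    print(to_grid_dn(parse_subject(subject)))
```

If the check reports a CN or SAN mismatch, correct the name or e-mail name in the WWU IT portal, allow for the propagation delay to the Shibboleth single sign-on, and request a new digital ID; the certificate itself cannot be edited.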