Request for a personal certificate

As a member of an institution supplied by the WWUCA you may request a personal certificate.

This can be used for electronic signing and encrypting e-mails with S/MIME, but also to identify oneself to WWW applications, to computers, to other access control systems, and much more.

There are different methods for creating a key pair and for submitting the certification request to the WWUCA:

Please ensure that the key length is at least 2048 bits and that the name complies with the stringent requirements of the certification policies:

  • The attribute “C” (for Country) must contain the value “DE” exactly.

  • The attribute “ST” (for State) must contain the value “Nordrhein-Westfalen” exactly.

  • The attribute “L” (for Location) must contain the value “Muenster” exactly.

  • The attribute “O” (for Organization) must contain exactly one of the following values:
    Westfaelische Wilhelms-Universitaet Muenster
    Universitaetsklinikum Muenster
    Kunstakademie Muenster - Hochschule fuer Bildende Kuenste

  • The attribute “OU” (for Organizational Unit) may be omitted for central systems only. Otherwise it must be given and indicate the organizational unit. Do not use abbreviations unintelligible to third parties like “THK”, but correct names like “Klinik und Poliklinik fuer Thorax-, Herz- und Gefaesschirurgie”. Umlauts are to be written as ae/oe/ue/ss and the only permitted punctuation marks are “'()+,-./:=?”. Avoid abbreviations. In case of overlong names (more than 64 characters) clearly comprehensible abbreviations may be used.

  • The attribute “CN” (for Common Name) must contain your first and last name. People with multiple first names must write their calling name in full; the other first names may be written in full, abbreviated, or omitted. Titles (like “Dr.”) may be given only if contained in the identity documents. Here, too, the rules for umlauts, punctuation marks and length apply.

  • The attribute “emailAddress” must contain the preferred e-mail address. The part before the “@” must be written in correct case (addresses of the university and the academy of fine arts are always lowercase) and the part after the “@” must be written in lowercase only.

For example, a valid name would be:

O=Westfaelische Wilhelms-Universitaet Muenster
OU=Zentrum fuer Informationsverarbeitung
CN=Dr. Raimund Vogl
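
The naming rules above can be checked mechanically before a request is submitted. The following is an added example, not code from the WWUCA or the DFN-PKI; the function name check_subject, the central_system switch, the e-mail placeholder, and the assumption that ASCII letters, digits and spaces are allowed alongside the listed punctuation are all illustrative.

```python
import re

# Fixed values and organization names are copied from the rules above.
FIXED = {"C": "DE", "ST": "Nordrhein-Westfalen", "L": "Muenster"}
ORGANIZATIONS = {
    "Westfaelische Wilhelms-Universitaet Muenster",
    "Universitaetsklinikum Muenster",
    "Kunstakademie Muenster - Hochschule fuer Bildende Kuenste",
}
# Listed punctuation plus ASCII letters, digits, space (those are assumed).
NAME_CHARS = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]+")


def check_subject(subject, key_bits, central_system=False):
    """Return a list of rule violations; an empty list means the name passes."""
    errors = []
    if key_bits < 2048:
        errors.append("key length below 2048 bits")
    for attr, required in FIXED.items():
        if subject.get(attr) != required:
            errors.append(f"{attr} must be exactly {required!r}")
    if subject.get("O") not in ORGANIZATIONS:
        errors.append("O is not one of the permitted organization names")
    if not subject.get("OU") and not central_system:
        errors.append("OU is required")
    for attr in ("OU", "CN"):
        value = subject.get(attr, "")
        if value and not NAME_CHARS.fullmatch(value):
            errors.append(f"{attr} contains characters that are not permitted")
        if len(value) > 64:
            errors.append(f"{attr} is longer than 64 characters")
    # Heuristic for "first and last name": at least two words.
    if len(subject.get("CN", "").split()) < 2:
        errors.append("CN must contain first and last name")
    local, _, domain = subject.get("emailAddress", "").partition("@")
    if not (local and domain) or "@" in domain:
        errors.append("emailAddress is missing or malformed")
    elif domain != domain.lower():
        errors.append("emailAddress domain must be lowercase")
    return errors


# Constructed sample; the e-mail address is a placeholder.
SAMPLE = {
    "C": "DE", "ST": "Nordrhein-Westfalen", "L": "Muenster",
    "O": "Westfaelische Wilhelms-Universitaet Muenster",
    "OU": "Zentrum fuer Informationsverarbeitung",
    "CN": "Dr. Raimund Vogl", "emailAddress": "user@example.org",
}
```

Whether the part before the “@” is in the correct case, and whether a title appears in the identity documents, cannot be checked this way and still has to be verified by hand.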

Using the user portal MyZIV

This method is a service offered to you by the Zentrum für Informationsverarbeitung (not by the WWUCA) using an interface provided by the DFN-PKI.

In the user portal MyZIV, ZIV account owners belonging to the eligible group of persons can find a menu entry “Digital ID (certificate)” offering a comfortable way to generate a key pair and to submit a certification request.

With this method the private key is stored encrypted and well protected in the MyZIV system. Please specify a corresponding PIN so that even a system administrator cannot access your private key.

Here, too, you have to print an application form, sign it, and hand it in personally to a participant service staff member, proving your identity by showing your passport or identity card.

Using a WWW browser

With this method both generating the key pair and submitting the certification request are carried out in one step.

This method does not work with all browsers, especially not with Chrome! We recommend Mozilla Firefox or, as an alternative, Microsoft Internet Explorer.

For this method, please use a computer fully controlled by you, as with this method your private key is stored in the certificate storage of the browser.

Please first set up a master password in the security settings of your browser to avoid storing your private key in easily readable form.

Please go to the WWW pages of our certification server. There, under “Zertifikate”, go to “Nutzerzertifikat” and fill in the form.

On the next page review and confirm all data.

If you are using a smartcard (or eToken or other cryptographic device) and your browser has the necessary drivers, then you are now asked what device should be used for generating the key pair.

Then the browser (or the smartcard) generates a new key pair and transmits the public key and your personal data to the certification server. The private key is kept locally in the browser (or in the smartcard).

Thereafter you have to print an application form, sign it, and hand it in personally to a participant service staff member, proving your identity by showing your passport or identity card.

Manually with OpenSSL or other software

When using this—otherwise very cumbersome—method you do not have to entrust your private key to a WWW browser or to the MyZIV system.

This method works exactly the same way as requesting a server certificate.

Please observe these differences:

  • The attribute “CN” (for Common Name) must not contain a fully qualified domain name but your name.

  • The attribute “emailAddress” must be given.

  • When submitting the request on the “Serverzertifikat” page please select the certificate profile (Zertifikatprofil) “User”.