GRID-Zertifikate

Please note: members of the LMU please contact dfn-lmu-ra@lists.physik.uni-muenchen.de first.

GRID certificates are server certificates or personal certificates, but they belong to their own infrastructure. They have the following key scopes:

digitalSignature
keyEncipherment

and the enhanced key scopes

clientAuth
emailProtection

GRID certificates are the only personal certificates which the LRZ is permitted to issue to persons outside the BAdW.

The name space is as follows:

C=DE
O=GridGermany
The OU depends on the institution you belong to: Leibniz Rechenzentrum, Technische Universitaet Muenchen or Ludwig-Maximilians-Universitaet Muenchen. Another OU for your department / faculty is possible.
The CN is you first and family name (in case of a user certificate) or the server name (in case of a server certificate).

Please note: In GRID, neither group- nor pseudonym certificates are allowed. The SubjectDN must not contain "pseudonym", "GN" or "SN" as attributes. The CN must not start with "GRP:", "GRP -", "PN:" or "PN ". However, robot certificates are possible. The CN may start with "Robot:" or "Robot-".

You can request a GRID certificate here: https://pki.pca.dfn.de/dfn-pki/grid-root-ca/101

The page Request server certificate, for example, looks like this:

After filling out the form, klick on Next:

If you klick on Save certificate application data file, you are prompted for a password:

You can find additional information here: https://www.lrz.de/services/compute/grid_en/certificate_en/person-certificate_en/

in the DFN CERT policies: https://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_grid-cps_v16.pdf

and on the DFN GRID home page: https://www.pki.dfn.de/grid/ and https://www.pki.dfn.de/faqpki/faqpki-grid/

Please note that GRID certificates cannot be used for signing e-mails. This is technically possible but GRID certificates do not belong to any browser based certificate infrastructure. Therefore no mail client can verify these certificates.

Last update: October 27, 2022