GRID certificates
Please note: members of the LMU, please contact dfn-lmu-ra@lists.physik.uni-muenchen.de first.
GRID certificates are server certificates or personal certificates, but they belong to their own infrastructure. They have the following key usages (keyUsage):
- digitalSignature
- keyEncipherment
and the following extended key usages (extendedKeyUsage):
- clientAuth
- emailProtection
GRID certificates are the only personal certificates which the LRZ is permitted to issue to persons outside the BAdW.
The name space is as follows:
- C=DE
- O=GridGermany
- The OU depends on the institution you belong to: Leibniz Rechenzentrum, Technische Universitaet Muenchen or Ludwig-Maximilians-Universitaet Muenchen. Another OU for your department / faculty is possible.
- The CN is your first and family name (in case of a user certificate) or the server name (in case of a server certificate).
Please note: In GRID, neither group nor pseudonym certificates are allowed. The SubjectDN must not contain "pseudonym", "GN" or "SN" as attributes. The CN must not start with "GRP:", "GRP -", "PN:" or "PN ". However, robot certificates are possible. The CN may start with "Robot:" or "Robot-".
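A pre-submission check of a subject DN against the name-space rules above, as an added example that is not LRZ or DFN code. The function names, the comma-separated DN input format and the sample DN are assumptions, as is treating the long attribute names givenName and surname like GN and SN.

```python
import re

# Values copied from the name-space rules above.
ALLOWED_OUS = {
    "Leibniz Rechenzentrum",
    "Technische Universitaet Muenchen",
    "Ludwig-Maximilians-Universitaet Muenchen",
}
# The long forms GIVENNAME and SURNAME are an added assumption, not from the page.
FORBIDDEN_ATTRS = {"PSEUDONYM", "GN", "SN", "GIVENNAME", "SURNAME"}
FORBIDDEN_CN_PREFIXES = ("GRP:", "GRP -", "PN:", "PN ")
# Constructed sample DN, not a real certificate subject.
SAMPLE_DN = "C=DE,O=GridGermany,OU=Leibniz Rechenzentrum,CN=grid-node.example.org"


def parse_dn(dn):
    """Split 'C=DE,O=...,CN=...' into (TYPE, value) pairs; '\\,' escapes a comma."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def check_grid_dn(dn):
    """Return a list of rule violations; an empty list means the DN passes."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]

    def values(attr_type):
        return [v for a, v in pairs if a == attr_type]
    problems = []
    for attr, want in (("C", "DE"), ("O", "GridGermany")):
        if values(attr) != [want]:
            problems.append(f"{attr} must be {want}")
    if not any(ou in ALLOWED_OUS for ou in values("OU")):
        problems.append("no OU names one of the three institutions")
    for attr in sorted({a for a, _ in pairs} & FORBIDDEN_ATTRS):
        problems.append(f"attribute {attr} is not allowed")
    if not values("CN"):
        problems.append("CN is missing")
    for cn in values("CN"):
        if cn.startswith(FORBIDDEN_CN_PREFIXES):
            problems.append(f"CN prefix not allowed: {cn!r}")
    return problems
```

`check_grid_dn(SAMPLE_DN)` returns an empty list; a DN with an additional department OU also passes as long as one OU names the institution.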
You can request a GRID certificate here: https://pki.pca.dfn.de/dfn-pki/grid-root-ca/101
The page Request server certificate, for example, looks like this:
After filling out the form, click on Next:
If you click on Save certificate application data file, you are prompted for a password:
You can find additional information in the DFN CERT policies: https://doku.tid.dfn.de/_media/de:dfnpki:doc:grid-policies:dfn-pki_grid-cp_v16.pdf
and on the DFN GRID home page: https://doku.tid.dfn.de/de:dfnpki:grid
Please note that GRID certificates cannot be used for signing e-mails. This is technically possible, but GRID certificates do not belong to any browser-based certificate infrastructure. Therefore no mail client can verify these certificates.
Last update: October 21, 2025