Steps to Request Certificate

To request and be issued a GÉANT Multi-Domain Network Services certificate, the server/machine administrator has to perform three steps. They are explained below:
   
    
1. Authentication
We need to perform some type of identity vetting on you to be able to authenticate a certificate application sent by you. The GÉANT Multi-Domain Network Services RA currently supports two ways of identity vetting; you can choose either of the two:

1) TCS Personal Certificates
If you are in possession of a TCS Personal Certificate or a TCS Personal eScience Certificate, you can use this in step 3 to send us a signed email (S/MIME) with the certificate application form (PDF) attached.
   
2) PGP/GPG signature
If you have a PGP/GPG key, please make sure that the key is signed by the SA2 RAs' PGP signing key and is available on commodity PGP key servers. You can then use this in step 3 to send us a signed email with the certificate application form (PDF) attached.

   
2. Authorisation
Please check the GÉANT Multi-Domain Network Service Administrator Registry to make sure that your email address is listed as an administrator of a GÉANT Multi-Domain Network Service.
If your name is not listed in the registry and you would like to request a certificate, please contact the RAs by email at mds-edupki-ra@geant.net.

The GÉANT Multi-Domain Network Services RA will only issue certificates that are requested by administrators who have a contact email address listed in the registry.

The profiles you request for your certificate must also match your entry in the registry.

  • If you are listed as an AutoBAHN administrator, your certificate will be allowed to carry one of the AutoBAHN profiles.
  • If you are listed as a cNIS administrator, your certificate will be allowed to carry one of the cNIS profiles.
  • If you are listed as an I-SHARe administrator, your certificate will be allowed to carry one of the I-SHARe profiles. 
  • If you are listed as a perfSONAR administrator, your certificate will be allowed to carry one of the perfSONAR profiles.
  • If you are listed under a combination of GÉANT's Multi-Domain Network Services, the certificate will be allowed to carry any of that combination's profiles.
  • If you are listed under all of GÉANT's Multi-Domain Network Services, the certificate will be allowed to carry one of the general-purpose profiles.

     
3. Certificate request
Please navigate to the eduPKI CA interface and open the Multi-Domain Network Services Certificate Request Generator (eduPKI CA).
Contact Data
These fields must match your registered data in the GÉANT Multi-Domain Network Service Administrator Registry (see step 2 above).

Certificate profile
Your selection must be consistent with your registered data in the GÉANT Multi-Domain Network Service Administrator Registry (see step 2 above).

Organisation
eduPKI CA only issues certificates to legal entities. If your GÉANT Multi-Domain Network Service installation is only in a department of a legal entity, remember to fill in the name of the parent organisation's legal entity.
 
    
After you submit the form, the Certificate Request Generator will generate a cryptographic key pair (a private key and the matching public key) locally on your system, and you will be asked to save that private key into a directory together with the generated certificate application form in PDF format.
 
Please send the PDF form (and only the PDF form) via a signed email (as per the requirements in step 1) to mds-edupki-ra@geant.net. The email signature must be for the email address that is in the certificate application and is registered for you in the GÉANT Multi-Domain Network Service Administrator Registry.
 
The eduPKI GÉANT Multi-Domain Network Services RA personnel will verify that the request is in order and will issue your certificate as quickly as possible. The verification procedure includes human processing and is not instant; please allow a few business days for processing.
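
A pre-send check for step 3, as an added example that is not part of the original page or of the eduPKI tooling: it confirms that the file you are about to attach is the PDF form and that the private key saved beside it stays on disk with owner-only permissions. The function names, the file names and the PEM encoding of the key are assumptions.

```shell
#!/bin/sh
# Added example: pre-send check for step 3 (not eduPKI tooling).
# Assumptions: the key is PEM-encoded; file names below are constructed.

# Succeeds only if the file starts like a PDF and holds no PEM private key.
is_safe_attachment() {
    [ -f "$1" ] || return 1
    [ "$(head -c 5 "$1")" = "%PDF-" ] || return 1
    ! LC_ALL=C grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeeds only if group and others have no permissions on the key file.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Walks one directory: names the file to attach and flags everything else.
preflight() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_safe_attachment "$f"; then
            echo "ATTACH $f"
        elif LC_ALL=C grep -q 'PRIVATE KEY-----' "$f"; then
            if key_is_private "$f"; then
                echo "KEEP   $f (private key, never send)"
            else
                echo "FIX    $f (private key open to group/others: chmod 600)"
                rc=1
            fi
        else
            echo "SKIP   $f (not the application form)"
        fi
    done
    return $rc
}

# Constructed sample files standing in for what the generator saved.
demo=$(mktemp -d)
printf '%%PDF-1.4\n%% constructed sample form\n' > "$demo/application.pdf"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' > "$demo/server.key"
chmod 644 "$demo/server.key"
preflight "$demo" || echo "fix the findings above before sending"
chmod 600 "$demo/server.key"
preflight "$demo" && echo "ready: sign the email and attach only the PDF"
rm -rf "$demo"
```

Run `preflight` on the directory where you saved the generator's output; it returns non-zero while any private key there is accessible to other accounts.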