Integration into the public administration PKI

To use the services of the public administration PKI (V-PKI) as a Certificate Authority (CA), the CA concludes an agreement with the Policy Certificate Authority (PCA) of the public administration PKI. The PCA then confirms the Certificate Authority's participation in the V-PKI by issuing a CA certificate.

Once the technical requirements have been tested successfully in the trial phase, a number of formal requirements must be fulfilled, some of which are governed by sections 2 and 3 of the agreement concluded between the PCA and the CA service provider. Before the agreement is signed, the issuing of a Certificate Authority certificate must be applied for in writing from the BSI. The following must be included with the completed and signed application:

  • the currently applicable security policy of the Certificate Authority
  • the self-declaration
  • a copy of the current entry in the German Trade Register or proof of entry into a professional or commercial register in accordance with national law in another country
  • a declaration that the applicant is not currently the subject of insolvency proceedings and that no such proceedings have been applied for

Following the submission and review of the relevant documents by the BSI, certification of the PKCS#10 (Public-Key Cryptography Standards #10) request can be completed. The CA certificate is then created by the PCA-1-Verwaltung and handed over to an official representative of the Certificate Authority.

Publication in the X.500 directory of the IVBB (Informationsverbund Berlin-Bonn) is completed once the CA operator has reviewed the issued certificate to ensure that its details are correct and that it functions properly, and has notified the Policy Certificate Authority of its acceptance. The certificate is revoked if confirmation is not received within a period of 5 working days or if the review process is unsuccessful.

The namespace for which the CA issues certificates must be submitted to the Policy Certificate Authority for review and approval. Namespaces no longer needed must be de-registered.

Trial phase

For the trial phase, the BSI offers a test certificate to all of those interested in using the public administration PKI, so as to enable the adjustment of both technical and organisational internal processes to the requirements of the V-PKI before the actual go-live date.

Before this test is conducted, the application for the issuing of a CA test certificate for the public administration PKI must be completed, signed and returned to the BSI. The validity period should be chosen so that the time allowed for the trial phase does not end up being too short. PKI management is handled by a PKCS#10 request that is sent to the BSI; following certification, the request is answered by a PKCS#7 reply sent to the CA.

Recommended actions during this test phase include issuing and then revoking subscriber and sub-CA certificates, so as to verify the functionality of the formats created by the trust centre. The certificates and revocation list created can be published in the test directory Test-X500.bund.de and accessed from it via LDAP (Lightweight Directory Access Protocol) for subsequent import into an e-mail client.

Application forms

Current application forms for CA certificates can be requested via e-mail from the contact address.