Applying for and creating X.509 certificates


Generally, you obtain an X.509 certificate from a commercial Certificate Authority (CA) such as DigiCert (https://www.digicert.com) and others. The certificates issued by the CAs are normally classified by trust levels (for example, “Class 3”).

A distinguishing feature of the individual trust levels is the effort involved in identifying the applicant:

  • In the case of low trust levels it is sufficient to be able to deliver e-mails to the specified e-mail address.

  • In the case of higher trust levels the applicant must, for example, supply a verified extract from the commercial register for the company involved. In addition, an authorized signatory or PKI executive of the company must identify himself/herself using the Post Ident procedure or something similar.

    Higher trust levels generally also mean higher warranty sums in the event of loss, for example if the CA issues a certificate to an unauthorized entity. Further details can be found on the CAs’ websites.

A new certificate must be obtained and installed in good time before the old one becomes invalid. If the private key has been compromised or the information in the certificate is no longer applicable, the certificate must be revoked.

If the certificates are only intended for in-house applications, it may make sense to set up your own CA. However, before taking such a step you should gain a thorough knowledge of PKI (Public Key Infrastructure), for example by reading the relevant literature.

In addition to the identification documents the applicant must also submit a Certificate Signing Request (CSR). You can create a CSR with the OpenSSL command line tool, for example (see the section “MAKE.CERT procedure - Generating test certificates and CSRs”).
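The following added example (not taken from this manual or from the MAKE.CERT procedure) shows one way to create a key and CSR with the OpenSSL command line tool and to check the CSR before submitting it. The function names, file names and subject values (`Example GmbH`, `host.example.com`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a private key and CSR, then check the CSR locally.
# All names and subject values are constructed sample values.

# make_csr DIR CN [BITS] - writes DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; cn=$2; bits=${3:-3072}
    (
        umask 077                       # private key readable by owner only
        mkdir -p "$dir" || exit 1
        # Request configuration: subject plus a subjectAltName extension.
        cat > "$dir/csr.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
C  = DE
O  = Example GmbH
CN = $cn
[ext]
subjectAltName = DNS:$cn
EOF
        openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null || exit 1
        openssl req -new -sha256 -key "$dir/server.key" \
            -config "$dir/csr.cnf" -out "$dir/server.csr"
    )
}

# check_csr DIR - succeeds only if the CSR's self-signature verifies and
# the public key in the CSR belongs to DIR/server.key.
check_csr() {
    dir=$1
    # Match the "verify OK" text rather than relying only on the exit status.
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# csr_subject DIR - prints the subject the CA will see in the request
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject
}
```

Only `server.csr` is sent to the CA; `server.key` stays on the host that will use the certificate.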