
Difference between personal certificates with and without identification

When applying for a personal certificate, you can do so with or without identification.

To understand the differences, we need to briefly explain what identity means in the context of X.509 certificates. Certificates bind identities to cryptographic key material. An identity is a collection of named values. Which values make up a certificate’s identity depends on whether an extended identity check (“identification”) has taken place:

Identity/Subject with identification:

C  = DE
ST = Baden-Württemberg

O  = Karlsruher Institut für Technologie
organizationIdentifier = NTRDE-123123123

SN = Beispiel
GN = Beate
CN = Beate Beispiel

emailAddress = beate.beispiel@kit.edu
SAN email = beate.beispiel@kit.edu
SAN email = b.beispiel@kit.edu

Identity/Subject without identification:

emailAddress = beate.beispiel@kit.edu
SAN email = beate.beispiel@kit.edu
SAN email = b.beispiel@kit.edu

With identification, the certificate contains, in addition to the e-mail addresses, the rough location, KIT as the associated organization, and the name of the natural person.

Without identification, the certificate only contains the e-mail addresses.
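To tell the two variants apart without relying on what a mail client shows, the subject and SAN can be read directly. The following is an added example, not code from this page or from the CA; it uses the Python `cryptography` package. The decision rule (person name plus organization present) is an assumption derived from the listing above, and `make_sample` and the `SAMPLE_*` values are constructed test input.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ORG_ID = x509.ObjectIdentifier("2.5.4.97")  # organizationIdentifier
# Subject attributes that, per this page, appear only with identification.
IDENTIFIED = {
    NameOID.COUNTRY_NAME: "C", NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.ORGANIZATION_NAME: "O", ORG_ID: "organizationIdentifier",
    NameOID.SURNAME: "SN", NameOID.GIVEN_NAME: "GN", NameOID.COMMON_NAME: "CN",
}
# Constructed sample data, copied from the subject listing on this page.
SAMPLE_EMAILS = ["beate.beispiel@kit.edu", "b.beispiel@kit.edu"]
SAMPLE_WITHOUT = [(NameOID.EMAIL_ADDRESS, "beate.beispiel@kit.edu")]
SAMPLE_WITH = [(NameOID.COUNTRY_NAME, "DE"),
               (NameOID.STATE_OR_PROVINCE_NAME, "Baden-Württemberg"),
               (NameOID.ORGANIZATION_NAME, "Karlsruher Institut für Technologie"),
               (ORG_ID, "NTRDE-123123123"), (NameOID.SURNAME, "Beispiel"),
               (NameOID.GIVEN_NAME, "Beate"),
               (NameOID.COMMON_NAME, "Beate Beispiel")] + SAMPLE_WITHOUT

def classify(cert):
    """Return (variant, identity attributes found, SAN e-mail addresses)."""
    found = {IDENTIFIED[a.oid]: a.value for a in cert.subject if a.oid in IDENTIFIED}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        emails = san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    # Assumed rule: the natural person's name and the organization are both present.
    identified = {"SN", "GN", "CN", "O"} <= found.keys()
    variant = "with identification" if identified else "without identification"
    return variant, found, emails

def make_sample(subject_attrs, emails):
    """Build a throwaway self-signed certificate (constructed test input)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject_attrs])
    now = datetime.now(timezone.utc)
    san = x509.SubjectAlternativeName([x509.RFC822Name(e) for e in emails])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))
```

For a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `classify`.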

Which variant you choose depends primarily on the expectations of potential recipients. The “real” differences in how common email clients display signed emails are rather subtle. Nevertheless, we recommend using certificates with identification if possible.

Microsoft Outlook

In Outlook, the two variants look completely identical in both the info pop-up and the detailed view. The differences only come to light if you go deeper into the certificate details at (without screenshot). In practice, no one is likely to notice any difference.

Identity/Subject with identification
Identity/Subject without identification

Mozilla Thunderbird

With Thunderbird, the differences are more visible. The name is displayed in the pop-up for certificates with identification. All differences are displayed in full in the detailed view at .

Identity/Subject with identification
Identity/Subject without identification

Apple Mail on macOS

Apple Mail shows the difference directly in the email view. The detailed view also shows all differences in their entirety.

Identity/Subject with identification
Identity/Subject without identification

Adobe Acrobat Reader

If you want to sign PDF files with TCS certificates (contrary to our explicit recommendation against it), the difference is that the name appears everywhere for certificates with identification. Certificates without identification are therefore completely useless for this purpose.

Certificate Selection Dialog

Identity/Subject with identification
Identity/Subject without identification