CA-Certificates and Certificate Policy

KfW utilizes and runs several services, that require certificates for a secure communication/connection or for the purpose of digital signatures. KfW creates and manages these certificates in different Public Key Infrastructures.

Secure E-Mail with KfW

KfW Group uses an e-mail encryption gateway which supports the encryption methods PGP and respectively S/MIME. The key material of the KfW employee can be request over the internet via the following LDAP query:

Servername: keys.kfw.de

Port: 389

Base DN: dc=keyserver

You can download the key material via the following Link: https://secmail.kfw.de.

Secure communication with PGP or S/MIME:

If you want to send the S/MIME certificate to KfW, please send a signed mail to the KfW recipient of your email.

If you use a PGP Key, please send us the key as an attachement (.asc) to .

If you use a PGP or S/MIME domain certificate, please send us the file (.zip) without password protection to .

Secure communication with GINAmail:

If you don't support PGP and S/MIME you can exchange secure e-Mails with KfW via GINAmail.

You will need a valid e-mail address and a browser to use GINAmail.

To use GINAmail please follow the instructions in the manual: manual encryption EN.

KfW Certificate Policy

This document provides KfW Certificate Policy.

Download	KfW PKI Certificate Policy
Fingerprint (SHA-256)	C052FAED1C9227ACB6F44FF9822DEFC09E03522334D43C9312A4126FF3599965

KfW Root Certificate: (Generation 03)

KfW Root CA 03

Download (base64)	KfW Root CA 03
Purpose	Trusted environment of the general KfW PKI
Valid from	Tuesday, ‎16. ‎April ‎2019
Valid to	Saturday, ‎16. ‎April ‎2039
Fingerprint (SHA-256)	BE0D7723FF3824CFA86FFF95E914591F2C5E5426E87C26B34A093E2BA6E7E32E

KfW External Root CA 03

Download (base64)	KfW External Root CA 03
Purpose	Trusted environment of the external KfW PKI
Valid from	Wednesday, ‎3. ‎April ‎2019
Valid to	Sunday, 3. ‎April ‎2039
Fingerprint (SHA-256)	E8A0B48A171E40927D4478F42C4192DF0C1D34EBFF18CDCF345AC0E54450F73A

KfW Sub-CA Certificates

KfW User CA 03.1

Download (base64)	KfW User CA 03.1
Purpose	Signs certificates for the digital signature wihin the trusted environment of the external KfW PKI
Issuer CA	KfW Root CA 03
Valid from	‎‎‎‎Tuesday, 31. ‎March ‎2020
Valid to	Sunday, ‎31. ‎March ‎2030
Fingerprint (SHA-256)	AEEC49E010E85216479144CA1CA13B71AF6ADDAFF6C6E1FC630C7A8ED09C76B5

KfW Bankpartner Sub-CA Certificates

Bankdurchleitung Online (BDO)

Download (zip)	KfW External Bankpartner CA BDO
Purpose	Signs certificates for banking partners within the trusted environment of the external KfW PKI
Issuer CA	KfW External Root CA 03
Valid from	Tuesday, 29. Juni ‎2021
Valid to	Sunday, ‎29. Juni ‎2031
Fingerprint (SHA-256)	E4D7C006ECF562BB373898021031A3B52CB0A66FC7728D4CCC1E8BE22A689557

Open Banking Bildung (OBB)

Download (zip)	KfW External Bankpartner CA OBB
Purpose	Signs certificates for banking partners within the trusted environment of the external KfW PKI
Issuer CA	KfW External Root CA 03
Valid from	Tuesday, 29. Juni ‎2021
Valid to	Sunday, ‎29. Juni ‎2031
Fingerprint (SHA-256)	948511BD0A2F3E7929CEC2EC2480C5C0BABBC28083F9F657C86217CA1557EE60

Certificate Revocation lists (CRL)

KfW creates and publishes regularly or on demand Certificate Revocation Lists.