CA certificates
The tables below list all ever used X.509 certificates of the University Certification Authority Münster as well as the respective superordinate certification authorities in different formats. The years indicate the periods of use, not the periods of validity.
For security reasons certificates are always used for a limited period only as specified in the certification policies. Thereafter new certificates are used. The old certificates remain valid until their end of life, however, and are still needed to check the certificates issued with them.
When clicking on Import the certificate is downloaded in binary format for automatically importing into your WWW program. When clicking on Binary the certificate is downloaded in the same format but for saving as file. When clicking on Text (.pem) or Text (.crt), the certificate is downloaded in PEM format for saving with the indicated file name extension. When clicking on Binary (.p7b), the certificate is downloaded in PKCS#7 format for saving with the indicated file name extension.
PDF certificates
The digital PDF IDs are signed directly by the root certificate of our own PDF CA, so there is no hierarchy or chain.
|
X.509 PDF CA (root CA) |
|---|---|
Now |
Import (.der) |
“TCS” certificates
GÉANT TCS uses different CA certificates for different key types (RSA, ECC), different certificate purposes (person, code signing, server), different scopes of application (normal, eScience) and different request paths (normal, ACME).
The root certificates “USERTrust ... Certification Authority” are built into all current programs. Very old software does not yet know these root certificates, but does know the root certificate “AAA Certificate Services” from Commodo (today Sectigo). (Only) If you need to ensure that even very old software can establish connections to your server, you should use the chain with the cross certificate.
“Global” certificates and predecessors
Remarks
The column X.509 chain lists files containing the certificates of the CA of the University of Münster and the superordinate certification authorities, both with and without the respective root certificate. Those who operate Apache WWW servers should download the file without root certificate and indicate this file in the configuration option SSLCertificateChainFile to save the users from importing the CA certificate into their browsers.
Those who operate other SSL/TLS server software should indicate in the configuration first the private key of the server, second the certificate of the server, and third the chain without root. With some software it may be necessary to merge all three parts in this order, perhaps separated by an empty line, into a simple text file and to indicate this file in the configuration.
Usually, the cross certificate and the alternative root certificate should no longer be needed. Only very old software does no longer know the USERTrust root certificates.