The table below lists all X.509 certificates ever used by the WWUCA,
as well as those of the respective superordinate certification authorities, in
different formats. The years indicate the periods of use, not the
periods of validity.
For security reasons, certificates are always used only for a limited
period, as specified in the certification policies. Thereafter new certificates
are used. The old certificates remain valid until their end of life,
however, and are still needed to check the certificates issued with
Clicking on Import downloads the certificate in
binary format for automatic import into your WWW program.
Clicking on Binary downloads the certificate in the same
format, but for saving as a file. Clicking on Text (.pem) or
Text (.crt) downloads the certificate in PEM format for
saving with the indicated file name extension. Clicking on
Binary (.p7b) downloads the certificate in PKCS#7 format for
saving with the indicated file name extension.
GÉANT TCS uses different CA certificates for different key
types (RSA, ECC), different certificate purposes (user, code signing,
server), different scopes of application (normal, eScience) and
different request paths (normal, ACME).
The root certificates “USERTrust ... Certification
Authority” are built into all current programs. Very old software
does not yet know these root certificates, but does know the root
certificate “AAA Certificate Services” from Comodo (today
Sectigo). Only server operators who depend on very old software
being able to establish connections to their server should use
the chain with the cross certificate.
“Global” certificates and predecessors
The column X.509 chain lists files
containing the certificates of the WWUCA and the superordinate
certification authorities, both with and without the respective root
certificate. Operators of Apache WWW servers should download the file
without the root certificate and specify this file in the configuration
option SSLCertificateChainFile, so that users do not have to
import the WWUCA certificate into their browsers.
Operators of other SSL/TLS server software should specify in the
configuration first the private key of the server, second the
certificate of the server, and third the chain without root. With some
software it may be necessary to merge all three parts in this order,
perhaps separated by an empty line, into a simple text file and to
specify this file in the configuration.
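The merge order described above, as an added example that is not part of the original page or the WWUCA's own tooling: the Python code below builds the combined file from the three parts and refuses input that is in the wrong order. It checks only PEM block labels and base64 encoding, not the X.509 contents; the function names and the sample blocks are constructed for illustration.

```python
import base64, os, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; bad base64 raises ValueError."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def build_bundle(key_pem, cert_pem, chain_pem):
    """Merge the parts in the order given above: key, server certificate, chain."""
    key, cert, chain = (pem_blocks(p) for p in (key_pem, cert_pem, chain_pem))
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        raise ValueError("first part must be exactly one private key")
    if [label for label, _ in cert] != ["CERTIFICATE"]:
        raise ValueError("second part must be exactly one certificate")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("third part must contain only certificates")
    if cert[0] in chain:
        raise ValueError("chain file must not repeat the server certificate")
    out = []
    for label, der in key + cert + chain:
        # Re-encode each block so stray text between blocks is dropped.
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----")
    return "\n\n".join(out) + "\n"  # parts separated by an empty line

def write_private(path, text):
    """The merged file contains the private key: make it owner-only (POSIX)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as f:
        f.write(text)

# Constructed placeholder blocks, not real key or certificate material.
def _pem(label, payload):
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

KEY = _pem("PRIVATE KEY", b"constructed key")
CERT = _pem("CERTIFICATE", b"constructed server certificate")
CHAIN = _pem("CERTIFICATE", b"constructed CA 1") + _pem("CERTIFICATE", b"constructed CA 2")
```

Because the merged file includes the private key, `write_private` creates it readable by the owner only.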
Usually, the cross certificate and the alternative root certificate
should no longer be needed. Only very old software does not yet know
the USERTrust root certificates.