Notice

During an extended transition period, we (WWU IT + WWUCA + DFN-PKI) offer globally recognized digital IDs (certificates) from two different providers.

  • The digital IDs with “Global” certificates, which have been offered for some time, are based on the “T-TeleSec GlobalRoot Class 2” root certificate from T-Systems Enterprise Services GmbH.
    This offer is expected to expire at the end of 2022 for server certificates and at the end of 2023 for other certificates.

  • The digital IDs with “TCS” certificates, which are now offered as well, come from the Trusted Certificate Service (TCS) of the pan-European research network GÉANT and are based on the root certificates of Sectigo.

The “TCS” digital IDs have three advantages: for many users no new ID checks are necessary, there is no paperwork, and digital IDs for servers can be renewed automatically via ACME.

CA certificates

The table below lists all X.509 certificates ever used by the WWUCA, together with those of the respective superordinate certification authorities, in different formats. The years indicate the periods of use, not the periods of validity.

For security reasons certificates are always used for a limited period only as specified in the certification policies. Thereafter new certificates are used. The old certificates remain valid until their end of life, however, and are still needed to check the certificates issued with them.

Clicking on Import downloads the certificate in binary format for automatic import into your web browser. Clicking on Binary downloads the certificate in the same format, but for saving as a file. Clicking on Text (.pem) or Text (.crt) downloads the certificate in PEM format for saving with the indicated file name extension. Clicking on Binary (.p7b) downloads the certificate in PKCS#7 format for saving with the indicated file name extension.

“TCS” certificates:

GÉANT TCS uses different CA certificates for different key types (RSA, ECC), different certificate purposes (user, code signing, server), different scopes of application (normal, eScience) and different request paths (normal, ACME).

The root certificates “USERTrust ... Certification Authority” are built into all current programs. Very old software does not yet know these root certificates, but does know the root certificate “AAA Certificate Services” from Comodo (today Sectigo). Only server operators who depend on very old software also being able to connect to their server should use the chain with the cross certificate.

 

Columns: X.509 GÉANT TCS | X.509 root CA | X.509 alternative root CA | X.509 chain (see below)

Period of use: Now ← 2021

  • User RSA certificates: GEANT Personal CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    USERTrust RSA Certification Authority
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
      Or as a cross certificate from the alternative root CA:
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    AAA Certificate Services
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • User eScience RSA certificates: GEANT eScience Personal CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Code Signing RSA certificates: GEANT Code Signing CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server RSA certificates: GEANT OV RSA CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server eScience RSA certificates: GEANT eScience SSL CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server RSA certificates via ACME: Sectigo RSA Organization Validation Secure Server CA
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • User ECC certificates: GEANT Personal ECC CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    USERTrust ECC Certification Authority
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
      Or as a cross certificate from the alternative root CA:
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • User eScience ECC certificates: GEANT eScience Personal ECC CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server ECC certificates: GEANT OV ECC CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server eScience ECC certificates: GEANT eScience SSL ECC CA 4
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

  • Server ECC certificates via ACME: Sectigo ECC Organization Validation Secure Server CA
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Or with the cross certificate: Text (with root), Text (without root)

“Global” certificates and predecessors

 

Columns: X.509 WWUCA | X.509 DFN-PCA | X.509 root CA | X.509 chain (see below)

  • Now ← 2016
    DFN-Verein Global Issuing CA
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    DFN-Verein Certification Authority 2
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    T-TeleSec GlobalRoot Class 2
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)
    Text (current and historic CA certificates)

  • 2016 ← 2014
    Zertifizierungsstelle Universitaet Muenster - G02
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    DFN-Verein PCA Global - G01
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Deutsche Telekom Root CA 2
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

  • 2014
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b) (revoked)
    Chain: Text (with root), Text (without root) (revoked)

  • 2014 ← 2007
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

  • 2007 ← 2006
    Zertifizierungsstelle Universitaet Muenster (Classic) 2006-2007
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    DFN-Verein PCA Classic - G01
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

  • 2005 ← 2004
    Zertifizierungsstelle 2004-2005
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    DFN Toplevel Certification Authority
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

  • 2003 ← 2002
    Zertifizierungsstelle 2002-2003
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

  • 2001 ← 2000
    Zertifizierungsstelle 2002-2003
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    DFN Top Level Certification Authority
      Import (.der), Import (.cer), Binary, Text (.pem), Text (.crt), Binary (.p7b)
    Chain: Text (with root), Text (without root)

Remarks

The column X.509 chain lists files containing the certificates of the WWUCA and the superordinate certification authorities, both with and without the respective root certificate. Operators of Apache web servers should download the file without the root certificate and specify this file in the configuration option SSLCertificateChainFile, which saves users from having to import the WWUCA certificate into their browsers.

Operators of other SSL/TLS server software should specify in the configuration first the private key of the server, second the certificate of the server, and third the chain without root. With some software it may be necessary to merge all three parts in this order, perhaps separated by an empty line, into a simple text file and to specify this file in the configuration.
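A check for the merged file described above, added here as an example (not code from WWU or the CAs): it verifies that the private key comes first, that each certificate is followed by its issuer, and that no self-signed root was merged in. The function names and the skeletal constructed certificates are assumptions of this example, and it compares issuer and subject names only, without verifying signatures.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):                          # DER element at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert):
    """Return the raw DER issuer and subject names of an X.509 certificate."""
    pos = tlv(cert, tlv(cert, 0)[1])[1]     # enter Certificate, then tbsCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                         # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        end = tlv(cert, pos)[2]
        fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(text):
    """List problems in a merged key + server certificate + chain file."""
    blocks = [(label, base64.b64decode(body)) for label, body in PEM_RE.findall(text)]
    problems = []
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("private key is not first")
    names = [issuer_subject(raw) for label, raw in blocks if label == "CERTIFICATE"]
    for i, (issuer, subject) in enumerate(names):
        if i > 0 and issuer == subject:     # self-issued: the root was merged into the chain
            problems.append(f"certificate {i} is self-signed (root in chain)")
        if i + 1 < len(names) and issuer != names[i + 1][1]:
            problems.append(f"certificate {i} is not followed by its issuer")
    return problems

# Constructed sample data: skeletal DER certificates holding only the fields read above.
def der(tag, *parts):                       # short-form lengths suffice for these samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def pem(label, data):
    return f"-----BEGIN {label}-----\n{base64.b64encode(data).decode()}\n-----END {label}-----\n"
def fake_cert(issuer, subject):
    name = lambda cn: der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03", der(0x0C, cn))))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", der(0x30),
              name(issuer), der(0x30), name(subject))
    return pem("CERTIFICATE", der(0x30, tbs))
KEY = pem("PRIVATE KEY", b"constructed placeholder, not a key")
SERVER, ISSUING, ROOT = (fake_cert(i, s) for i, s in
                         [(b"Issuing CA", b"server"), (b"Root", b"Issuing CA"), (b"Root", b"Root")])
```

Calling `check_bundle` on the text of a real merged file works the same way, because `tlv` also handles the long-form lengths that full-size certificates use.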

Usually, the cross certificate and the alternative root certificate should no longer be needed. Only very old software does not yet know the USERTrust root certificates.

 

OpenPGP

For completeness the OpenPGP keys formerly used for certification are listed here.

 

Columns: PGP WWUCA (Service discontinued by the end of 2011) | PGP DFN-PCA (Service discontinued by the end of 2009)

  • 2011 ← 2010: Text
  • 2009 ← 2008: Text, Text
  • 2007 ← 2006: Text
  • 2005 ← 2004: Text, Text
  • 2003 ← 2002: Text, Text
  • 2001: Text, Text
  • 2000: Text
  • 1999: Text (predecessor)
  • 1998 ← 1997: Text