CA certificates

The tables below list all ever used X.509 certificates of the University Certification Authority Münster as well as the respective superordinate certification authorities in different formats. The years indicate the periods of use, not the periods of validity.

For security reasons certificates are always used for a limited period only as specified in the certification policies. Thereafter new certificates are used. The old certificates remain valid until their end of life, however, and are still needed to check the certificates issued with them.

When clicking on Import the certificate is downloaded in binary format for automatically importing into your WWW program. When clicking on Binary the certificate is downloaded in the same format but for saving as file. When clicking on Text (.pem) or Text (.crt), the certificate is downloaded in PEM format for saving with the indicated file name extension. When clicking on Binary (.p7b), the certificate is downloaded in PKCS#7 format for saving with the indicated file name extension.

PDF certificates

The digital PDF IDs are signed directly by the root certificate of our own PDF CA, so there is no hierarchy or chain.

 

X.509 PDF CA (root CA)

Now

2022

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

“TCS” certificates

GÉANT TCS uses different CA certificates for different key types (RSA, ECC), different certificate purposes (person, code signing, server), different scopes of application (normal, eScience) and different request paths (normal, ACME).

The root certificates “USERTrust ... Certification Authority” are built into all current programs. Very old software does not yet know these root certificates, but does know the root certificate “AAA Certificate Services” from Commodo (today Sectigo). (Only) If you need to ensure that even very old software can establish connections to your server, you should use the chain with the cross certificate.

 

X.509 GÉANT TCS

X.509 root CA

X.509 alternative root CA

X.509 chain (see below)

Now

2021

User RSA certificates:
GEANT Personal CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

USERTrust RSA Certification Authority

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Or as a cross certificate from the alternative root CA:

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

AAA Certificate Services

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

User eScience RSA certificates:
GEANT eScience Personal CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Code Signing RSA certificates:
GEANT Code Signing CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server RSA certificates:
GEANT OV RSA CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server eScience RSA certificates:
GEANT eScience SSL CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server RSA certificates via ACME:
Sectigo RSA Organization Validation Secure Server CA

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

User ECC certificates:
GEANT Personal ECC CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

USERTrust ECC Certification Authority

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Or as a cross certificate from the alternative root CA:

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

User eScience ECC certificates:
GEANT eScience Personal ECC CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server ECC certificates:
GEANT OV ECC CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server eScience ECC certificates:
GEANT eScience SSL ECC CA 4

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

Server ECC certificates via ACME:
Sectigo ECC Organization Validation Secure Server CA

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Or with the cross certificate:

Text (with root)
Text (without root)

“Global” certificates and predecessors

 

X.509 CA Uni MS

X.509 DFN-PCA

X.509 root CA

X.509 chain (see below)

2022

2016

DFN-Verein Global Issuing CA

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

DFN-Verein Certification Authority 2

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

T-TeleSec GlobalRoot Class 2

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

Text (current and historic CA certificates)

2016

2014

Zertifizierungsstelle Universitaet Muenster - G02

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

DFN-Verein PCA Global - G01

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Deutsche Telekom Root CA 2

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

2014

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

(revoked)

Text (with root)
Text (without root)

(revoked)

2014

2007

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

2007

2006

Zertifizierungsstelle Universitaet Muenster (Classic) 2006-2007

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

DFN-Verein PCA Classic - G01

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

2005

2004

Zertifizierungsstelle 2004-2005

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

DFN Toplevel Certification Authority

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

2003

2002

Zertifizierungsstelle 2002-2003

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

2001

2000

Zertifizierungsstelle 2002-2003

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

DFN Top Level Certification Authority

Import (.der)
Import (.cer)
Binary
Text (.pem)
Text (.crt)
Binary (.p7b)

Text (with root)
Text (without root)

“Community” certificates

 

X.509 intermediate CA

X.509 root CA

X.509 chain (see below.)

2042

2022

DFN-Verein Community Issuing CA 2022

Import (.der)
Import (.cer)
Binär
Text (.pem)
Text (.crt)
Binär (.p7b)

DFN-Verein Community Root CA 2022

Import (.der)
Import (.cer)
Binär
Text (.pem)
Text (.crt)
Binär (.p7b)

Text (mit Wurzel)
Text (ohne Wurzel)

Remarks

The column X.509 chain lists files containing the certificates of the CA of the University of Münster and the superordinate certification authorities, both with and without the respective root certificate. Those who operate Apache WWW servers should download the file without root certificate and indicate this file in the configuration option SSLCertificateChainFile to save the users from importing the CA certificate into their browsers.

Those who operate other SSL/TLS server software should indicate in the configuration first the private key of the server, second the certificate of the server, and third the chain without root. With some software it may be necessary to merge all three parts in this order, perhaps separated by an empty line, into a simple text file and to indicate this file in the configuration.

Usually, the cross certificate and the alternative root certificate should no longer be needed. Only very old software does no longer know the USERTrust root certificates.

OpenPGP

For completeness the OpenPGP keys formerly used for certification are listed here.

 

PGP CA Uni MS

PGP DFN-PCA

 

(Service discontinued by the end of 2011)

(Service discontinued by the end of 2009)

2011 ← 2010

Text

2009 ← 2008

Text

Text

2007 ← 2006

Text

2005 ← 2004

Text

Text

2003 ← 2002

Text

Text

2001

Text

Text

2000

Text

1999

Text
(predecessor)

1998 ← 1997

Text