Validation of certificates

When a certification authority wants to revoke a certificate prior to the expiry of the indicated validity period, it records the serial number of the certificate on a validation server in a Certificate Revocation List.

Validation servers can be used in three ways:

  • On the one hand, the complete Certificate Revocation List (CRL) can be downloaded in a standardized data format at regular intervals (e.g. once a week). With this procedure, one may only become aware of a revocation days later.

  • On the other hand, one can send the serial number of a certificate to the server during validation, and the server responds whether the certificate is still valid: Online Certificate Status Protocol (OCSP).

  • Even better, the server includes in its response the current corresponding OCSP response, signed and timestamped by the certification authority: OCSP Stapling.

The addresses for CRL download are included as additional details in the issued certificates, and the OCSP address is included in the certificate of the certification authority. This allows fully automatic use of the validation mechanisms. CRLs can also be used semi-automatically or manually.
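The delay described for periodically downloaded CRLs can be reproduced locally with OpenSSL. The following is an added example, not part of the original page: it assumes the `openssl` command-line tool is installed and uses a throwaway CA with made-up names (`Demo CA`, `user.example`, `old.crl`, `new.crl`), not any of the certification authorities listed here.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA (not one of the CAs on this page) issues one
# certificate and then revokes it. All file names and subjects are made up.
crl_demo() (
  set -e
  d=$(mktemp -d); cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  q() { openssl "$@" >/dev/null 2>&1; }   # run openssl quietly, keep exit status
  q req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout ca.key -out ca.pem -subj "/CN=Demo CA"
  q req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout ee.key -out ee.csr -subj "/CN=user.example"
  q ca -batch -config ca.cnf -in ee.csr -out ee.pem
  q ca -config ca.cnf -gencrl -out old.crl   # CRL a client fetched before the revocation
  q ca -config ca.cnf -revoke ee.pem         # the CA records the serial number
  q ca -config ca.cnf -gencrl -out new.crl   # CRL published after the revocation
  check() {                                  # verify ee.pem against one CRL snapshot
    if q verify -crl_check -CAfile ca.pem -CRLfile "$1" ee.pem
    then echo accepted; else echo rejected; fi
  }
  echo "stale CRL: $(check old.crl), current CRL: $(check new.crl)"
  cd / && rm -rf "$d"
)
crl_demo
```

The stale snapshot is still within its own validity period, so nothing tells the client that a newer list exists; only a fresh download, OCSP or a stapled OCSP response closes that gap.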

To stay up to date, the links in the table below point directly to the validation servers of the certification authorities involved in the operation of the WWUCA.

When you import a CRL this way, your WWW program will probably start reloading the newest version of the CRL from the same address at regular intervals.

When clicking on Import, the certificate is downloaded in binary format for automatic import into your WWW program. When clicking on Text, the certificate is downloaded in PEM format for saving.

"TCS" certificates:

X.509 GÉANT TCS

X.509 root CA

X.509 alternative root CA

Now

2021

User RSA certificates:
GEANT Personal CA 4
Import (.crl)

USERTrust RSA Certification Authority
Import (.crl)

AAA Certificate Services
Import (.crl)

User eScience RSA certificates:
GEANT eScience Personal CA 4
Import (.crl)

Code Signing RSA certificates:
GEANT Code Signing CA 4
Import (.crl)

Server RSA certificates:
GEANT OV RSA CA 4
Import (.crl)

Server eScience RSA certificates:
GEANT eScience SSL CA 4
Import (.crl)

Server RSA certificates via ACME:
Sectigo RSA Organization Validation Secure Server CA
Import (.crl)

User ECC certificates:
GEANT Personal ECC CA 4
Import (.crl)

USERTrust ECC Certification Authority
Import (.crl)

User eScience ECC certificates:
GEANT eScience Personal ECC CA 4
Import (.crl)

Server ECC certificates:
GEANT OV ECC CA 4
Import (.crl)

Server eScience ECC certificates:
GEANT eScience SSL ECC CA 4
Import (.crl)

Server ECC certificates via ACME:
Sectigo ECC Organization Validation Secure Server CA
Import (.crl)

"Global" certificates:

X.509 WWUCA

X.509 DFN-PCA

X.509 root CA

Now

2016

Import (.crl)
Text (.txt)
Text (.pem)

Import (.crl)
Text (.txt)
Text (.pem)

T-TeleSec GlobalRoot Class 2
Import (.crl)