Server certificates

Background information

This service is based on the DFN-PKI service of the DFN. The current version of this service is based on the TCS offer from GÉANT. The technical basis for this is regularly put out to tender and is currently provided by Sectigo through its Sectigo Certificate Manager (SCM) service.

Requirements

The issuing of certificates is linked to technical and organisational requirements. These are defined by the TCS specifications and the SCM rules.

With regard to the technical requirements for keys and certificates, please also refer to the TLS guidelines of IT Security.

To comply with these rules and apply them to the conditions at TU Darmstadt, the rules for certificate release (German only) apply here.

The organisational requirements can be roughly summarised as follows:

  • Certificates are only issued to employees and members of TU Darmstadt.
  • Persons may apply for certificates for host names in domains in which they are registered as domain representatives.
  • Other persons require authorisation from the relevant department or the domain representative to apply. An informal letter with a stamp from the relevant department or, for example, an informal email from a domain representative to tud-ca@hrz.tu-darmstadt.de is sufficient.

Application methods

In principle, server certificates can be issued in two different ways:

  • ‘classic’ via a web form and manual approval
  • via the ACME protocol

The processes for approving or creating an ACME account are documented in the process description (German only).

The following steps explain how to request a certificate.

Step 1: Generate a certificate signing request (CSR) following the pattern below:

  • C=DE, ST=Hessen, L=Darmstadt, O=Technische Universitaet Darmstadt
  • CN=(server name), example: www.hrz.tu-darmstadt.de

You can find detailed instructions in the DFN blog post (German only).

Step 2: Upload the CSR on the TCS application page and enter the required data. To do this, you must authenticate with your TU-ID; the request will be linked to your personal e-mail address. It is also advisable to enter a non-personal address (e.g. a functional address) as the ‘external requester’. The university computing centre is informed about the new request automatically.

Step 3: After successful verification, the certificate is generated and sent to the specified e-mail address.

Step 4: Import the certificate into the application.
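The CSR from Step 1, as an added example that is not part of this page or of the TCS/DFN tooling: a small POSIX shell script that generates a private key and a CSR with the required subject fields, then checks the CSR before you upload it. It assumes openssl 1.1.1 or newer is installed; the host name www.hrz.tu-darmstadt.de is the page's own example and stands in for your server.

```shell
#!/bin/sh
# Added example, not from the TU Darmstadt page: build a CSR that follows the
# subject pattern above and check it before uploading it to the TCS form.
# Assumes openssl (1.1.1 or newer, for -addext) is installed; the host name
# www.hrz.tu-darmstadt.de is the page's own example and stands in for yours.
set -e

# Fixed subject fields from Step 1; the CN is the server's host name.
TUD_SUBJECT_PREFIX="/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt"

# make_csr HOSTNAME OUTDIR [EXTRA_SAN ...]
# Writes OUTDIR/HOSTNAME.key (mode 0600) and OUTDIR/HOSTNAME.csr. The host name
# goes into the CN and into the subjectAltName extension, which is what clients
# actually match; extra names are added as further DNS SAN entries.
make_csr() {
    host="$1"; outdir="$2"; shift 2
    san="DNS:$host"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    umask 077   # the private key must not be readable by other users
    openssl req -new -newkey rsa:4096 -nodes \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "$TUD_SUBJECT_PREFIX/CN=$host" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# check_csr CSRFILE HOSTNAME
# Returns 0 when the CSR's self-signature verifies, its subject matches the
# TU Darmstadt pattern exactly and HOSTNAME appears in the SAN list; otherwise
# prints the first problem found and returns 1.
check_csr() {
    csr="$1"; host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    want="CN=$host,O=Technische Universitaet Darmstadt,L=Darmstadt,ST=Hessen,C=DE"
    [ "$subj" = "$want" ] || { echo "unexpected subject: $subj"; return 1; }
    openssl req -in "$csr" -noout -text | grep -qw "DNS:$host" \
        || { echo "SAN does not list $host"; return 1; }
}

# Usage: sh make_csr.sh HOSTNAME [EXTRA_SAN ...]   (writes into the current directory)
if [ -n "${1:-}" ]; then
    host="$1"; shift
    make_csr "$host" . "$@"
    check_csr "./$host.csr" "$host"
    echo "CSR ready for upload: ./$host.csr (keep ./$host.key on the server)"
fi
```

Only the .csr file is uploaded in Step 2; the .key file stays on the server and is paired with the issued certificate in Step 4.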

You can also have certificates issued automatically via the ACME protocol.

In contrast to Let's Encrypt, for example, you have to register with us once for each ACME client. This means that validation is no longer necessary when issuing certificates (e.g. for servers that cannot be reached from the Internet), and the certificates contain a reference to the relationship with TU Darmstadt (organisation validation).

Further technical details, e.g. on configuration, can be found in the DFN-FAQ on TCS.

Step 1: Apply for ACME access using the appropriate form. To do this, you must first authenticate with your TU-ID.

Step 2: We will check your application and then send you the necessary access data.

Step 3: You configure your ACME client (e.g. certbot). We have summarised the details on the ACME configuration page.

Step 4: The ACME client can then automatically issue and renew certificates.