Server certificates

Background information

This service builds on the DFN-PKI service of the DFN. Its current version is based on the TCS (Trusted Certificate Service) offering from GÉANT, whose technical provider is selected by regular tender and is currently HARICA.

Requirements

The issuance of certificates is subject to technical and organisational requirements. These are defined by the specifications provided by HARICA.

With regard to the technical requirements for keys and certificates, please also refer to the TLS guidelines of IT Security.

The rules for certificate release (German version only) translate these requirements to the conditions at TU Darmstadt and apply here.

The organisational requirements can be roughly summarised as follows:

  • Certificates are only issued to employees and members of TU Darmstadt.
  • Persons may apply for certificates for host names in domains in which they are registered as domain representatives.
  • Other persons require authorisation from the relevant department or the domain representative to apply. An informal letter with a stamp from the relevant department or, for example, an informal email from a domain representative to is sufficient.

Application methods

In principle, server certificates can be issued in two different ways:

  • ‘classic’ via a web form and manual approval
  • via the ACME protocol

The processes for approving a request or creating an ACME account are documented in the process description (German only).

The following steps explain how to request a certificate.

Step 1: Generate a certificate signing request (CSR) with the subject pattern below:

  • C=DE, ST=Hessen, L=Darmstadt, O=Technische Universitaet Darmstadt
  • CN=(server name), e.g. www.hrz.tu-darmstadt.de

Detailed instructions can be found in the DFN blog post (German only).

Step 2: Log in to the HARICA system using the 'Academic Login'. In the left-hand menu, under 'Certificate Requests', select 'Server'. You will be guided through the application process. For the 'Product', choose 'For enterprises or organisations (OV)'. The HRZ will automatically be notified of the new request.

Step 3: After successful verification, the certificate is generated and sent to the specified e-mail address.

Step 4: Import the certificate into the application.
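The local part of the steps above, as an added example that is not part of the HRZ page: it generates the key pair and a CSR with the required subject (Step 1), checks the CSR before it is uploaded, and, for Step 4, checks that the issued certificate actually belongs to the key before it is imported. It assumes an EC P-256 key (the page leaves key requirements to the TLS guidelines of IT Security), uses the page's own example host name, and needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example for the 'classic' request; not code from the HRZ page.
# Covers the local parts of the procedure: generating the key pair and CSR with
# the required subject (Step 1), checking the CSR before uploading it, and
# checking the issued certificate against the key before importing it (Step 4).
# Assumptions not stated on the page: an EC P-256 key (the page defers key
# requirements to the TLS guidelines of IT Security) and the page's own example
# host www.hrz.tu-darmstadt.de.
set -eu

HOST="${HOST:-www.hrz.tu-darmstadt.de}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/$HOST.key"
CSR="$WORKDIR/$HOST.csr"

# Subject in the pattern required by the page. The host name is also put into a
# DNS subjectAltName, since TLS clients match the SAN list rather than the CN.
SUBJECT="/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=$HOST"

make_csr() {
    # The private key never leaves the server; only the CSR is uploaded in Step 2.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$KEY"
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJECT" \
        -addext "subjectAltName=DNS:$HOST"
}

# Subject of the CSR in RFC 2253 form, e.g. to compare it with the pattern above.
csr_subject() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253
}

# Returns 0 only if the CSR is self-consistent (its signature verifies), carries
# the required O= and names the host in a DNS SAN. Fix anything else before the
# request is uploaded: the CA issues what the CSR asks for.
csr_is_valid() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    csr_subject | grep -q 'O=Technische Universitaet Darmstadt' || return 1
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$HOST" || return 1
}

# Step 4 check: the certificate sent by e-mail must contain the public key that
# belongs to $KEY. Comparing the two public keys catches a certificate that was
# issued for a different CSR (e.g. after the key was regenerated).
cert_matches_key() {
    pub_from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$KEY" -pubout)
    [ "$pub_from_cert" = "$pub_from_key" ]
}

make_csr
echo "CSR written to $CSR:"
csr_subject
```

Run it once per server, upload the CSR it writes, and call cert_matches_key on the certificate you receive before installing it; if the public keys differ, the certificate does not fit the key on this server and must not be imported.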

You can also have certificates issued automatically via the ACME protocol.

Unlike Let's Encrypt, for example, each ACME client must be registered with us once. Because that registration already establishes the client's entitlement to the registered domains, no per-certificate validation takes place at issuance (so this also works for servers that cannot be reached from the Internet), and the certificates carry the organisation-validated reference to TU Darmstadt.

Further technical details, e.g. on configuration, can be found in the DFN-FAQ on TCS.

Step 1: Apply for ACME access using the appropriate form. You must first authenticate with your TU-ID.

Step 2: We will check your application and then send you the necessary access data.

Step 3: You configure your ACME client (e.g. certbot). We have summarised the details on the ACME configuration page.

Step 4: The ACME client can then automatically issue and renew certificates.
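The client side of the ACME path, as an added example (example code, not the HRZ's ACME configuration page or anything from it): the one-time registration, the per-host request with certbot, and a deploy hook that checks the issued certificate before a service reload. It assumes that the access data from Step 2 is an ACME External Account Binding (key ID and HMAC key), which certbot takes via --eab-kid and --eab-hmac-key; that ACME_DIRECTORY stands in for the directory URL given on the ACME configuration page; and that the --standalone authenticator and certbot's default /etc/letsencrypt layout are acceptable on the host.

```shell
#!/bin/sh
# Added example for the ACME path; not code from the HRZ's ACME configuration
# page. Shows the one-time client registration, the per-host request with
# certbot, and a deploy hook that checks the issued certificate before a
# service reload. Assumptions not stated on the page: the access data the HRZ
# sends is an ACME External Account Binding (key ID + HMAC key), passed to
# certbot via --eab-kid/--eab-hmac-key; ACME_DIRECTORY is a placeholder for the
# directory URL on the HRZ's ACME configuration page; the --standalone
# authenticator and certbot's default /etc/letsencrypt layout are used.
set -eu

ACME_DIRECTORY="${ACME_DIRECTORY:-https://acme.example.org/directory}"  # placeholder
HOST="${HOST:-www.hrz.tu-darmstadt.de}"

# Once per ACME client: create the account and bind it to the HRZ access data.
# Without the binding the account is not tied to the TU Darmstadt registration.
register_account() {
    : "${EAB_KID:?set EAB_KID from the HRZ access data}"
    : "${EAB_HMAC_KEY:?set EAB_HMAC_KEY from the HRZ access data}"
    : "${CONTACT_EMAIL:?set CONTACT_EMAIL for expiry notices}"
    certbot register --server "$ACME_DIRECTORY" \
        --eab-kid "$EAB_KID" --eab-hmac-key "$EAB_HMAC_KEY" \
        -m "$CONTACT_EMAIL" --agree-tos --no-eff-email
}

# Per host: request the certificate ('certbot renew' later reuses these
# settings). The account is already authorised for the registered domains and
# certbot skips authorisations the CA reports as valid, so no inbound
# connection to the host is needed; certbot still requires an authenticator.
request_cert() {
    certbot certonly --server "$ACME_DIRECTORY" --standalone -d "$HOST" \
        --deploy-hook "$0 check /etc/letsencrypt/live/$HOST/fullchain.pem"
}

# Deploy hook: accept only a certificate that names the host in a DNS SAN and
# carries the organisation-validated subject the page describes. A certificate
# that fails here is not installed; the previous one stays in place.
check_issued_cert() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST" || return 1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | grep -q 'O=Technische Universitaet Darmstadt' || return 1
}

case "${1:-}" in
    register) register_account ;;
    request)  request_cert ;;
    check)    check_issued_cert "$2" || { echo "issued certificate rejected" >&2; exit 1; }
              systemctl reload nginx ;;  # adjust to the service that uses the certificate
    *)        echo "usage: $0 register | request | check <fullchain.pem>" >&2 ;;
esac
```

Run `register` once per client with the access data from Step 2, then `request` per host; certbot's timer then renews automatically (Step 4) and calls the `check` hook on every renewal, so a certificate that no longer matches the host or lacks the organisation is never put into service.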