What are certificates for webservers?
Server operators can apply for a server certificate to enable users of their server to establish a secure connection to the server. Such certificates are primarily used to identify WWW servers whose address begins with https:// instead of http://, but also e-mail servers and other servers to which an encrypted connection can be established using Transport Layer Security (TLS, formerly SSL).
The RWTH Certification Authority works within the framework of the Public Key Infrastructure (PKI) of the DFN Association (German Research Network) to support science, research and teaching.
RWTH obtains its web server certificates from the GÉANT Trusted Certificate Service; the current certificate provider is Harica. Applications are made via the RA portal.
Certificate chains:
- Sectigo (GÉANT/TCS): several certificate chains are applicable; they all end at the root certificate "AAA Certificate Services" of "Comodo CA Limited".
- Harica: for RSA keys, the certificate chain ends in the root certificate "Hellenic Academic and Research Institutions RootCA 2015".
- Harica: for elliptic curve keys, the certificate chain ends in the root certificate "Hellenic Academic and Research Institutions ECC RootCA 2015".
Root certificates are automatically supplied with common browsers and other relevant applications (during software installation or update). This means that the server certificates issued can be validated worldwide.
The server certificates issued by Sectigo and Harica all have exactly the following "key usages" (X509v3 extensions):
- X509v3 Key Usage: critical
  - Digital Signature, Key Encipherment
- X509v3 Extended Key Usage:
  - TLS Web Server Authentication, TLS Web Client Authentication
All server certificates are valid for 365 days (as of 10.01.2025).
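To confirm that a delivered certificate matches the profile listed above (key usage, extended key usage, validity period), a check along the following lines can be run against the PEM file. This is an added example, not tooling from RWTH or the certificate provider; the function names are hypothetical, and it assumes OpenSSL 1.1.1 or later and GNU `date`.

```bash
#!/usr/bin/env bash
# Added example: compare a PEM certificate with the profile stated on this page.
# Assumes OpenSSL >= 1.1.1 (x509 -ext) and GNU date (-d). Names are hypothetical.

WANT_KU="Digital Signature, Key Encipherment"
WANT_EKU="TLS Web Client Authentication, TLS Web Server Authentication"  # sorted
MAX_DAYS=365

# Names in one extension, sorted and joined, so the order in the cert is irrelevant.
ext_names() {  # $1 = PEM file, $2 = keyUsage | extendedKeyUsage
    openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | sed '1d' \
        | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | sort | paste -sd, - | sed 's/,/, /g'
}

# True if the Key Usage extension carries the "critical" flag.
ku_is_critical() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | head -n1 | grep -q critical
}

# Whole days between notBefore and notAfter.
validity_days() {
    local nb na
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -ud "$na" +%s) - $(date -ud "$nb" +%s)) / 86400 ))
}

# Returns 0 if the certificate matches the profile; prints each deviation otherwise.
check_cert_profile() {  # $1 = PEM certificate file
    local rc=0 ku eku days
    ku=$(ext_names "$1" keyUsage)
    eku=$(ext_names "$1" extendedKeyUsage)
    days=$(validity_days "$1")
    [ "$ku" = "$WANT_KU" ]      || { echo "key usage mismatch: '$ku'"; rc=1; }
    ku_is_critical "$1"         || { echo "key usage not marked critical"; rc=1; }
    [ "$eku" = "$WANT_EKU" ]    || { echo "extended key usage mismatch: '$eku'"; rc=1; }
    [ "$days" -le "$MAX_DAYS" ] || { echo "validity of $days days exceeds $MAX_DAYS"; rc=1; }
    return $rc
}

# Stand-alone use: ./check_profile.sh server-cert.pem
if [ -n "${1:-}" ]; then check_cert_profile "$1"; fi
```

The chain itself can be checked separately with `openssl verify` against the root certificate named above for the relevant provider.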