What are certificates for webservers?
Public Key Certificates (as defined by X.509) bind a public cryptographic key to the identity of its owner and possibly to further attributes (e.g. an e-mail address or an organisation). A relying party verifies that binding via the signature of the issuing certification authority (refer to public key cryptography for more technical information).
The key pair behind a (TLS/SSL) server certificate lets the server prove its identity to the client, and on that basis the two sides negotiate session keys for end-to-end encryption between the user application and the server (e.g. TLS for HTTPS in a browser; X.509 certificates are likewise used by IPsec VPNs and by some SSH deployments).
The RWTH Registration Authority ("RWTH RA") is part of the DFN-PKI, the public key infrastructure operated by the DFN (German National Research and Education Network).
The certificate applicant must be affiliated with RWTH Aachen University.
Webserver certificates for the RWTH are (or were) issued:
- from 16.12.2022 to 09.01.2025 by Sectigo CA as part of GÉANT TCS (Trusted Certificate Service);
- from 07.02.2025 by Harica CA under a new DFN contract.
Every certificate chain in use ends at a root certificate that is shipped as a built-in trust anchor ("built-in token"):
- Sectigo (GÉANT/TCS): several certificate chains are in use; all of them end at the root certificate "AAA Certificate Services" of "Comodo CA Limited".
- Harica, RSA keys: the certificate chain ends at the root certificate "Hellenic Academic and Research Institutions RootCA 2015".
- Harica, elliptic-curve keys: the certificate chain ends at the root certificate "Hellenic Academic and Research Institutions ECC RootCA 2015".
Root certificates (built-in tokens) are part of the trust store that ships with standard browsers, operating systems and other relying applications (that is, they belong to the software installation), which lets those applications validate the certificates further down the chain automatically. Only the root is taken from the trust store: the server itself must be configured to send its own certificate together with the intermediate CA certificates, otherwise clients cannot build the chain up to the root.
All server certificates issued by Sectigo (GÉANT/TCS) and Harica carry the following key usages (X509v3 extensions, named as openssl x509 -text displays them):
- X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
- X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
"critical" means that a client which does not understand the Key Usage extension must reject the certificate. Of the two key usages, Key Encipherment is only exercised by the static RSA key exchange of TLS 1.2 and earlier; with (EC)DHE cipher suites and with TLS 1.3 the server key is used for Digital Signature only.
All server certificates are valid for 365 days from issuance (as of 10.01.2025), so renewal and replacement must be planned on an annual basis.
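As an added example (not part of the original RWTH/DFN page), the following Python script, using only the standard library, performs the client-side checks that the points above call for: it decodes a Key Usage and an Extended Key Usage extension value exactly as they are encoded in DER, reports which of the three expected root certificates are absent from a trust-store listing, and computes the validity period from a certificate's notBefore/notAfter timestamps. The extension bytes and the certificate dict in the block are constructed for illustration (the hostname server.example.org and the issuer "Example Intermediate CA" are placeholders), but the byte encodings are the ones an issued certificate carries for the usages listed above.

```python
"""Client-side checks for a TLS server certificate (added example, standard library only)."""
import ssl

# KeyUsage bit positions from RFC 5280, section 4.2.1.3, with OpenSSL's display names.
KEY_USAGE_BITS = [
    "Digital Signature", "Non Repudiation", "Key Encipherment", "Data Encipherment",
    "Key Agreement", "Certificate Sign", "CRL Sign", "Encipher Only", "Decipher Only",
]

# ExtKeyUsage OIDs from RFC 5280, section 4.2.1.12, with OpenSSL's display names.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
}

# Root certificates named on the page as the ends of the Sectigo and Harica chains.
EXPECTED_ROOTS = {
    "AAA Certificate Services",
    "Hellenic Academic and Research Institutions RootCA 2015",
    "Hellenic Academic and Research Institutions ECC RootCA 2015",
}

# Constructed sample inputs (not copied from a real certificate): the DER encoding of
# "Digital Signature, Key Encipherment" (bits 0 and 2 set, 5 unused bits) and of
# serverAuth + clientAuth (a SEQUENCE of two OBJECT IDENTIFIERs).
SAMPLE_KEY_USAGE = bytes.fromhex("03 02 05 a0")
SAMPLE_EKU = bytes.fromhex("30 14  06 08 2b 06 01 05 05 07 03 01  06 08 2b 06 01 05 05 07 03 02")

# Constructed sample in the dict shape ssl returns (placeholder names, one-year validity).
SAMPLE_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "server.example.org"),)),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Feb  7 00:00:00 2025 GMT",
    "notAfter": "Feb  7 00:00:00 2026 GMT",
}


def _read_tlv(data, offset=0):
    """Read one DER tag-length-value at offset; returns (tag, value, offset after it)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der):
    """Decode a KeyUsage extension value (DER BIT STRING) into its usage names."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused_bits, bits = value[0], value[1:]
    used = []
    for i in range(len(bits) * 8 - unused_bits):  # bit 0 is the most significant bit
        if bits[i // 8] & (0x80 >> (i % 8)):
            used.append(KEY_USAGE_BITS[i])
    return used


def _decode_oid(raw):
    """Decode OID contents: first octet packs the first two arcs, base-128 octets follow."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for octet in raw[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_extended_key_usage(der):
    """Decode an ExtKeyUsage value (SEQUENCE OF OID) into names, or dotted OIDs if unknown."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage entries must be OBJECT IDENTIFIERs")
        oid = _decode_oid(raw)
        names.append(EKU_NAMES.get(oid, oid))
    return names


def common_name(name):
    """Pull commonName out of the nested-tuple name form used by Python's ssl module."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def missing_roots(ca_certs, expected=frozenset(EXPECTED_ROOTS)):
    """Return the expected root CNs that are absent from ca_certs (a list of ssl cert dicts)."""
    present = {common_name(cert.get("subject", ())) for cert in ca_certs}
    return sorted(expected - present)


def trust_store_roots(cafile=None):
    """List the CA certificates of the default trust store (or of cafile) as ssl cert dicts."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def validity_days(cert):
    """Validity period in whole days from an ssl cert dict's notBefore/notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


if __name__ == "__main__":
    print("Key Usage:", ", ".join(decode_key_usage(SAMPLE_KEY_USAGE)))
    print("Extended Key Usage:", ", ".join(decode_extended_key_usage(SAMPLE_EKU)))
    print("Validity (days):", validity_days(SAMPLE_CERT))
    print("Roots missing from local trust store:", missing_roots(trust_store_roots()))
```

One caveat on the trust-store check: ssl.SSLContext.get_ca_certs() only lists certificates that have actually been loaded, and OpenSSL loads certificates from a hashed capath directory lazily, so on distributions that rely on a capath the list can be empty. Pass the bundle file explicitly in that case (trust_store_roots(cafile="/etc/ssl/certs/ca-certificates.crt") on Debian-based systems); an empty result then means the bundle really lacks the root, not that it has not been touched yet.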