CA certificates
The tables below list all ever used X.509 certificates of the University Certification Authority Münster as well as the respective superordinate certification authorities in different formats. The years indicate the periods of use, not the periods of validity.
For security reasons certificates are always used for a limited period only as specified in the certification policies. Thereafter new certificates are used. The old certificates remain valid until their end of life, however, and are still needed to check the certificates issued with them.
When clicking on Import the certificate is downloaded in binary format for automatically importing into your WWW program. When clicking on Binary the certificate is downloaded in the same format but for saving as file. When clicking on Text (.pem) or Text (.crt), the certificate is downloaded in PEM format for saving with the indicated file name extension. When clicking on Binary (.p7b), the certificate is downloaded in PKCS#7 format for saving with the indicated file name extension.
PDF certificates
The digital PDF IDs are signed directly by the root certificate of our own PDF CA, so there is no hierarchy or chain.
|
PDF CA (root CA) |
|---|---|
Now |
Import (.der) |
“TCS” certificates
GÉANT TCS uses different CA certificates from different contractors for different key types (RSA, ECC), different certificate purposes (person, code signing, server), different scopes of application (normal, eScience), different request paths (normal, ACME) and different time periods (2021→2025, 2025→now).
The root certificates are built into all current programs. Very old software does not yet recognize newer root certificates, which is why such root certificates are cross-certified by older root certificates. (Only) If you need very old software to be able to establish connections to your server, you should use the chain with the cross-certificate.
“Global” certificates and predecessors
These hierarchies were in use until end of 2024.
“Community” certificates
|
intermediate CA |
root CA |
chain (see below.) |
|---|---|---|---|
2042 |
DFN-Verein Community Issuing CA 2022 |
DFN-Verein Community Root CA 2022 |
Remarks
The column chain lists files containing the certificates of the CA of the University of Münster and the superordinate certification authorities, both with and without the respective root certificate. Those who operate Apache WWW servers should download the file without root certificate and indicate this file in the configuration option SSLCertificateChainFile to save the users from importing the CA certificate into their browsers.
Those who operate other SSL/TLS server software should indicate in the configuration first the private key of the server, second the certificate of the server, and third the chain without root. With some software it may be necessary to merge all three parts in this order, perhaps separated by an empty line, into a simple text file and to indicate this file in the configuration.
Usually, the cross certificate and the alternative root certificate should no longer be needed. Only very old software does no longer know the USERTrust root certificates.