Service Server certificates

New provider for server certificates

As of 02.03.2023, the URZ is issuing new certificates via the CaeSaR platform. All texts have been updated accordingly.

Certificates for encrypted connections to decentralized servers

Server certificates are used to verify the identity of a system to requesting clients. This protective measure is required for all publicly accessible remote server systems, and strongly recommended for systems that can be accessed internally.

The certificates are made available by DFN-Verein via the TCS (Trusted Certificate Services) service of the European research network GÉANT and provided by the cybersecurity provider Sectigo. The URZ is the local contact and registration point for the issuing process. These certificates enable you to establish encrypted connections (https) to the decentralized server and are recognized by all major browsers and email clients.

CaeSaR: Service for certificate request submission (only from the university network)

Target group

IT representatives
EDP representatives
Certificate representatives
URZ employees

Use

Ability to obtain certificates for secure, encrypted connections to a remotely located server

Access and requirements

The following requirements must be fulfilled to be able to request a certificate:

The person requesting the certificate must be registered as an IT representative, an EDP representative, a certificate representative or be an employee at the URZ.
A Certificate Signing Request (CSR) must be prepared.

For a detailed description of the certificate issuing process, please refer to the linked instructions.

How-to: Create a server certificate

Frequently Asked Questions

Table filters

Table

Can certificates with IP addresses be created?	This is unfortunately only available with a great deak of time and effort, as the corresponding IP must be enabled manually and with the approval of several parties. Please contact us by mail at it-security[at]urz.uni-heidelberg.de if it is a technical requirement for you to be issued such a certificate.
How do I become a certificate representative? What rights come with this role?	As with the IT and EDP officers, this designation is made by the management of the institute. In the coming days, we will publish detailed instructions and a corresponding registration form. Certificate representatives can log on to the CSR submission platform CaeSaR where they can submit CSRs.
My browser isn't connecting to CaeSaR. What's going on?	Is your computer connected to the university network, either physically or through a VPN? For security reasons, CaeSaR can only be reach through internal IPs.
Which profiles are supported by the new certificates?	All certificates support ServerAuth and ClientAuth for the certificate purpose.
How do a get a certificate chain?	The certificate chain will also be linked in the email sent to download the certificate.
What technical changes come with the new certificates?	The new certificates only contain the primary attributes CN, O, ST, C. The attribute ST contains an umlaut ("Baden-Württemberg") which may lead to validation problems. Please check the new certificates prior to the changeover and factor in some lead time a test system.
How do I revoke my own certificate?	To revoke a certificate, please go to the linked page. Select option 2a if you wish to continue using the private key and 2b if the key is to be replaced. If the methods offered there are not sufficient, please contact it-sicherheit[at]urz.uni-heidelberg.de with the certificate IDs of the certificates to be revoked.

How-tos

How-to

Create a server certificate

The following how-to explains how you can create a server certificate.

Deutsch

Contact