Security certificates

To better ensure the authenticity and integrity of IT services offered over the Internet, security certificates are used for web servers, for example. Certificates for data processing systems are traced back within a public key infrastructure (PKI) in a "certification hierarchy" to a trusted root certification authority (CA).

The University of Erfurt has joinedthe PKI of the German research network DFN-PKIand uses the possibility of outsourced technical operation of the certification authority "Universitaet Erfurt CA" within the framework of the DFN-PKI service.

The registration authority, which is upstream of the certification authority for organizational tasks, is operated by the University Computer and Media Centre (URMZ) and must adhere to the certification policy of the DFN-PKI (declaration on certification operation and its own declaration can be found here).

Certificates for data processing systems of the University of Erfurt as well as user certificates in justified cases can be issued via this body.

The operation of the certification authority by the DFN is one of the prerequisites for participation in the DFN-PKI at the "Global" security level. The advantage of this security level is that the "authentication hierarchy" is traced back to the trusted root certification authority "T-TeleSec GlobalRoot Class 2", which is already stored in several display programs for Internet content and e-mail programs. On IT systems administered by the University Computer and Media Centre (URMZ), the integration of the corresponding trusted root certification authority is standard.

If you use programmes where the required root certification authority is not yet stored, you have the possibility to turn off security warnings by importing the certificates of the "authentication hierarchy".

To do this, it is best to use the website of the registration authority and import the root certificate, the "DFN-PCA" certificate and the "Universitaet Erfurt CA" certificate in the CA tab one after the other. For this, the root certificate must be accepted at least temporarily until the certificates have been imported. So that invalid certificates of the "Universitaet Erfurt CA" are no longer accepted, you should also install the certificate revocation list.

The correctness of the certificates should be checked by comparing the fingerprints.

Frank Becker
IT-Sicherheitsbeauftragter
(University Computer and Media Centre)