
Server certificates with GÉANT TCS

We recommend automating the issuance of server certificates using Let’s Encrypt with acme4netvs.

If this is not an option for you (e.g. because the server can’t connect to the internet), you can also request certificates using GÉANT TCS.

Available Certificate Profiles

The following certificate profiles are available via TCS:

| Profile | Certificate Term | Available Key Types |
|---|---|---|
| OV Multi-Domain | 365 days | Elliptic Curve (EC): P-256 (256 bit), P-384 (384 bit); RSA: 2048 bit, 3072 bit, 4096 bit |
| IGTF Multi-Domain | 395 days | Elliptic Curve (EC): P-256 (256 bit), P-384 (384 bit); RSA: 2048 bit, 3072 bit, 4096 bit, 8192 bit |

Warning

IGTF Multi-Domain is specially designed for the grid environment and reserved for this use. The authorization for this is checked by us before issuance.

Request Process

  1. Create a Certificate Signing Request (CSR) with all domains required in the certificate as Subject Alternative Name (SAN). The Common Name (CN) can be any domain. Make sure that the Private Key corresponds to one of the key types listed above, otherwise the certificate cannot be issued.
  2. Send the CSR by mail to ca@kit.edu. The mail must meet the following conditions:
    • The mail must be S/MIME signed by a person authorized for the domain.
    • The subject line must begin with [TCS Certificate Request].
    • The mail address that should receive the completed certificate and notifications about it must be explicitly specified in the mail body.
    • Optional: We appreciate a short explanation why Let’s Encrypt is (currently) not an option for you.
  3. We issue the certificate after checking the permissions.
  4. You will receive a download link to the certificate and the certificate chain by mail from support@cert-manager.com.
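
One way to carry out step 1 and check the CSR before mailing it, as an added example that is not part of the original page. It assumes the OpenSSL command line tool in version 1.1.1 or later (for -addext); the function names are hypothetical and any hostnames passed in are placeholders.

```shell
#!/bin/sh
# Added example, not the CA's own tooling; function names are hypothetical.

# make_csr KEY CSR HOST...  - new EC P-256 key plus a CSR with every HOST as SAN.
make_csr() {
    key=$1; csr=$2; shift 2
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    # The subshell keeps the restrictive umask local; the key is written mode 0600.
    ( umask 077
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" ) || return 1
    # Step 1 allows any domain as CN; the first HOST is used here.
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$1" -addext "subjectAltName=$san"
}

# csr_sans CSR  - print the DNS names in the CSR's SAN extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# csr_key_ok CSR  - succeed only for a key type from the OV Multi-Domain row.
csr_key_ok() {
    text=$(openssl req -in "$1" -noout -text) || return 1
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p')
    if [ "$alg" = "id-ecPublicKey" ]; then
        size=$(printf '%s\n' "$text" | sed -n 's/^ *NIST CURVE: //p')
    else
        size=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    fi
    case "$alg/$size" in
        id-ecPublicKey/P-256|id-ecPublicKey/P-384) return 0 ;;
        rsaEncryption/2048|rsaEncryption/3072|rsaEncryption/4096) return 0 ;;
        *) echo "key type $alg/$size is not on the list" >&2; return 1 ;;
    esac
}

# check_csr CSR HOST...  - key type allowed and every HOST present as SAN.
check_csr() {
    csr=$1; shift
    csr_key_ok "$csr" || return 1
    sans=$(csr_sans "$csr")
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$h" || { echo "missing SAN: $h" >&2; return 1; }
    done
}
```

Only the CSR file goes into the mail; the private key stays on the server.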

Note

If the system previously used a certificate from DFN-CA Global and the software running on it does not use the certificate store of the operating system, the certificate chain must be imported. This is often the case with Java software, for example. A download link for the certificate chain is part of the certificate mail.