Security certificates

To better ensure the authenticity and integrity of IT services offered over the Internet, security certificates are used for web servers, for example. Certificates for data processing systems are traced back within a public key infrastructure (PKI) in a "certification hierarchy" to a trusted root certification authority (CA).

The University of Erfurt has joinedthe PKI of the German research network DFN-PKIand uses the possibility of outsourced technical operation of the certification authority "Universitaet Erfurt CA" within the framework of the DFN-PKI service.

The registration authority, which is upstream of the certification authority for organizational tasks, is operated by the University Computer and Media Centre (URMZ) and must adhere to the certification policy of the DFN-PKI (declaration on certification operation and its own declaration can be found here).

Certificates for data processing systems of the University of Erfurt as well as user certificates in justified cases can be issued via this body.

The operation of the certification authority by the DFN is one of the prerequisites for participation in the DFN-PKI at the "Global" security level. The advantage of this security level is that the "authentication hierarchy" is traced back to the trusted root certification authority "T-TeleSec GlobalRoot Class 2", which is already stored in several display programs for Internet content and e-mail programs. On IT systems administered by the University Computer and Media Centre (URMZ), the integration of the corresponding trusted root certification authority is standard.

If you use programmes where the required root certification authority is not yet stored, you have the possibility to turn off security warnings by importing the certificates of the "authentication hierarchy".

To do this, it is best to use the website of the registration authority and import the root certificate, the "DFN-PCA" certificate and the "Universitaet Erfurt CA" certificate in the CA tab one after the other. For this, the root certificate must be accepted at least temporarily until the certificates have been imported. So that invalid certificates of the "Universitaet Erfurt CA" are no longer accepted, you should also install the certificate revocation list.

The correctness of the certificates should be checked by comparing the fingerprints.

User certificates

If you are interested in a user certificate, please contact the responsible employee!

User certificates can be used to sign and encrypt your own e-mails. Private and public keys with certificates according to the X.509 standard are used for this purpose. The user's own private key is used to sign the e-mail and the recipient's public key is used to encrypt it. If communication has already taken place, the public key of the communication partner can be stored and used by transferring his mail address into the address book. If no communication has taken place before, the recipient of an encrypted e-mail must provide his public key, either for download or published in a directory ( ). The validity of the user certificate is 3 years, i.e. a new application must then be submitted.

Required steps for the use of user certificates:

  1. Submit an informal application by mail to
  2. Follow the instructions in the invitation mail
  3. Install the certificate sent to you in your Windows or mail program (e.g. in Outlook under File/Options/Trust Center/Settings/E-Mail Security/Standard Settings), store the private key securely (not in freely accessible directories)
Frank Becker
(University Computer and Media Center)
Kommunikations- und Informationszentrum (KIZ)