Server certificates with GÉANT TCS
We recommend automating the issuance of server certificates with Let’s Encrypt using acme4netvs.
If that is not an option for you (e.g. because the server cannot reach the internet), you can also request certificates through GÉANT TCS.
Validity period of server certificates in the future
The validity period of server certificates will be reduced step by step to 47 days over the coming years. Manually issued server certificates will no longer be a time-efficient option by 2027, or by 2029 at the latest, and manually issued, globally trusted server certificates will most likely disappear altogether. Please familiarize yourself with ACME as a matter of urgency and implement it for your TLS-enabled services.
Request Process
Your certificate request will only be accepted if one of the following prerequisites holds for every FQDN:
- You are an IT commissioner (ITB) for the OU that’s associated with the FQDN OR
- You have edit rights for the FQDN inside NETVS
Create an account with HARICA
Only if you do not yet have a HARICA account
You can skip this step if you already have a suitable HARICA account.
Create an account on the HARICA registration page. Use an email address that belongs to your KIT account and satisfies the approval prerequisites above.
DO NOT use Academic Login
Academic Login does not work here, or at least not completely. Please do not attempt to create an account this way.
Submit certificate request
Log into HARICA Certificate Manager.
Select 🔒 Server on the left side:
Enter all domain names for your certificate. If not required, deselect the option Include www….
According to our tests, the import function is pretty fragile. You are welcome to try uploading an existing request there. If this fails, you will unfortunately have to enter it manually.
Select one of the Free options:
Now please click through until you reach the last section, Submit Request:
You now have two options:
- You can generate the private key in the browser OR
- You can generate the private key locally or directly on the server.
Some software only supports the second option, because it generates the key itself and offers no way to export it.
Instructions for creating keys and requests with common software can be found here.
1. Key generation in the browser
Unless you need to support ancient or otherwise limited devices (such as embedded hardware), choose ECDSA as the algorithm with a key size of 256. Otherwise, choose RSA with a key size of 3072.
Set a password for the private key, check both boxes, and click Generate Private Key, CSR, and submit order.
In the second step, download the private key:
2. Key generation on device
Paste the contents of your certificate request into the text field, check the box below, and click Submit request.
The new request will now appear in the Dashboard under Pending Certificates.
We will issue the certificate after checking the approval prerequisites mentioned above. HARICA will notify you by email; you can then open the download dialog for the certificate in the dashboard (icon to the left of the entry).
Here you can download the certificate (and the chain) in various formats. What exactly you need depends on the software you are using. If necessary, consult the relevant documentation.
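The following script is an added example and is not part of these instructions or of HARICA's tooling. It covers both option 2 above (generating the private key and the certificate request on the device with the openssl command line, ECDSA P-256 or RSA 3072 as recommended) and the download step (checking that the certificate you fetched from the dashboard belongs to your private key, chains to the root through the supplied chain file, and is not about to expire). It assumes OpenSSL 1.1.1 or newer; all hostnames are constructed placeholders, and `demo_issue` builds a constructed root and intermediate CA purely so the script can be run offline; with a real certificate you would pass HARICA's chain and root files to `check_issued_cert` instead.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the openssl CLI (1.1.1+).
# gen_key_and_csr  : option 2 above, key + CSR made locally, key never leaves the host
# check_issued_cert: sanity checks on the certificate downloaded from the dashboard
# demo_issue       : constructed stand-in CA so the script runs offline (not HARICA)
set -eu

# gen_key_and_csr DIR ALG HOST [HOST...]
# ALG is "ec" (P-256) or "rsa" (3072 bits). Writes DIR/server.key and DIR/server.csr;
# the first HOST becomes the CN and every HOST becomes a DNS subjectAltName.
gen_key_and_csr() {
  dir=$1; alg=$2; shift 2
  [ $# -ge 1 ] || { echo "at least one hostname required" >&2; return 1; }
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  case "$alg" in
    ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" ;;
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/server.key" ;;
    *)   echo "unknown algorithm: $alg (use ec or rsa)" >&2; return 1 ;;
  esac
  chmod 600 "$dir/server.key"
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$1" -addext "subjectAltName=$san"
}

# csr_sans FILE: print the DNS SANs of a CSR or certificate, comma separated, no spaces
csr_sans() {
  openssl req -in "$1" -noout -text 2>/dev/null || openssl x509 -in "$1" -noout -text
} 
csr_sans() {
  { openssl req -in "$1" -noout -text 2>/dev/null || openssl x509 -in "$1" -noout -text; } \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# pubkey_of FILE: PEM public key of a private key (.key), a CSR (.csr) or a certificate
pubkey_of() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *)     openssl x509 -in "$1" -noout -pubkey ;;
  esac
}

# check_issued_cert CERT CHAIN ROOT KEY MIN_DAYS
# Succeeds only if CERT's public key equals KEY's, CERT verifies to ROOT via the
# intermediates in CHAIN, and CERT remains valid for at least MIN_DAYS more days.
check_issued_cert() {
  [ "$(pubkey_of "$1")" = "$(pubkey_of "$4")" ] \
    || { echo "certificate does not match private key" >&2; return 1; }
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 \
    || { echo "chain does not verify against root" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend $(( $5 * 86400 )) >/dev/null \
    || { echo "certificate expires within $5 days" >&2; return 1; }
}

# demo_issue DIR DAYS: constructed root + intermediate CA that signs DIR/server.csr
# for DAYS days, copying the SANs from the CSR. Stand-in for HARICA, offline only.
demo_issue() {
  dir=$1; days=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Demo Root (constructed)" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 60 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/int.key"
  openssl req -new -key "$dir/int.key" -subj "/CN=Demo Intermediate (constructed)" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -days 60 -extfile "$dir/ca.ext" -out "$dir/chain.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$(csr_sans "$dir/server.csr")" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days "$days" -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

# Usage: OUT=/etc/ssl/private sh tcs-csr.sh ec host.example.org alias.example.org
# Prints the CSR to paste into the HARICA form. With no arguments, only defines functions.
if [ $# -ge 2 ]; then
  out=${OUT:-.}
  gen_key_and_csr "$out" "$@"
  echo "CSR to paste into the HARICA text field (SANs: $(csr_sans "$out/server.csr")):"
  cat "$out/server.csr"
fi
```

After downloading the issued certificate and chain from the dashboard, `check_issued_cert server.crt chain.pem root.crt server.key 14` is the check worth running before installing: a public key mismatch means the wrong CSR was submitted, a chain failure usually means the intermediate file is missing or in the wrong format, and the expiry check is a reminder that the 47-day validity makes the manual path impractical.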
This is where you can also revoke your certificate yourself or add additional email addresses that will be notified when the certificate expires.