At the end of January 10, 2025, the service provider Sectigo stopped issuing certificates (server, user and code signing certificates) for all GÉANT TCS customers. This affects a large number of (research) institutions in Europe, including many in Germany, as well as the University of Hohenheim.

There is already a new provider and we have made the appropriate preparations. New functions are currently being implemented. As soon as server or user certificates can be requested and issued again, we will provide information and update this website. In urgent cases, please contact us by e-mail.

What are server certificates used for?

Server certificates are used to enable a secure connection between server and client, for example, when sensitive data is to be transferred over a public network. The best-known example is the web server. The addresses of secure connections start with https and are specially highlighted in the address bar of browsers.

Please note! Important IT security message

The German Federal Office for Information Security (BSI) strongly recommends the use of SSL/TLS certificates with a key length of at least 3072 bits (but no more than 4096 bits) in guideline TR-02102-2 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html). A longer key length offers a higher level of security against cryptographic attacks.

Therefore, please check whether your current SSL/TLS certificates (server certificates) have a sufficiently large key length. If you are currently using server certificates with a smaller key length, we recommend that you migrate to server certificates with a key length of at least 3072 bits as soon as possible.

Please note that the private key must also be replaced. The script (certificateapplication.sh) on login.uni-hohenheim.de has now been adapted to a key length of 4096 bits.
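
One way to run the key-length check described above, as an added example (not the university's certificateapplication.sh and not code from this page): it reads a PEM certificate with openssl and compares an RSA key against the 3072 to 4096 bit range. The function names, the sample-certificate helper and the choice to report non-RSA keys as not evaluated are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a certificate's RSA key length against the range
# quoted on this page (at least 3072 bits, no more than 4096 bits).
MIN_BITS=3072
MAX_BITS=4096

# Print "<public key algorithm> <bits>" for a PEM certificate file.
cert_key_info() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public[- ]Key: \(/ {
            if (match($0, /[0-9]+ bit/)) bits = substr($0, RSTART, RLENGTH - 4)
        }
        END { if (alg == "" || bits == "") exit 1; print alg, bits }'
}

# Return 0 if the RSA key is in range, 1 if it is out of range,
# 2 if the file is unreadable or the key is not RSA (not evaluated here).
check_cert_key() {
    info=$(cert_key_info "$1") || { echo "$1: cannot read certificate"; return 2; }
    alg=${info% *}
    bits=${info#* }
    case $alg in
        rsaEncryption) ;;
        *) echo "$1: $alg key ($bits bit), RSA range not applied"; return 2 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$1: RSA $bits bit is below $MIN_BITS, replace certificate and private key"
        return 1
    elif [ "$bits" -gt "$MAX_BITS" ]; then
        echo "$1: RSA $bits bit is above $MAX_BITS"
        return 1
    fi
    echo "$1: RSA $bits bit OK"
}

# Constructed sample input: throwaway self-signed certificate with an RSA key
# of $1 bits, written to $2 (the key goes to $2.key). For trying the check only.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=server1.example.invalid" -days 1 >/dev/null 2>&1
}

# Check every certificate file given on the command line.
for cert in "$@"; do
    check_cert_key "$cert"
done
```

Pass one or more PEM certificate files as arguments; a result below 3072 bits means requesting a new certificate together with a newly generated private key, as noted above.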

FAQ

WebForm

The validity is 365 days (1 year).

Yes! You will receive the first reminder 30 days before your certificate expires. The second reminder will be sent 14 days before your certificate expires.

Please do not request a certificate! First, send us an email with the note "Missing account" and the FQDN (e.g. server1.subdomain.uni-hohenheim.de) of the server to be certified to kim-pki@uni-hohenheim.de. We will create an account for you and inform you when it has been created. After this, you can select your institute/department under "Select Enrollment Account".

When creating the CSR using our certificateapplication.sh script (as described in our instructions under “Prerequisites / Preparations”), the private key is usually stored in your home directory (CIFS) /home/[first letter of username]/[username]/[specified FQDN of server]/.
If you did not use the above script and generated your CSR and private key yourself, you will find the private key in your self-specified directory.

ACME

If you receive the following or a similar error message, you are not authorized to obtain a certificate for the named (sub)domain. Check the mentioned (sub)domain for spelling mistakes or submit an application for the domain via kim-pki@uni-hohenheim.de.

acme.messages.Error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The identifiers are not all linked to the same preauthorized Subject organization name/address
2023-03-30 17:12:48,832:ERROR:certbot._internal.log:An unexpected error occurred:
2023-03-30 17:12:48,832:ERROR:certbot._internal.log:The identifiers are not all linked to the same preauthorized Subject organization name/address
