skip to content

Server certificates

In the web area, you can recognize encryption by the protocol name "HTTPS". The server needs a certificate to be able to identify itself as 'legit' to the requesting client. 

Since the end of 2015, there has been a free certificate authority called Let's Encrypt. This is represented in the common browsers and e-mail programs, so visitors to websites that are operated with Let's Encrypt-based certificates do not receive any security warnings, as would be the case with so-called self-signed certificates. The RRZK also uses this service for the majority of the web servers it operates, so that certificates are automatically renewed and in some cases also generated. Newly created web presences, which are administrated by us (e.g. web projects, TYPO3 pages), automatically receive a certificate from Let's Encrypt and are thus accessible via https(-only).

If you operate your own web server, for example a virtual machine at the RRZK, we recommend using Let's Encrypt for this as well.


Web server (hosted by RRZK)

For new web presences on the central web servers of the RRZK you will automatically receive a certificate from Let's Encrypt (see above).  A subsequent conversion of a web project hosted at the RRZK to "SSL" with Let's-Encrypt certificates is possible, but this may involve some work for you as the maintainer of the project, depending on the exact circumstances (conversion of all links to "https"). In this case please contact the webmaster team. 

Self-operated servers

In case of a self-operated web server we recommend the use of a certificate from Let's Encrypt (see above). Instructions for this can be found in numerous places on the net.

If the use of Let's Encrypt is out of the question (e.g. for servers that should only be accessible internally) or if you want to use a certificate from the DFN-affiliated UniKoelnCA for other compelling reasons, please proceed as follows: Request file and key have to be created by yourself. You can use "OpenSSL" for this purpose. A request must contain the name of the server as CommonName (CN) as it will be called i.e. via web browser.

Example: Call for the server "" (one long line):


openssl req -newkey rsa:4096 -out req.pem -keyout key.pem -subj '/ of Cologne/L=Koeln/ST=North Rhine-Westphalia/C=DE'.


Keep the "key.pem" file secret, the "req.pem" file is to be used when interfacing with the CA with the certificate request. You will have to identify yourself using your university account. Then at "Select Enrollment Account" please choose the option "UzK General".

If you have any questions or problems, please contact the RRZK-Helpdesk