skip to content

Server certificates

In the web area, you can recognize encryption by the protocol name "HTTPS". The server needs a certificate to be able to identify itself as 'legit' to the requesting client. 

Since the end of 2015, there has been a free certificate authority called Let's Encrypt. This is represented in the common browsers and e-mail programs, so visitors to websites that are operated with Let's Encrypt-based certificates do not receive any security warnings, as would be the case with so-called self-signed certificates. The RRZK also uses this service for the majority of the web servers it operates, so that certificates are automatically renewed and in some cases also generated. Newly created web presences, which are administrated by us (e.g. web projects, TYPO3 pages), automatically receive a certificate from Let's Encrypt and are thus accessible via https(-only).

If you operate your own web server, for example a virtual machine at the RRZK, we recommend using Let's Encrypt for this as well.


Web server (hosted by RRZK)

For new web presences on the central web servers of the RRZK you will automatically receive a certificate from Let's Encrypt (see above). If, for compelling reasons, you would like a certificate from the DFN-affiliated UniKoelnCA instead, please contact the CA Master Team and make an appointment. Please bring your identity card with you. The key remains in the hands of the RRZK.

A subsequent conversion of a web project hosted at the RRZK to "SSL" with Let's-Encrypt certificates is possible, but this may involve some work for you as the maintainer of the project, depending on the exact circumstances (conversion of all links to "https"). In this case please contact the webmaster team. The subsequent conversion to SSL with DFN certificates is associated with significantly higher effort and is usually not carried out.

Self-operated servers

In case of a self-operated web server we recommend the use of a certificate from Let's Encrypt (see above). Instructions for this can be found in numerous places on the net.

If the use of Let's Encrypt is out of the question (e.g. for servers that should only be accessible internally) or if you want to use a certificate from the DFN-affiliated UniKoelnCA for other compelling reasons, please proceed as follows: Request file and key have to be created by yourself. You can use "OpenSSL" for this purpose. A request must contain the name of the server as CommonName (CN) and the name of your institution (without umlauts) as Organisational Unit (OU).

Example: Call for the server "" of the "Institute for Web Design" (one long line):


openssl req -newkey rsa:2048 -out req.pem -keyout key.pem -subj '/ for Web Design/O=University of Cologne/L=Koeln/ST=North Rhine-Westphalia/C=DE'.


Keep the "key.pem" file secret, the "req.pem" file is to be used when interfacing with the CA with the certificate request. Then report to the RRZK helpdesk for personal authentication. For this purpose, bring your ID card and the written application.

If you have any questions or problems, please contact the RRZK-Helpdesk