Certification Authority of the University of Cologne
Certificates serve to protect confidential data. During transmission, the data is encrypted automatically and thereby protected against unwanted access. On the web, you can recognize an encrypted connection by the protocol name 'HTTPS'. The server needs a certificate to prove to the requesting client that it is 'authentic'. To guarantee the authenticity of a certificate, it is signed and published by so-called 'certification authorities' (CAs).
Let’s Encrypt
The free and open-source certification authority Let's Encrypt has existed since the end of 2015. It is trusted by all common browsers and e-mail programs, so visitors to websites operated with Let's Encrypt-based certificates do not receive security warnings, as would be the case with so-called self-signed certificates. The RRZK also uses this service for the majority of its web servers, so that certificates are renewed automatically and, in some cases, also generated automatically. Newly created web presences that are administered by us (e.g. web projects, TYPO3 pages) automatically receive a certificate from Let's Encrypt and are therefore accessible via https(-only).
If you are running your own web server, for example a virtual machine at the RRZK, we recommend using Let's Encrypt for it as well. Setup instructions are easy to find on the net.
About the Certification Authority (CA) of the University of Cologne
The RRZK also operates a CA within the DFN-Verein. Certificates of the CA University of Cologne are also known to the common browsers and e-mail programs due to their connection to DFN-Verein and Deutsche Telekom. Therefore you should not receive any warnings.
Issued or revoked certificates of the CA of the University of Cologne.
In most cases, it is not necessary to import root certificates, as these are pre-installed as trusted certificates in the common operating systems. If an import is nevertheless necessary, you can obtain the root certificate via the interface of the University of Cologne CA. Follow the instructions of the DFN.
Applying for certificates
Certificate for usage in a web server hosted by RRZK
You will automatically receive a certificate from Let's Encrypt (see above) for new web presences on the central web servers of the RRZK. If you would like a certificate from the UniKoelnCA connected to the DFN instead for compelling reasons, please contact the CA-Master-Team and make an appointment. Please bring your identity card with you. The key remains in the hands of the RRZK.
A subsequent conversion of a web project hosted at the RRZK to 'SSL' with Let's-Encrypt certificates is possible, but depending on the exact circumstances, some work may be necessary for you as the project manager (conversion of all links to 'https'). In this case please contact the Webmaster-Team. The subsequent changeover to SSL with DFN certificates involves much more effort and is usually not carried out anymore.
Certificate for use in a self-operated server
In case of a self-operated web server, we recommend the use of a certificate from Let's Encrypt (see above). Instructions for this can be found on the Internet.
If the use of Let's Encrypt is out of the question (e.g. for servers that should only be accessible internally) or if you want a certificate from the UniKoelnCA connected to the DFN for other compelling reasons, proceed as follows: Create the request file and key yourself. You can use 'OpenSSL' for this. A request must contain as CommonName (CN) the name of the server and as Organisational Unit (OU) the name of your institution.
Example: Call for the server 'webdesign.uni-koeln.de' of the 'Institut für Webdesign' (one long line):
openssl req -newkey rsa:2048 -out req.pem -keyout key.pem -subj '/CN=webdesign.uni-koeln.de/OU=Institut fuer Webdesign/O=Universitaet zu Koeln/L=Koeln/ST=Nordrhein-Westfalen/C=DE'
Keep the 'key.pem' file secret; the 'req.pem' file is the one to use for the certificate request at the interface to the CA. Then contact the RRZK helpdesk for personal authentication. Please bring your identity card and the written application with you.
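A pre-submission check for the request created above, as an added example that is not part of the original page or of RRZK tooling: it confirms that 'req.pem' verifies against its own signature, carries the server name as CN, has an OU, and was produced from 'key.pem'. The function names csr_field and check_csr are hypothetical; the file names and host name are those of the example call.

```shell
#!/bin/sh
# Added example (not RRZK tooling): sanity-check a request before submitting it.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print one subject field of a CSR, e.g. commonName or organizationalUnitName.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n "s/^ *$2 *= //p"
}

# check_csr REQ KEY EXPECTED_CN
# Returns 0 if the request is consistent, otherwise:
#   1 self-signature invalid or file unreadable   2 CN is not the server name
#   3 OU missing   4 request was not made with this key   5 RSA key < 2048 bit
check_csr() {
    req=$1 key=$2 want_cn=$3

    # "req -verify" reports the result as text; older releases exit 0 either way.
    openssl req -in "$req" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    [ "$(csr_field "$req" commonName)" = "$want_cn" ] || return 2
    [ -n "$(csr_field "$req" organizationalUnitName)" ] || return 3

    # The public key embedded in the request must belong to the private key
    # that stays on the server (openssl asks for the passphrase if key.pem has one).
    req_pub=$(openssl req -in "$req" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ] || return 4

    # Key size as used in the example call (rsa:2048).
    bits=$(openssl req -in "$req" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 5
    return 0
}

# Usage: check_csr req.pem key.pem webdesign.uni-koeln.de
```

An exit status of 0 means the request matches the key and the naming rules above; any other status identifies the first check that failed.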
Personal certificates
Please note that due to the closed helpdesk on site, personal certificates can currently only be applied for with significantly increased effort! However, if you absolutely need a personal certificate, please contact camaster@uni-koeln.de immediately after submitting your application.
We issue certificates for "uni-koeln.de" e-mail addresses (including subdomains such as 'wiso.uni-koeln.de') to employees of the University of Cologne. With these certificates, e-mails and documents can be sent signed and received encrypted. The encryption is carried out according to the S/MIME standard. For personal authentication, please contact the RRZK helpdesk with your identity card and the written application, which you receive after filling out the following form:
Interface for users and administrator certificates
You can find further information and instructions at:
https://rrzk.uni-koeln.de/en/e-mail-accounts/electronic-signatures
Contact
If you have any questions or problems, please contact the RRZK helpdesk.