As an ACOnet participant, we can obtain certificates (server, code signing and email) free of charge.
The service is based on a contract between Sectigo Ltd. (Roseland, NJ, USA) and GÉANT (formerly TERENA), the association of European scientific networks (the so-called NRENs), which ACOnet (the operator of the Austrian scientific network and thus provider of Graz University of Technology) has also signed.
Existing certificates from DigiCert remain valid until expiration, but if you import new certificates, you must also import the corresponding certificate from Sectigo and the associated intermediate certificate from GÉANT!
The following applies:
We therefore strongly advise against requesting and processing credit card data without professional processing software!
With the exception of e-mail certificates, all certificates are issued only upon request by IT officers; for OV multidomain SSL certificates for institutes, a web interface is available for this purpose.
Note: Encryption (e.g. HTTPS) says nothing about the security of the data itself, nor about what, for example, the recipient will do with the data (store it unencrypted, publish it, sell it, …), but only something about how the data is transferred from the client (e.g. your browser) to the server (e.g. a bank website). And even with HTTPS, there are different levels of security that you should pay attention to. However, this means that there are quite a few points of attack:
SSL or TLS Server Certificates
SSL or TLS server certificates are required, among other things, for encrypting communication with web servers (https instead of http).
In addition to simple certificates for individual servers, there are also multi-domain certificates (one certificate for several virtual servers on shared hardware) and wildcard certificates (of the type *.institut.tugraz.at).
Due to specifications by the CA/B Forum (an association of browser manufacturers) there are 3 types of server certificates:
Since EV certificates no longer offer any advantage over OV certificates in the browser display, but require significantly more effort to register, we now only support OV certificates.
Since 2022 there are no more OU entries, i.e. only the organization (Graz University of Technology) is listed in the certificate, not the institute. The city (Graz) has also been dropped; the province (Styria) is still possible.
Certificates are ordered by IT officers via https://ssl.tugraz.at/. The link given there must not be passed on, as the applications are validated automatically.
Our new provider also supports the ACME protocol (known from Let's Encrypt). If you want to use this with Certbot, please contact the TCS administrators.
If browsers do not know the root certificate, you can download it from the GÉANT homepage and install it in the client. If the "certificate chain" (server and intermediate or root certificate) is correct on the server, the server certificate should then be accepted by the client (the browser, the email program, etc.).
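The chain behaviour described above, as an added example that is not part of the original page: it builds a constructed root, intermediate and server certificate with OpenSSL and checks that a client trusting only the root accepts the server certificate only when the intermediate is supplied with it. All names and files are made up and merely stand in for the real certificates.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> server); all names are made up
# and stand in for the real root, the GÉANT intermediate and a server certificate.

build_demo_pki() {  # $1 = empty working directory
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Root signs itself, root signs the intermediate, intermediate signs the server.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
        -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" \
        2>/dev/null || return 1
}

# chain_accepted ROOT LEAF [INTERMEDIATE]
# ROOT is the client's trust anchor; INTERMEDIATE models what the server sends
# along with its own certificate. Returns 0 only if verification succeeds.
chain_accepted() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
    fi
}

demo() {
    w=$(mktemp -d) || return 1
    build_demo_pki "$w" || return 1
    chain_accepted "$w/root.pem" "$w/leaf.pem" \
        && echo "server cert alone: accepted" || echo "server cert alone: rejected"
    chain_accepted "$w/root.pem" "$w/leaf.pem" "$w/inter.pem" \
        && echo "server + intermediate: accepted" || echo "server + intermediate: rejected"
    rm -rf "$w"
}
demo
```

Against a real server, the same `openssl verify -CAfile ... -untrusted ...` call can be run on the installed root and the intermediate file configured on the server.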
Code signing certificates are only available for HSM and we only issue OV certificates.
As an identified member of Graz University of Technology (persons with a service/legal relationship or students), you can apply for free personal email certificates via the TCS in order to sign or encrypt e-mails via S/MIME. However, these certificates are only available for identified persons of Graz University of Technology.
Furthermore, under the contract we are only allowed to issue certificates for e-mail addresses for which we can centrally guarantee the assignment e-mail address ⇆ person. This only applies to addresses on the two central e-mail servers of TU Graz.
If both a student and a staff address are stored in the system, then (currently) a certificate can only be requested for the staff address.