Source: Own illustration
The time has come! Since April 1, 2025, user certificates (S/MIME) can again be requested in the RA-Portal. After our previous certificate provider, Sectigo, terminated its contract on January 10, 2025, we now have a new provider. The German Research Network (DFN) and GÉANT have contracted a new provider for public-key certificates. The choice fell on the Greek trusted provider HARICA (Hellenic Academic & Research Institutions Certification Authority). HARICA is a certification authority of the Greek university network GUnet, is specially optimized for research institutions and meets the highest security standards.
What Does This Mean for You?
Not much will change for you as a user, since the RA-Portal user interface remains the same. The S/MIME root certificate from HARICA is automatically included in common browsers and e-mail applications. This means that the issued user certificates issued are automatically trustworthy.
None of the root certificates used by RWTH for user certificates is directly included in the default settings of Adobe Acrobat. This means that all three root certificates (from DFN, Sectigo and HARICA) must be manually installed and declared as trustworthy in Adobe Acrobat. This must be done by both the person signing and the person verifying a digitally signed PDF file. Detailed instructions for configuring trusted certificates and electronic signatures in Adobe can be found on the IT Center Help page.
Another temporary change in the course of the migration to HARICA user certificates concerns the “Firstname Surname” field in the user certificate. This may no longer contain special characters such as umlauts. For example, the name “Jürgen Müller” in the certificate becomes “Juergen Mueller”. In RA-Portal the name “Jürgen Müller”, as read in from Identity Management data, is automatically transcribed to “Juergen Mueller” before being submitted to the certification authority. The transcribed name is displayed for review and confirmation. Now you can also choose in RA-Portal whether the user certificate should be issued with your full first name or with your preferred first name, as entered in RWTH Selfservice.
If you still have valid Sectigo or DFN user certificates, there is no need for action. All existing Sectigo and DFN certificates remain valid until their expiration date. After that, new user certificates can be applied for in RA-Portal (and by HARICA). You can find detailed instructions on how to apply for certificates in RA-Portal on IT Center Help.
Server Certificates
In addition to user certificates, server certificates can also be issued via HARICA. For server certificates, the server administrators must implement the new HARICA TLS chain. The HARICA TLS root certificates are preinstalled in all common browsers.
Identity Verification
Employees and students still do not need to have their identity verified in order to apply for a user certificate, as the RA-Portal automatically retrieves your authorization from the Identity Management system. All other applicants must undergo a one-time identity verification at the IT ServiceDesk.
Responsible for the content of this article are Janin Iglauer, Hannah Loock, Nils Neumann and Ekaterini Papachristou.
The following sources served as the basis for this article:
Leave a Reply