A certification authority confirms the "authenticity" of (WWW) servers, i.e. it guarantees that a certain (WWW) server is really operated by a particular institution. This is necessary in order to ensure the confidentiality of the data transferred between user and server.
Normally, all information on the internet is transferred unencrypted, which means that anyone can read it. For confidential information (this includes, in particular, passwords for user IDs) it should be guaranteed that
- the information is transferred to the correct recipient,
- only the correct recipient can read the information, and
- the information cannot be changed during the transfer.
In the WWW, the confidentiality of the transferred information is achieved with so-called secure connections. All current browsers can establish secure connections to a WWW server. You can recognise a WWW page that is called up via a secure connection by the fact that its WWW address begins with 'https:' instead of 'http:'. You can recognise a secure connection in your browser by a closed lock symbol, e.g. in the footer of your browser window.
Before your browser can establish a secure connection to a WWW server, it must first be able to establish the 'identity' of the server. To do this, the WWW server presents the browser with a certificate that gives information about the operator of the server and the issuer of the certificate. This is where the certification authority that issues the certificate for the server comes into play. Certification authorities themselves also have a certificate, which may in turn be issued by a further certification authority (the 'parent certification authority'). In this way, there is a so-called certification path from the certificate of the server up to a so-called root certification authority, whose certificate is not issued by any further certification authority.
The secure connection is established without further queries only if the browser can follow the certification path back to a (root) certification authority that it regards as trustworthy. Otherwise, you will receive a warning and then have to decide whether to allow the connection. Your browser comes with a pre-installed list of trustworthy certification authorities; you can add further certification authorities if necessary.
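The certification path described above can be reproduced with the openssl command-line tool. The following script is an added example, not part of the ZIM page or of the DFN-PKI: it generates a three-step path (server certificate, issued by an intermediate CA, issued by a self-signed root CA) from constructed test keys and names (Example Root CA, Example Intermediate CA, www.example.test), then runs path validation with different trust stores to show when a verifier can follow the path back to a trusted root, when the path cannot be completed because the intermediate certificate is missing, and when the root is simply not in the list of trusted authorities.

```shell
#!/bin/sh
# Added example: build and validate a certification path with locally generated
# test certificates. All names are constructed; requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal config: a non-interactive DN section plus one extension profile for
# CA certificates and one for end-entity (server) certificates.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Generate a private key and a certificate request for the given subject.
gen_csr() {  # $1 = file base name, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Have an issuer sign a request, applying the named extension profile.
sign_csr() {  # $1 = subject base name, $2 = issuer base name, $3 = extension section
  openssl x509 -req -days 30 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$CFG" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  # Root CA: self-signed, the end of the certification path.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -config "$CFG" -subj "/CN=Example Root CA" -extensions ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA: its certificate is issued by the root ("parent CA").
  gen_csr intermediate "Example Intermediate CA"
  sign_csr intermediate root ca_ext
  # Server certificate: issued by the intermediate.
  gen_csr server "www.example.test"
  sign_csr server intermediate server_ext
}

# Path validation as a browser performs it: the root is in the trust store, the
# intermediate is supplied by the server alongside its own certificate. Succeeds.
verify_full_path() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# The server omits the intermediate certificate: the path cannot be completed
# even though the root is trusted. Fails (a browser would show a warning).
verify_missing_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# The trust store is empty, i.e. the root is not among the trusted authorities.
# The full path is present but leads to an unknown root. Fails.
verify_untrusted_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/intermediate.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Print the path step by step: each certificate's subject and its issuer.
show_path() {
  for c in server intermediate root; do
    openssl x509 -in "$WORK/$c.crt" -noout -subject -issuer
  done
}

build_chain
show_path
```

Running the script prints the subject and issuer of each certificate on the path; the issuer of one step is the subject of the next, and the root's issuer is itself. The three verify functions return the exit status of `openssl verify`, so they can be used directly in shell conditions.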
DFN Association (via the service DFN-PKI) since March 2007. The advantage for server operators at the university who need a certificate is that they can apply for it simply via a web interface. After the applicant has been identified in person at the ZIM, the certificate is generated at short notice and then sent to the applicant by e-mail.
The advantage for all users who want to access servers of the University of Passau securely is that installing a root certificate in the browser is normally no longer necessary: the certificate issued by the UNI-PASSAU CA - G2 is integrated in the DFN certification hierarchy and is therefore categorised as trustworthy by most current browsers.
Here we have summarised detailed information about the procedure for applying for a server certificate.
The document 'SSL-protected connections with the Internet Information Server (IIS) under Windows Server 2003' gives information about the installation of certificates under Windows server operating systems.
A server certificate issued by the UNI-PASSAU CA - G2 is valid for two years and must be applied for again after this period.
Please also note the information from the DFN-PKI on Certificate Transparency.