Certificates

Scientific and educational institutions may purchase server and personal certificates from an external provider through DeiC at a discount. DeiC also offers assistance with the installation and renewal of certificates from both commercial providers and Let's Encrypt.

Types of Certificates Facilitated by DeiC and Their Purpose

The lifespan of certificates may significantly decrease in the near future. Both Google and Apple have proposed reducing certificate validity periods to 90 days, with Apple suggesting a reduction to as little as 10 days by the end of 2027.

Given that Google and Apple together dominate the browser market and both assert that neither Certificate Revocation Lists (CRL) nor the Online Certificate Status Protocol (OCSP) function effectively, it is highly likely that the validity period for TLS certificates will be drastically shortened.

This development prompts institutions to consider:

Do we have an automation strategy for all TLS certificates across our entire organisation?

The answer will often involve using ACME, which simplifies the acquisition of certificates for individual public web servers. Obtaining wildcard certificates or certificates for internal servers, however, requires DNS validation, which is more complex. To simplify and secure this process, DeiC offers a free ACME-DNS service available to institutions connected to the Research Network (Forskningsnettet).

Certificates via GÉANT

Through GÉANT and its Trusted Certificate Service (TCS), DeiC provides certificates to the research and education sector, issued by a commercial provider. GÉANT has partnered with HARICA as the Certificate Authority (CA). HARICA delivers certificates via their self-service portal, offering the following types of certificates:

  • Domain-Validated (DV) and Organisation-Validated (OV) server certificates
  • Code-signing certificates
  • Email certificates
  • Personal certificates

Note: The agreement does not cover Extended Validation (EV) certificates, which can, however, be ordered directly from HARICA outside of the GÉANT/TCS framework.

Rules for TCS Certificates

  1. Certificates may only be used by research and educational institutions, not for commercial purposes.
  2. The institution must sign a Trusted Certificate Service (TCS) Subscriber Agreement, reflecting the terms set by HARICA.
  3. The institution must appoint one or more responsible individuals authorised to order certificates on its behalf.
  4. DeiC will verify the institution and grant rights to designated administrators/users, who can then independently order server certificates.

Certificates via Let's Encrypt

Let's Encrypt is a free and open Certificate Authority (CA) operated by the non-profit Internet Security Research Group (ISRG). Its certificates are trusted by all major browsers and have gained widespread popularity. Numerous tools now exist to simplify the automation of standard server certificate issuance and renewal for individual public web servers.

For institutions using or wishing to use Let's Encrypt's free certificates, DeiC offers consultancy services to assist with setup and automation of renewals.

Certificates via DeiC’s ACME-DNS Service

DeiC offers a service to streamline and secure the DNS-01 Challenge using the Automatic Certificate Management Environment (ACME) protocol. The service can be used with any CA that supports ACME, such as Let's Encrypt. It is particularly intended for institutions looking to automate certificate issuance and renewal across their organisation, including wildcard certificates and certificates for internal networks.

Pricing

GÉANT TCS Certificates

HARICA became the provider as of 1 January 2025. Pricing is currently under negotiation, but costs are expected to remain comparable to previous rates.

Current prices:

  • OV Single Certificate: DKK 410
  • OV Wildcard Certificate: DKK 500
  • OV Multi-Domain Certificate: DKK 1,060
  • Code-Signing Certificate:
    • 1 year: DKK 420
    • 2 years: DKK 520
    • 3 years: DKK 620
  • Personal Certificate: Free for the first 10, then DKK 100 per certificate.

DeiC’s ACME-DNS Service

The ACME-DNS service, using DNS-01 Challenge validation, is free for all institutions on the Research Network.

Institutions may choose any CA that supports the ACME protocol for DNS validation. When using a free CA, such as Let's Encrypt, the certificates are also free.

DeiC offers consultancy services for implementation at a rate of DKK 950 per hour.

How to Obtain a Certificate via DeiC

Certificates via HARICA

Log in to the HARICA Certificate Manager self-service portal through your institution by selecting Academic Login. Locate your institution and log in via WAYF.

[Image: CERT Manager Login. Photo: DeiC]
[Image: CERT Manager Search. Photo: DeiC]

The HARICA Cert Manager onboarding process is outlined here.

[Image: CERT Manager Onboarding Process. Photo: DeiC]

You can download PDFs outlining workflows for the various roles in the onboarding process here:

Guides and support from HARICA are available here, while API documentation is accessible here.

If you wish to test the service without incurring costs, you can use the HARICA Staging Service.

Certificates via ACME and DeiC’s ACME-DNS Service

Technical documentation is available on Codeberg.

DeiC provides support and assistance with initial setup.

Note: While HARICA supports the ACME protocol, DeiC currently recommends using one of the major free services, such as Let’s Encrypt.

Contact Information

For questions or assistance, contact scs-ra@deic.dk.

Revised: 19 Feb 2025