Certificates
Via DeiC, institutions can purchase server certificates and personal certificates from an external supplier.
Through DeiC, institutions can purchase server certificates and personal certificates from an external vendor. DeiC also offers help with installing and renewing certificates from both commercial vendors and Let's Encrypt.
Institutions can purchase server certificates and personal certificates from an external supplier via DeiC. DeiC also offers assistance with installing and renewing certificates from both commercial vendors and Let's Encrypt.
Which certificates does DeiC facilitate and why?
Certificate lifetimes and Domain Control Validation will be severely reduced until 2029. This was unanimously agreed in ballot SC-081v3 April 2025 by the Certification Authority Browser Forum and will apply to all PKI TLS certificates.
- Maximum certificate lifetime will be 47 days and only 10 days DCV reuse from 15/3 2029
This means institutions should ask the question now: "Do we have an automation strategy for all PKI TLS certificates throughout our organization?"
The answer will often involve ACME - which makes it easy to request TLS certificates.
Requesting star certificates or certificates for internal servers requires DNS validation via the ACME protocol. This is more complex. To make it easier and more secure, DeiC has developed an ACME DNS service, which is made available free of charge to institutions on the Research Network.
Certificates via GÉANT
Through GÉANT / Trusted Certificate Service (TCS), DeiC offers certificates for the research and education sector, issued by a commercial provider. GÉANT has signed an agreement with HARICA, as Certificate Authority (CA). HARICA provides certificates via their self-service portal. Here you can order certificates of the following types:
- Domain Validated (DV) and Organization Validated (OV) server certificates
- Code signing certificates
- Email certificates
- Personal certificates
The agreement does not cover Extended Validation (EV) certificates. However, these can be ordered directly from HARICA outside of GÉANT/TCS.
Rules for TCS certificates
- The certificates may only be used by research and educational institutions and not for commercial purposes.
- The institution must sign a Trusted Certificate Service (TCS) Subscriber Agreement that reflects the conditions set by HARICA.
- The institution must appoint one or more responsible persons who can order certificates on behalf of the institution.
- DeiC verifies the institution and assigns rights to administrators/users who can then directly order server certificates themselves.
Certificates via Let's Encrypt
Let's Encrypt is a free, open CA run by the non-profit organization Internet Security Research Group (ISRG). The service's certificates are accepted by every browser on the market; it has quickly become very popular and a number of useful tools have emerged that make it easy to automate the request and renewal of standard server certificates for individual public web servers.
For those institutions that use, or want to use, free certificates from Let's Encrypt, DeiC offers consulting help to get started and with automating renewals.
Certificates via DeiC's ACME-DNS service
DeiC provides a proprietary service that makes it easy and secure to create DNS 01 Challenge via the Automatic Certificate Management Environment (ACME) protocol. The service can use any CA that supports ACME, such as Let's Encrypt, and is intended for institutions that want to automate certificate issuance and renewals for their entire organization, including star certificates and certificates for internal networks.
Pricing
GÉANT TCS certificates
HARICA has become a supplier as of January 1, 2025. Due to the fact that the expiration time of certificates has been reduced from 365 to 200 days, the prices per certificate have been reduced as of April 1st, so that they correspond to the new expiration times.
The following is a list of previous and new applicable unit prices:
- DV Single Certificate DKK 350 --> DKK 190
- OV Single Certificate: DKK 410 --> DKK 220
- OV Star Certificate: DKK 500 --> DKK 270
- OV Multidomain Certificate: DKK 1,060 --> DKK 575
- EV Single Certificate: DKK 720 --> DKK 388
- EV Multidomain Certificate: DKK 1,300 --> 556
- Code Signing Certificate 620
- Personal Certificate: Free under 10 pcs., otherwise DKK 100 per certificate
- Client eScience (IGTF) Certificate: Still free
DeiC's ACME-DNS service
The ACME-DNS service with DNS-01 challenge validation is free to use for everyone on the Research Network.
You can freely choose a CA that supports the ACME protocol and the ACME-DNS service for DNS validation. If you use a free CA, such as Let's Encrypt, the certificates are also free.
DeiC offers consulting help with implementation of the solution for DKK 950 per hour.
How do I get a certificate through DeiC?
Certificates via HARICA
Log in to the self-service portal HARICA Cert Manager via your institution by selecting `Academic Login`. Locate your institution and log in with WAYF.
You can download PDFs describing the workflow for the different roles in the onboarding process here:
HARICA support and guides are here on their website, while documentation of their API can be found here.
GÉANT maintains a FAQ, which describes how the ACME protocol can be supported with HARICA.
If you would like to test the service without having to pay, you can use: HARICA staging service.
Certificates via ACME and DeiC's ACME-DNS service
Technical documentation can be found at Codeberg.
DeiC offers support and help getting started.
Get help
Write to scs-ra@deic.dk if you have questions or need help.
Please write to scs-ra@deic.dk if you have any questions or need help.