Certificate chain
To use your certificate in your web server, you need the certificate chain. Depending on the age of your certificate, you will need either the Generation 1 chain (certificate issued up to and including 2016) or the Generation 2 chain (certificate issued from 2017).
Generation 1 (until 2016)
- Root certificate of T-Systems
(SHA-1 fingerprint: 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF) - Certificate of the German Research Netzwork
(SHA-1 fingerprint: F4:C5:38:C3:BB:99:4F:13:F8:FD:C2:40:B6:79:A6:4B:19:34:A1:B5) - Certificate of the University of Bremen
(SHA-1 fingerprint: D0:A9:97:44:F3:07:68:38:86:80:AD:7F:2E:71:E9:EA:DA:FF:EC:FD)
Alternatively, you can download the complete certificate chain in PEM format. This contains the three certificates listed above in summarized form.
Generation 2 (from 2017 onwards)
- T-TeleSec GlobalRoot Class 2
(SHA-1 fingerprint: 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9) - DFN-Verein Certification Authority 2
(SHA-1 fingerprint: E2:24:BE:F6:D7:86:22:0D:26:2B:B8:07:AB:6D:AC:F9:D3:A8:9A:93) - DFN-Verein Global Issuing CA
(SHA-1 fingerprint: C9:DC:B0:47:AC:8C:5F:09:05:ED:77:52:8C:BD:4B:84:D9:46:3C:45)
Alternatively, you can download the complete certificate chain in PEM format. This contains the three certificates listed above in summarized form.
Sectigo TCS (from 2023 onwards)
The situation for certificates issued by Sectigo TCS is more complicated and the required chain depends on the kind of certificate issued. For an overview see the page of DFN-CERT about TCS certificates (german only).