New Root and new Issuing CA for TLS

Due to requirements from root stores (browsers, operating systems, etc.), the issuance of TLS certificates is being transitioned to our new PKI hierarchy, the Telekom Security TLS RSA Root 2023 (https://telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_RSA_Root_2023.cer). Please note the following:

· The change is planned to be implemented on May 18, 2026.

· TLS certificates will no longer be issued under the TeleSec Business TLS-CA 2022 after that date. The new issuing sub-CA will be the Telekom Security OV RSA CA 26B (https://telesec.de/assets/downloads/PKI-Repository/CA_Telekom_Security_OV_RSA_CA_26B.cer). We recommend that you inform your administrators about the new CA certificates, as configuration changes may be necessary.

· The new Root CA is cross-certified by the established T-TeleSec GlobalRoot Class 3, ensuring that the chain of trust can also be verified by older systems.

· As part of the transition, the Extended Key Usage (EKU) will also be adapted to new requirements of the root stores: the EKU “id-kp-clientAuth” is no longer permitted and will be removed. Details:

https://googlechrome.github.io/chromerootprogram/#132-promote-use-of-dedicated-tls-server-authentication-pki-hierarchies

Your Business.ID (SBCA) team

Business.ID

OneTimePass

TCOS Smartcards

Identity & Access Management

Secure Elements & Smartcards

Smart Metering PKI

Healthcare

Group solutions from Deutsche Telekom

Root Program

Information about CA Certificates

Support

General

Contact

Downloads

Q&A

Note:

New Root and new Issuing CA for TLS

Sie verwenden einen veralteten Browser.