20.10.2016: Important changes for certificates using the SHA1 hashing algorithm

As of January 01, 2017, most operating systems and webbrowsers will display warnings alerting users that their connection is not secure. There are many different styles, like „no lock icon“, „an opened lock icon“ or „a lock icon in red“, also warning pages are possible. You can find more information on the Internet using the search terms „SHA1, SHA-1 or SHA1 deprecation“. For example, Microsoft announced their Windows Enforcement of SHA1 Certificates“.

If you are still using certificates with SHA1 hashing algorithm, there might be restrictions from this time!

Therefore, we still offer the option - within the validity of the SHA-1 certificate - to migrate the affected certificate into a SHA-256 certificate, via myServerPass customer portal using <Re-Issue>. For a description, please have a look in the FAQ. How can I migrate an existing SHA-1 certificate into a SHA-256 certificate using Re-Issue?


19.10.2015: Support for TLS/SSL certificates with SHA1 hash functions (secure hash algorithm) will end on December 15, 2015

The T-Systems Trust Center will cease to support the SHA1 hash function on December 15, 2015. As the SHA1 hash function has security flaws, TLS/SSL certificates will no longer be issued with SHA1 as of this date, even on request.

T-Systems thus meets the requirements of the current CA/Browser Forum Baseline Requirement BR-1.3.0..

T-Systems has updated all ServerPass certification authorities for some time now and provides the SHA2 hash function for all new ServerPass products. Existing SHA1 certificates can be upgraded free of charge in the customer portal via <Re-Issue>.

All older SHA1 certificates with a validity period beyond December 31, 2016 will be blocked at the latest on December 1, 2016.


ServerPass will start issuing extended validation certificates on October 22th

On October 22th ServerPass will start issuing ev-ssl-certificates (ev = extended validation). Browsers will indicate websites which are secured by ev-ssl-certificates with the EV green address bar.

Extended validation ssl certificates are X.509 ssl certificates issued according to a specific set of identity verification criteria. These criteria for issuing EV certificates are defined by the Guidelines for Extended Validation produced by the CA/Browser Forum. They require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued.

Extended validation ssl certificates are issued by the German root certificate ‘TeleSec ServerPass Extended Validation Class 3 CA’. This root certificate is included within actual browsers and operating systems.


WebTrust Seal

T-Systems Trust Center fulfills the extensive AICPA / CICA WebTrust criteria for CA (Certification Authorities) and Extended Validation (EV) in 2014 and is allowed to use the coveted WebTrust seal.

An independent auditing company confirmed in uninterrupted succession the required quality certifications since 2008.

read more


No issuance of certificates with internal IP addresses or local hostname with a validity after 2015/10/31

Current information for TeleSec ServerPass

The CAs used for "ServerPass" meet the "Baseline Requirements for the Issuance and Management" of the CA / Browser Forum, see:


Accordance with the requirements "CA / Browser Forum Approves Baseline Requirements for SSL / TLS Certificates" from 2012/07/01, orders for SSL certificates which contain the internal IP addresses or local hostnames will be issued with a maximum validity until 2015/10/01. Therefore, henceforth such SSL certificates are no longer issued with a validity of 3 years.

Certificates of this type that were issued prior to 2012/07/01 will be blocked at the latest on 2016/01/10, if the certificate has not expired on that date.


New root CA and CA certificate on December 16, 2010

Current information for TeleSec ServerPass
AFrom December 16, 2010, the certification hierarchy for TeleSec ServerPass will be updated. All certification authorities in the trust chain consistently offer the high quality level of 2048-bit RSARSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem., and thereby also future-proofing and planning security. With the changeover of the certification hierarchy, all certificates will only be issued by the TeleSec ServerPass CA 1 certification authority. At the top of the certification hierarchy is the internationally established Baltimore CyberTrust Root. This new trust anchor (root certificate) for TeleSec ServerPass offers you maximum market penetration and outstanding coverage of current applications.

Your benefits at a glance

  • Root selection is no longer required when ordering
  • Longer certificate terms reduce the effort of managing your server applications
  • Reduced costs by using certificates with a term of 2 or 3 years
  • Future-proofing through the use of modern security procedures
  • Planning security through long certificate terms

Other new features
With the new certification hierarchy, you can now order certificates with a term of 1, 2 or 3 years. Furthermore, we offer the new TeleSec ServerPass SAN/UCC for Microsoft Exchange & Office Communication Server 2007.

Important note
Please bear in mind that when installing ServerPass, the intermediate certificate is also installed. This avoids incompatibilities and irritating notices arising.