Skip to main content

Certification Service

Contatti :  Certification Service

Support and Contacts

  +06 4962 2000
+39 050 221 3158
  This email address is being protected from spambots. You need JavaScript enabled to view it.

GARR CS (Certification Service)

The Certification Service provides digital certificates free of charge to its community. These certificates, available in both personal and server versions, are issued by SECTIGO, a leading commercial Certification Authority that is automatically recognized by nearly all web browsers.

This service is available at no cost to all organizations connected to the GARR network.

Certification Service
Tipologie di certificati

GARR participates in the Trusted Certificate Service (TCS) promoted by Géant for the benefit of European research networks


GARR participates in the Trusted Certificate Service (TCS)M promoted by Géant for the benefit of European research networks.

Through this service, GARR provides its community with digital x.509 certificates (also available in e-Science version, valid for authentication on GRID resources) issued by one of the major commercial Certification Authorities: Sectigo Limited, automatically recognized by nearly all existing web browsers.

  • SSL certificates: for server authentication and securing sessions with clients;

  • GRID certificates: for server and Grid service authentication (IGTF compliant);
  • Personal certificates and personal GRID certificates: for user authentication and securing email communications;
  • Code signing certificates: for authenticating software distributed over the internet;
  • Document signing certificates: for authenticating documents created with Adobe PDF, Microsoft Office, OpenOffice, and LibreOffice.
to top

Server TCS certificates



Starting from May 1, 2020, the new provider of the TCS service will be the Certification Authority Sectigo Limited. All certificates already issued by Digicert will remain valid and will retain their validity until the expiration date specified in the certificate itself.

Guide for TCS Administrators

For certificate signing requests (CSR) generation, please refer to the guidelines provided by Sectigo on the GARR CS wiki.


For submitting requests, refer to the instructions provided by your Organization's Administrators.

Organization's Administrators

Alternative names

You can request certificates with multiple names.

You can include alternative names directly within the CSR, or more simply, add them during the request form completion starting from a CSR with only one name:

Wild Card

You can request certificates containing a wildcard (*) in both the CN (Common Name) field and within the alternative names, with the following restrictions:

1.A wildcard (*) can replace a subdomain but not part of it

  •     *     CORRECT
  •     xyz*     WRONG!

2. You cannot request alternative names if the CN field contains a wildcard

  •      WARNING: Wildcard certificates like * cannot be used to authenticate domain names of the form
  •      For security reasons, the use of this type of certificates should be as limited as possible. In any case, their issuance must be discussed in advance with the service.


to top
Certificati personali

Personal TCS Certificates


Users can request and renew personal and personal grid certificates by accessing the dedicated Sectigo website for GARR. You will need to authenticate using your organization's IDEM credentials.

From the request form, you can select the following types of certificates:

  • GÉANT Personal email signing and encryption
    Personal certificates issued by a public CA for email signing and encryption purposes. Not suitable for document signing and client authentication.
  • GÉANT Personal Authentication
    Personal certificates issued by a private CA for use in grid/IGTF environments and for client authentication. Not suitable for email signing and encryption, or for document signing.
  • GÉANT Personal Automated Authentication Personal robot certificates issued by a private CA for use in software agents authenticating on behalf of the user (grid/IGTF environment). Not suitable for email signing and encryption, or for document signing.

Log in with IDEM to Sectigo

Entities affiliated with the IDEM Federation can activate the service for their users by following the configuration instructions:

Configuration guideline

Follow the tutorials for requesting personal certificates on Sectigo


Personal TCS certificates can only be issued to members of organizations affiliated with IDEM and enabled for the service

OpensslIt is software available for Linux, macOS, and Windows systems.



to top

For more information about the services or to request activation