Skip to end of metadata
Go to start of metadata
Certificates are a base of secure communication in between clients and many services. HIIT uses SSL certificates in e.g. web based services and in HIIT-VPN service that's implemented using OpenVPN. Information about how to acquire and maintain and revoke certificates used at HIIT can be found below.

Certificates based on SHA-1 hash algorithm are considered breakable since 2004. Increase of computing power has brought the breaking of SHA-1 so likely that transition to better security hash algorithm, SHA-2, has started. As of fall 2014 Google and other major players have started the migration to certificates using SHA-2 hash algorithm. Due to this HIIT IT services will replace all certificates using SHA-1 with ones using SHA-2.

All major browsers should have needed root certificates using SHA-2 as a hash function in signature algorithm installed by default, so no user interaction is needed there. There may be a need, however, to install new root-CAs to other services. Thus all root-CAs used in HIIT services can be found from this page.

More information about SHA-1 to SHA-2 transformation can be found e.g. the following pages:

From this page you can find information about the following certificate related topics:

Root certificates

Services in use in HIIT typically use certificates signed by the following certificate authorities. Almost all services are signed by TERENA. Unfortunately root certificates of these authorities are not always present in devices in use, instead, we need to install those root certificates ourselves.


From the TERENA's TCS Repository chapter "Server Certificate CA" install the following three (3) certificates:

  • AddTrust External CA Root
  • UTN-USERFirst-Hardware

Some HIIT services also use eScience certificates so installing

  • TERENA eScience SSL CA

is not a bad idea.

(info) Please note, that there are both SHA-1 and SHA-2 versions available.


All aforementioned certificates can also be installed by installing TERENA bundle.


  • pem (sha256sum: 12e13dd380c875eaa2b1657f97ba1bec0f0b515b812a1dc32208f3983dd81a2f)


  • pem (sha256sum: c9726d866b9fd489a586390929f5b8b229fddfbe73b2818cc189b788ccd0723e)

University of Helsinki (HYAD-CA)


HYAD-CA, and more specifically SHA-2 version of HYAD-CA roots, is used in very few services, primarily on eduroam.


  • ROOT crt pem
    Serial number: 47 0C B0 23 BF 65 A9 92 49 A7 CC B1 B5 EB 4E 7C
    Thumbprint: 7C 98 EA 65 89 47 72 48 59 9F 9E C2 EF B6 7D A4 68 88 D1 45
  • ISSUING crt pem
    Serial number: 61 1D CB 71 00 01 00 00 00 06
    Thumbprint: 3E 32 38 61 E5 E0 8A 9F B3 B9 71 2A A3 24 03 1F B6 F9 76 EE


  • ROOT crt pem
    Serial number: 18 94 9a 52 a5 56 e1 a2 45 03 1c ef 7c 1e 08 3d
    Thumbprint: bd 48 a3 4c 2b 12 3f f8 bc 2e 5b f0 a9 d6 14 59 73 e4 4d 7e
  • ISSUING crt pem
    Serial number: 61 1e f4 8f 00 00 00 00 00 03
    Thumbprint: 2f bd f3 b1 88 2a 72 b3 ce 6e a8 66 6d 27 9d 29 4c e0 36 27

All aforementioned certificates can also be installed by installing HYAD bundle.


  • pem (sha256sum: bc8b0240125afad8733a826cab5f8cb4708c4e0d9ed8343151762fe5c33bd65e)
  • crt (sha256sum: f1699c28442ddc794577d8c9838166a57413c9d96100659df292180b90aeeef0)


  • pem (sha256sum: f1699c28442ddc794577d8c9838166a57413c9d96100659df292180b90aeeef0)
  • crt (sha256sum: 28b7136e8d96475e1135bcf53e9afed9c10cc3d39026b0ae75177deb7a1b6ae9)

University of Helsinki, Department of Computer Science

(Used in some of the Department of Computer Science's services.)


HIIT IT services has it's own root certificate to be used in some configurations.

  • HIIT ITCA crt pem
    Serial number: AD:FF:21:26:7F:63:D0:BE
    Thumbprint: EC:8B:4A:D2:AA:FC:2C:19:74:53:6F:26:A6:F9:A2:06:DD:73:7A:D3

Other pages related to certificates