Services provided by the CESNET PKI are described in certificate policies and Certificate Practice Statement available in the chapter Certificate Policies and Certificate Practice Statement.

CESNET CA is not accredited as a provider of certification services in the sense of Act No. 227/2000 Sb. Certificates issued by CESNET CA cannot be used to secure communication with the state administration. They are designed for use in national and international research projects and for applications operated by members of CESNET, a.l.e.

CESNET PKI provides the following services:

• Personal TCS certificates
• Server TCS certificates
• Personal CESNET CA 4 Certificates
• Server CESNET CA 4 Certificates
• Establishing of Registration Authorities
• Certification of other Certificate Authorities

CESNET CA mediates issuance of server certificates TCS. These certificates are currently issued by Sectigo, whose root certificates are implicitly trusted by most internet browsers.

The detailed procedure for creating a certificate application, registration and issuance of a certificate is described in the TCS Personal Certificates manual.

CESNET CA mediates issuance of server certificates TCS. These certificates are currently issued by Sectigo, whose root certificates are implicitly trusted by most internet browsers.

The detailed procedure for creating a certificate application, registration and issuance of a certificate is described in the TCS Server Certificates manual.

Personal certificate issued by the CESNET PKI can be used for authentication, digital signature, and data encryption. Personal CESNET CA 4 certificates are issued with a validity of 13 months. The signature algorithm is RSA, the key length is 2048 or 4096 bits.

Personal CESNET CA 4 certificates can be issued to

• persons participating in CESNET's research activities,
• administrators of hosts and services operated by members of CESNET, a. l. e. and by insitutions participating in CESNET's research activities, and
• CESNET employees.

Server certificates can be used for authenticating network hosts and services. Personal CESNET CA 4 certificates are issued with a validity of 13 months. The signature algorithm is RSA, the key length is 2048 or 4096 bits.

Server certificates are issued for hosts and services operated by

• institutions participating in CESNET's research activities,
• members of CESNET, a. l. e.,
• CESNET itself.

CESNET CA operates a Registration Authority on its own.

Any member of CESNET, a. l. e. can ask for certification of its own Registration Authority. a signed contract between CESNET, a. l. e. and the RA operator is required.

Operation of CESNET CA RAs is governed by rules described in the appropriate certificate policy issued by the CESNET CA.

CESNET CA supports establishing of CAs operated by members of CESNET, a. l. e. and offers their certification. The CA must comply with a certificate policy of CESNET CA. A legal contract between CESNET, a. l. e. and the institution operating the CA is required.