TLS Server Certificate

This is the Luca Server’s TLS server certificate that is issued by D-Trust for the *.luca-app.de domain.

Health Department Certificate

A certificate that identifies a Health Department. It is used both for mTLS-based authentication to the Health Department Frontend and signing of the health department’s HDSKP and HDEKP certificates.

This certificate is created and maintained by an external, trusted Certificate Authority.


The “Health Department Encryption Keypair” is used to encrypt messages to a specific Health Department (e.g. the daily keypair’s private key). Each Health Department has their own HDEKP.

The public key of this keypair is signed using the respective Health Department Certificate and stored on the Luca Server. The private key is kept locally at the Health Department.


The “Health Department Signing Keypair” is used to authenticate messages issues by a specific Health Department. For instance, the daily keypair is signed using the issuing Health Department’s HDSKP.

Each Health Department has their own HDSKP which is signed using the respective Health Department Certificate.

daily keypair

The keypair whose public key is used by the Guest App to encrypt the secret part of the Check-In data. Its private key is used by a Health Department during the process of Contact Tracing.

The keypair’s public key is signed using the HDSKP and stored on the Luca Server. Its private key is encrypted for each registered Health Department’s HDEKP. The encrypted private keys are stored on the Luca Server.

The daily keypair’s life cycle and usage is detailed in the chapter Daily Keypair Rotation.

badge keypair

The keypair that encrypts contact data references for static Badges. It is technically equivalent to the daily keypair but is used exclusively by a Trusted 3rd Party during the generation of static Badges.

Its private key is owned by the Health Department and is used to decrypt Check-Ins created using a static Badge. The badge keypair can be issued by any Health Department and is signed by the respective Health Department’s HDSKP.