Avendoo® online documentation

IDD Gut-Beraten interface

Renew annually the X.509 certificate for interface


This process is only relevant for customers who record IDD times for trainings and transfer them via interface to Gut-Beraten.

The Gut-Beraten interface allows the automatic transfer for IDD times. A X.509 certificate is part of the configuration of the Gut-Beraten interface. This certificate enables the signing for secure data transfer to the Gut-Beraten server.

This X.509 certificate is one year valid and then has to be substituted by a new certificate. If this certificate will be not substituted the data will not be accepted by the Gut-Beraten interface. The substitution is always 30 days before expiring possible.

This substitution process has be done by a person of the customer. This person has to be listed in the Gut-Beraten license for the interface. This person also receives personal one-way passwords (partly by a letter) to process the download. This person needs an author account for the Avendoo® system. And that author has to have the rights Certificate administrator, Read system settings and Edit system settings.


Note that the author can enter the one-way password many times, but not again as the X.509 certificate has been activated.


You need

  • the corresponding Gut-Beraten license for the interface,
  • the setting and the configuration of the interface and
  • the IDD ID saved in the user accounts of the employees

for the automatic transfer of the IDD times.

Click on link in the e-mail

You receive an e-mail with the subject line “[TGIC] – activation/change of the X.509 authentification of the TGIC user account XXXXXXXX” depending on your request for the IDD Gut-Beraten interface or automatic as renewal of the X.509 certificate.


TGIC means: Trusted German Insurance Cloud. This is the provider of the X.509 certificate for using API.

In this e-mail you find a link for downloading the new certificate for the authentification via X.509.
That link leads to https://pki.tgic.de/TGIC-PKI/….
and is for each Gut-Beraten customer who uses API an own special link.

Start PKCS#12 certificate download

Click directly in the upper field on For downloading your user certificate please click here: on Download.

Enter serial number

Enter the serial number of the certificate which you receive in the e-mail and the one-way password, received in a separate e-mail or as letter.

Serial number: 8507
PW: z64z-r2R#v8c


That password is only for the download and not for the certificate.

Download PKCS#12 certificate

Do a download of the certificate via Download PKCS#12.


Do not activate the PKCS#12 certificate yet.

Let the browser dialog window opened. This simplifies later on the activation at the end of the process.

Upload PKCS#12 certificate and convert it into base64

  1. Click as author in the Avendoo® system in the menu Administration on the menu entry PKCS#12 certificates.

    If the menu entry PKCS#12 certificates is not shown the author has no the administration right Certificate administrator.

  2. Then click on the button New PKCS#12 certificate. The wizard PKCS#12 certificate opens.
  3. Now enter a title like “Gut Beraten 20XX” for example (see first screenshot) and change to the tab Configuration.
  4. Click on the tab Configuration (see second screenshot) on the button Upload certificate and upload the downloaded PKCS#12 file. This file will be then converted into base64.
    Under Keyname you enter the number of the TGIC user account. You find this number as “TGIC user account: XXXXXXX” in the e-Mail from TGIC (see also step 1.1).
    Enter the new certificate password from the e-mail with the download link for the PKCS#12 certificate under Password.
    If you’ve done both correctly you see now under Validity the start and end date for one-year validity.

    – If the validity is not shown do corrections regarding keyname, password and/or PKCS#12 file).
    – If the date of Valid to is not one year in future you have used a wrong or an old file.

  5. Click on the button Save.
  6. Change to the tab Configuration in thePKCS#12 certificate wizard.
  7. Copy the text out of the field PKCS#12 certificate.

Copy base64 coded PKCS#12 certificate into the system setting insuranceDistributionDirective

  1. Choose in the menu Adminstration the menu item System settings in the Avendoo® system.
  2. Enter “insurance” in the left search field and click on the button Apply.
    Then you see on the right side the system setting “insuranceDistributionDirective” as listed.
  3. To open this system setting click on the title.
    The wizard for system settings opens.
  4. You have to insert the base64 coded certificate in the corresponding IDD Gut-Beraten profile configuration (Attention: There can be several profile configurations) with the matching tgicUser entry (1.tgicUser=8777776519). You find the matching value for the tgicUser, with whom you define the matching IDD Gut-Beraten profile, behind the text “TGIC user account: XXXXXXX” in the e-mail from TGIC (see also step 1.1).
  5. If you’ve found the right profile you paste the base64 coded text from the text field of the tab Configuration in the PKCS#12 certificate wizard behind “1.p12Temp=”. By this “1.” can vary with the number of the IDD Gut-Beraten profiles ( 4.etc. for example).

Find the entry “X.p12Temp=” and delete all behind the equal sign. Then copy the new certificate text from the upper text field.

Enter the new password for the PKCS#12 certificate

Enter the new password of the certificate: s5zz1Q9q5#y? from the e-mail with the download link to the PKCS#12 certificate in the same profile “x.keyPassword=#44of79.fhUh”.

Then save the data.

Activate PKCS#12 certificate

  1. If you’ve just opened the tab TIC-PKI (see step 1.3) where you’ve downloaded the certificate (PKCS#12 file), you can click there on Activate certificate.
  2. If you’ve closed the browser tab, just repeat step 1.1 and 1.2. You can use the one-way password as often as the certificate has been activated.
  3. Finally, the message Your X.509 certificate has been successfully activated is shown. Now the certificate is valid.
    If the old certificate has already been expired because the renewal of the X.509 certificate was too late, this new certificate is valid by now. If you want to be sure just activate the certificate.