Comment: Remove doubled quotes

...

  • Go to https://sectigo.com/support-ticket
  • Use type "Validation Support" and reason "Certificate Validation" for issues related to certificates (delays, problems with the contents, etc).
    • Use case type "Technical Support" and case reason "Sectigo Certificate Manager (SCM)" for issues with SCM not related to certificates per se

  • Include the certificate order number in the specific field for that.

    • If the ticket is about more than one certificate, include one order number (the most important one?) in that field, and include all of the order numbers in the description. 
  • In the description, include a line at the top saying "We are a SUNET member of the GEANT TCS service, using the https://cert-manager.com/customer/sunet SCM instance."
  • Describe the problem, for example "The following certificates are stuck in Applied instead of being issued. Please issue them or tell us what we need to do."

...

  • Go to Organizations and click on the organization line to check it, then use the Add Departments button in the card shown for the Organization.
  • Fill in the desired department name in the Department Name field. The rest of the name components will be as for your organization. Do not fill in the Secondary Organization Name or Academic code.
  • On the second page, select Client Certificates and disable "Allow Key Recovery by Master Administrators" and "Allow Key Recovery by Department Administrators". It will already be disabled for Organization Administrators, as that was part of the organization setup done by SUNET.
  • Do not fret over other options on the various tabs, as they can be changed later. Do not enable or change things you do not understand. Finish using the Save button.

...

  • Go to https://cert-manager.com/customer/sunet/idp/clientgeant, select your organization's IdP and login there.
  • Select the right certificate profile:
    • Use "GÉANT Personal email signing and encryption" for a normal client certificate for email signing etc. outside of the grid/IGTF world (this used to be "GÉANT Personal Certificate")
    • Use "GÉANT Personal Authentication" for a grid/IGTF personal (client) certificate for normal use (this used to be "GÉANT IGTF-MICS Personal")
    • Use "GÉANT Personal Automated Authentication" for a grid/IGTF robot personal certificate (seldom used, this used to be "GÉANT IGTF-MICS-Robot Personal")
  • Select the number of days the certificate should be valid.
  • Select if you want the key generated on the server side or locally. While the former is more convenient, there may be policy reasons or technical reasons for not using that:
    • Use "Key Generation" as Enrollment Method if you want a certificate with the key generated on the server side.
    • Use "CSR" as Enrollment Method if you do not want the key generated on the server side. You will have to provide the CSR file via file upload or by pasting it into the text box.
  • If you choose to provide the CSR, you must first have created your key and CSR locally, using whatever software you use for that. With OpenSSL, that could be:

    openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
    chmod go= userkey.pem
    cat usercert_request.pem
  • If you choose to generate the certificate on the server side, you must provide:
    • The requested key type and key size. Choose RSA-2048 unless you need a longer key and have tested that a longer key works. Contact SUNET TCS if you need elliptic curve client certificates or RSA-8192.
    • The password used to encrypt the PKCS#12 file that will be generated.
    • 2023-06-12: It seems the default key protection algorithm "Secure AES256-SHA256" does not work on macOS for importing into the Keychain, while it does work for direct import in Firefox. Select the non-default key protection algorithm "Compatible TripleDES-SHA1" instead.
  • Click "Submit" and accept the click-through license.
  • After a short while, you will get to download your certificate. The format depends on your choice above:
    • With "Key Generation", you will get a PKCS#12 file called certs.p12 containing key and certificate. You can import that in your browser using "Import Certificate" or similar.
    • With "CSR", you will get a PEM-formatted certs.pem containing just the certificate. If you need it in your web browser, you need to create a PKCS#12 file yourself. With OpenSSL as above, that could be:

      openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12
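The two OpenSSL steps above (creating the key and CSR for the "CSR" enrollment method, and later bundling the issued certs.pem with the key into a PKCS#12 file) are shown together below as an added example script; it is not part of the SUNET TCS wiki page. It adds the checks a practitioner wants before uploading or importing anything: that the CSR really carries the intended CN and a 2048-bit RSA key, and that the certificate handed back actually belongs to the private key before it is packed into certs.p12. The file names, the function names, the P12_PASS environment variable and the self-signed stand-in certificate are all assumptions made for this example; in real use the certificate comes from SCM.

```shell
#!/bin/sh
# Added example (not from the SUNET TCS wiki). Assumes an OpenSSL 1.1.1 or 3.x
# binary on the PATH. All file names and function names are hypothetical.
set -eu

# Create an RSA-2048 key and a CSR for CN=$1 in directory $2.
# -nodes writes the key unencrypted so the script runs non-interactively;
# drop it to have OpenSSL prompt for a key passphrase as the wiki command does.
# The subshell limits umask 077 (key readable by owner only) to this step.
make_csr() {
  cn=$1; dir=$2
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/userkey.pem" -out "$dir/usercert_request.pem" \
      -subj "/CN=$cn" 2>/dev/null )
}

# Print "<subject> <bits>" for a CSR, e.g. "CN=Mitt Namn 2048", so the
# request can be eyeballed (or asserted on) before it is uploaded to SCM.
csr_summary() {
  csr=$1
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  echo "$subj $bits"
}

# Succeed only if the certificate's public key equals the one derived from
# the private key. Catches the classic mix-up of bundling the wrong key.
cert_matches_key() {
  cert=$1; key=$2
  a=$(openssl x509 -in "$cert" -noout -pubkey)
  b=$(openssl pkey -in "$key" -pubout)
  [ "$a" = "$b" ]
}

# Bundle key + certificate into a PKCS#12 file ($3), refusing a mismatched pair.
# The export password is taken from the P12_PASS environment variable so it
# never shows up in the process list. (OpenSSL 3 defaults to AES-256/PBKDF2;
# if an importer rejects that, `openssl pkcs12 -export -legacy` selects the
# older 3DES/SHA-1 protection.)
bundle_p12() {
  cert=$1; key=$2; out=$3
  cert_matches_key "$cert" "$key" || { echo "certificate does not match key" >&2; return 1; }
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout env:P12_PASS
}

# Succeed if the PKCS#12 file opens with P12_PASS and contains a certificate.
p12_has_cert() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Demo stand-in only: self-sign the CSR so the example runs offline.
# In real use certs.pem is the file downloaded from SCM.
selfsign_demo() {
  dir=$1
  openssl x509 -req -in "$dir/usercert_request.pem" -signkey "$dir/userkey.pem" \
    -days 1 -out "$dir/certs.pem" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_csr "Mitt Namn" "$dir"
  csr_summary "$dir/usercert_request.pem"      # prints: CN=Mitt Namn 2048
  selfsign_demo "$dir"                          # stand-in for the SCM-issued certificate
  P12_PASS='constructed-demo-password'; export P12_PASS
  bundle_p12 "$dir/certs.pem" "$dir/userkey.pem" "$dir/certs.p12"
  p12_has_cert "$dir/certs.p12" && echo "certs.p12 ready for browser import"
  rm -rf "$dir"
}

demo
```

Run the script as-is to see the whole flow with the stand-in certificate; for a real request, call make_csr, upload usercert_request.pem to SCM, save the downloaded certs.pem next to userkey.pem, and then run bundle_p12 with P12_PASS set to the import password you want the browser to ask for.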

...