Versions Compared

Old Version 19

changes.mady.by.user Kent Engström

Saved on

compared with

New Version 20

changes.mady.by.user Kent Engström

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

THIS IS WORK IN PROGRESS. PLEASE DO NOT REGISTER / SEND EMAILS BEFORE WE INFORM YOU ON SUNET-TCS-MEMBERS AND SUNET FORUM TCS.

URL

The HARICA Certificate Manager is located at https://cm.harica.gr 

Getting Help

Join the TCS network at SUNET Forum

Consider joining the TCS network at https://forum.sunet.se/s/tcs/ to get information and to be able to discuss the service with Sunet TCS and other users. Important news will also be shared, as before, using the SUNET-TCS-MEMBERS mailing list (where one function address per organization is present since your organization joined the service), but information about minor issues may be shared here, as well as tentative information before we know enough to raise it to the SUNET-TCS-MEMBERS level.

Help from SUNET TCS

Email tcs@sunet.se after making sure that this document does not contain the answer to your question or a solution to your problem. Do not email Kent's personal email address.

Help from HARICA support

2025-01-10: For the time being, contact HARICA support only on instructions from Sunet TCS. We will provide you with the email address when doing so.

GEANT / HARICA Documentation

Look at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ but keep in mind that parts of that documentation is for NREN administrators (called Enterprise Manager in HARICA CM) and not for organisation administrators (called Enterprise Admin in HARICA CA).

Differences from the Sectigo generation 2020-2024

New vendor, new web interface

The HARICA Certificate Manager of course looks different from the Sectigo Certificate Manager. We are all using the same URL for HARICA CM (not a specific Sunet URL).

The container for your organization is now called Enterprise

The containter that keeps your organization details together with the set of domains and certificates that belong to you is now called Enterprise in HARICA CM, instead of Organization (as in Sectigo CM) or Division (as earlier at DigiCert).

You who are administrators at this level are now called Enterprise Admin (approximately the same role as RAO in the Sectigo CM).s you

No Departments

There is no direct replacement for the Department level that existed below Organization in the Sectigo CM, and as such there is no role corresponding to DRAO.

2025-01-10: There may be ways to implement this in the future. Please do not attempt do recreate this using Subunits or other things you find in the interface unless instructed by Sunet TCS.

Users who are not administrators are available again

The HARICA CM allows people to create users that will be matched to you organization via domain matching on the email address. Such users start out without any privileges in the system (cannot approve certificates, cannot add domains etc) but they can request certificates. This resembles the model we had with DigiCert (for Sectigo, there were only admin users of various levels).

You cannot approve your own requests

A user cannot approve their own requests, regardless of privileges in the system. You need to have one user request a certificate and another user (with the Enterprise Approver role) approve it.

Different certificate offerings

From the start of the service your can get this before your Organization Validation is completed:

...

2025-01-10: Other certificate types such as code-signing should become available later for a per-certificate fee

Less flexible notifications

You cannot tune notifications as you could for Sectigo. From start, a single function email address per enterprise will get all notifications for new requests, expiring validations etc.

Getting access to the system

Members of the "Sectigo generation" 2020-2024 service

To get access to the new system, first:

...

When we receive and handle the requests, we will create your Enterprise (the HARICA term for the container for your organization and its domains, certificates etc) in the system and make the indicated user the first Enterprise Manager for you.

New members

Contact tcs@sunet.se about membership in the service. Do not send any paper documents before that and do not register in the HARICA CM system.

Domains

Validating domains

To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).

...

Domains that have not been validated yet have a validity date in the past (the day before the domain was added).

Adding additional domains

To be able to used additional domains you need to add them first, and then validate as above. To add, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. At the enterprise information page you get to, use the globe icon at the top right corner to get to the Add Domain page.

...

2025-01-10: The CSV parser requires the first line to contain the text Domain without quotes around it. If your spreadsheet program adds quotes, you may have to removed them. In other words, the expected file format is a test file with Domain on the first line and then one or more domain names on the subsequent lines.

Deleting domains

Contact tcs@sunet.se if this is needed.

Organization Validation

For you to be able to issue server certificates of the OV type, or S/MIME IV+OV, the organization validation needs to be completed. That can be done by Sunet TCS or by you.

2025-01-10: We ask you to wait with this. You can still issue server certificates DV and email-only S/MIME-certificates. If you need OV, contact tcs@sunet.se. We will provide further instructions here when we and HARICA are ready for everybody to be organization validated.

Users

Everybody who is to access the system (for certificate requests or as administrator) needs to have a user:

  • The user must have registered at https://cm.harica.gr using the Sign up option.
  • The email address must belong to a domain added to enterprise in the system.
  • 2025-01-13: The name fields do not accept characters like "åäö" or "-". Do your best without this until we get this fixed.2025-01-13: Sign up for a new account. Do not yet try the the Academic Login option to login using your SWAMID user. We will tell you when that option is working properly.

Administrators

As an Enterprise Admin you can elevate additional users to have more privileged roles than normal users (who can just request certificates).

...

2025-10-13: If the choices you make does to seem to "take" when you look at the Account info again, exit the Users pane for something else and go back and check again. The information should now be correct.

Requesting certificates

All certificate requests are done with menu options in the left-side menu of the system.

You need to have a user in the system (see above) to create certificate requests. You cannot approve your own request. Another user with the Enterprise Approver role needs to do that).

Server certificates

Use the Certificate Requests → Server alternative in the left-side-menu.

...

2025-01-13: We will add more information about download options when the correct certificate chain is in place.

S/MIME certificates

2025-01-10: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.

Approving certificates

Server certificates

You need to have the Certificate Approver role to approve a certificate request. Also, you cannot approve your own request.

...

The certificate requester will get an email about the certificate and can download it (see above).

S/MIME certificates

2025-01-13: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.

ACME

2025-01-10: ACME via HARICA is not at this moment on par with what was offered by Sectigo, but improvements are on the roadmap. We will update this section when it is in place. We recommend using Let's Encrypt for ACME as of now.

API access

2025-01-10: There are APIs available. We will update this section with links to relevant documentation when we have it.

SAML configuration

2025-01-10: This section will be added. There is some information already at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ

...