...
2025-01-13: This document is work in progress and will be updated as features are added and bugs/limitations removed, and as we gain more experience with the system.
URL
The HARICA Certificate Manager is located at https://cm.harica.gr
Getting Help
Join the TCS network at SUNET Forum
...
- What user in the system did what?
- What certificate request is this about (or what domain, or what user, or...)?
- What did you expect to happen?
- What happened instead?
- What messages did you get?
If your question is related to a certificate or CSR, please attach it to the email you send. Do not attach keys or other secret/sensitive files.
Help from HARICA support
2025-01-10: For the time being, contact HARICA support only on instructions from Sunet TCS. We will provide you with the email address when doing so.
...
Server certificate EV is not part of the contract.
2025-01-10: Server certificates and authentication certificates for grid use will become available later.
2025-01-10: Other certificate types such as code-signing should become available later for a per-certificate fee
...
- Have the person who will become the first Enterprise Admin for your organization go to https://cm.harica.gr and sign up to create a user.
- That person should have been a RAO (not only DRAO) in the Sectigo CM. Choose the most senior RAO you had that will work with the new system too.
- Yes, person means person. We will not hand out the role as first enterprise admin to a shared/functional email address or similar.
- You should use the same email address as before if at all possible. The email address must belong to your main domain (the one you will tell us about below).
- 2025-01-11: The given name and surname fields do not accept characters like "åäö" or "-". Do your best without this until we get this fixed.
- 2025-01-10: Sign up for a new account. Do not yet try the Academic Login option to login using your SWAMID user. We will tell you when that option is working properly.
- This user must also enable two-factor authentication (TOTP) using the profile page (available from the menu in the top right corner where your name is displayed: select Profile, then under Two-Factor Authentication (2FA)).
...
- Organization name (official, the value you will get in the O attribute of the certificate)
- This should be the name shown when your organization number is searched for in official sources, which is most likely your name in Swedish, not English.
- Locality (the value you will get in the L attribute of the certificate)
- This should be a single locality/city that is shown when your organization number is searched for in official sources.
- Your main domain (you will be able to add additional domains later)
- Organization number ("organisationsnummer")
- A function email alias suitable for receiving notifications from HARICA (such as pending requests, expiring validations etc).
- Make sure that you are OK with receiving two emails per certificate (requested and issued) to this function email address.
- Make sure that alias is able to receive emails from addresses outside of your organization so HARICA's emails can reach you there.
- 2025-01-10: This is mandatory for now. Later, you will be able to choose to instead have these emails sent to all Enterprise Admins
- Email for the first Enterprise Admin of your organization, as created above.
- Make sure you have created a user in the system using that email and have enabled TOTP for it (see above). If not, we cannot complete your registration.
- Tell us if you are in a hurry to get access or not
- 2025-01-20: Tell us if you have immediate needs for certificates, are just registering to get it done, or anywhere in between...
When we receive and handle the requests, we will create your Enterprise (the HARICA term for the container for your organization and its domains, certificates etc) in the system and make the indicated user the first Enterprise Admin for you.
...
On the other hand, if you are currently using CAA records in DNS to specify allowed Certificate Authorities for a domain, you need to make sure there is a CAA record allowing harica.gr in addition to the ones you already have.
Validating domains
To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).
You can select email or DNS methods:
- For email, you have to choose one of five standard addresses (admin, administrator, webmaster, hostmaster or postmaster) under the domain that is to receive the challenge email.
- For DNS, you get information in an email on how to add a TXT entry in DNS for your domain.
In the field for "Email of user that will validate the Enterprise" you enter the email of yourself or any other user registered in HARICA CM that will complete the validation. Then follow the instructions in the email you get to complete validation.
Note: before issuing a certificate, HARICA has to verify that a correct CAA record (or no CAA record at all) is in place for all names up to your base domain. For example, if you include the name ad.internal.example.org in the certificate, you must correctly answer for ad.internal.example.org, internal.example.org and example.org. If a request for any of the names results in no answer at all when queried from the outside (for example due to firewalling), or an error like SERVFAIL, the certificate will not be issued.
You might want to check the name for DNS problems (including DNSSEC) at https://dnsviz.net/
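The CAA walk described above, as an added example that is not part of this guide or HARICA's tooling: it checks every label from the full name up to the base domain, treats a failed lookup as blocking, and applies RFC 8659 issue/issuewild semantics to see whether harica.gr is permitted. The DNS answers in CONSTRUCTED_ZONE are made up for the demonstration; replace lookup() with a real resolver call (for example dnspython's dns.resolver.resolve) to check your own names.

```python
# Added example for this guide (not HARICA's or Sunet TCS's own code): simulate
# the CAA checks the CA performs before issuing. Every label from the full name
# up to the base domain must answer (NOERROR, with or without CAA records), and
# the closest CAA RRset found on the way up must permit harica.gr (RFC 8659).
# The answers in CONSTRUCTED_ZONE are made up; swap lookup() for a real resolver.
from dataclasses import dataclass

HARICA_CAA = "harica.gr"


@dataclass(frozen=True)
class Caa:
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # CA domain, optionally followed by ";parameters"


# Missing key = NOERROR with no CAA records (the common case).
# A string value models a query that gets no usable answer from the outside.
CONSTRUCTED_ZONE = {
    "example.org": [Caa(0, "issue", "letsencrypt.org")],
    "validated.example.org": [Caa(0, "issue", "letsencrypt.org"),
                              Caa(0, "issue", "harica.gr")],
    "wild.example.org": [Caa(0, "issuewild", "harica.gr"),
                         Caa(0, "iodef", "mailto:security@example.org")],
    "firewalled.example.org": "TIMEOUT",
}


def lookup(owner):
    """Return the CAA records for owner ([] if none); raise if the query fails."""
    answer = CONSTRUCTED_ZONE.get(owner, [])
    if isinstance(answer, str):
        raise RuntimeError(f"{owner}: {answer}")
    return answer


def labels_up_to(name, base_domain):
    """ad.internal.example.org -> [ad.internal.example.org, internal.example.org, example.org]"""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    parts, base = host.split("."), base_domain.lower().rstrip(".").split(".")
    if parts[-len(base):] != base:
        raise ValueError(f"{name} is not under {base_domain}")
    return [".".join(parts[i:]) for i in range(len(parts) - len(base) + 1)]


def check_name(name, base_domain, ca=HARICA_CAA):
    """Return (ok, reason); ok=False means issuance is blocked or a lookup failed."""
    effective = None
    for owner in labels_up_to(name, base_domain):
        try:
            records = lookup(owner)
        except RuntimeError as exc:
            return False, f"CAA lookup failed ({exc}); fix DNS/firewalling before requesting"
        if records and effective is None:
            effective = (owner, records)  # closest RRset wins; keep walking to test all labels
    if effective is None:
        return True, "no CAA records up to the base domain; any CA may issue"
    owner, records = effective
    wildcard = name.startswith("*.")
    if wildcard and any(r.tag == "issuewild" for r in records):
        relevant = [r for r in records if r.tag == "issuewild"]
    else:
        relevant = [r for r in records if r.tag == "issue"]  # issuewild never restricts plain names
    if not relevant:
        return True, f"CAA RRset at {owner} does not restrict this kind of name"
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    if ca in allowed:
        return True, f"CAA at {owner} permits {ca}"
    fix = f'{owner}. IN CAA 0 {"issuewild" if wildcard else "issue"} "{ca}"'
    return False, f"CAA at {owner} permits only {sorted(allowed - {''}) or 'nobody'}; add: {fix}"


def check_request(names, base_domain):
    """Vet every name of a request before submitting it: name -> (ok, reason)."""
    return {n: check_name(n, base_domain) for n in names}
```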
Note: Domains that have not been validated yet have a validity date in the past (the day before the domain was added).
...
To be able to use additional domains you need to add them first, and then validate as above. To add, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. At the enterprise information page you get to, use the globe icon at the top, almost at the rightmost corner, to get to the Add Domain page.
...
Contact tcs@sunet.se if this is needed.
Organization Validation
For you to be able to issue server certificates of the OV type, or S/MIME IV+OV, the organization validation needs to be completed. That can be done by Sunet TCS or by you.
2025-01-10: We ask you to wait with this.
When your Enterprise is first added to the system, its organization is not validated. You can still request DV server certificates and email-only S/MIME certificates. If you need OV, contact tcs@sunet.se. We will provide further instructions here when we and HARICA are ready for everybody to be organization validated.
You need to complete Organization Validation too if any of this applies to you:
- You need to issue IGTF (aka grid, eScience) server certificates, which are handled as a subtype of OV server certificates
- You need to issue OV server certificates for servers where DV server certificates are not acceptable (this should be a rare situation)
- You need to issue IV+OV S/MIME personal certificates
If any of the above conditions apply to you, contact tcs@sunet.se and ask us to initiate Organization Validation for you. Tell us which of the conditions above apply to you.
Users & Authentication
Users
Everybody who is to access the system (for certificate requests or as administrator) needs to have a user:
- The user must have registered at https://cm.harica.gr using the Sign up option.
- The email address must belong to a domain added to your Enterprise in the system.
- 2025-01-13: The given name and surname fields do not accept characters like "åäö" or "-". Do your best without this until we get this fixed.
- 2025-01-13: Sign up for a new account. Do not yet try the Academic Login option to login using your SWAMID user. We will tell you when that option is working properly.
...
Administrator Roles
As an Enterprise Admin you can elevate additional users to have more privileged roles than normal users (who can just request certificates).
- First, have the administrator-to-be create a user in the system (see above).
- The user must then also enable two-factor authentication (TOTP) using the profile page (available from the menu in the top right corner where the name is displayed: select Profile, then under Two-Factor Authentication (2FA)).
...
- Enterprise Admin, which will give this user the same role you have (manage domains, validations, users roles etc)
- Enterprise Approver, which will allow this user to approve certificate requests.
- You can select SSL (server certificate) and S/MIME separately.
- This is a separate role that is not included in Enterprise Admin. If needed, you can have both roles.
...
2025-10-13: If the choices you make do not seem to "take" when you look at the Account info again right after saving, exit the Users pane for something else and go back and check again. The information should now be correct.
Resetting Two-Factor Authentication (TOTP)
To reset the two-factor authentication for yourself, if you can still login via the old two-factor, go to the menu in the top right corner where the name is displayed, select Profile and then under Two-Factor Authentication (2FA) first Disable and then Enable again.
To reset the two-factor for another user, have one of your Enterprise Admins go to the Account Info pane for the user (as above under Administrator Roles) and use the Disable button for Two-Factor Authentication (2FA). The user will then have to login and enable two-factor authentication again (using the menu in the top right corner where the name is displayed, select Profile and then under Two-Factor Authentication (2FA) use Enable).
If you are the only Enterprise Admin in your Enterprise and you need to reset the two-factor authentication for yourself and you cannot login via the old two-factor, you need to contact tcs@sunet.se for help.
Roles will be lost! When the two-factor authentication is disabled for a user (by any of the means above), all roles that user has are removed and have to be added back again by an Enterprise Admin. We recommend that you have at least two Enterprise Admins so one of you can reinstate the other if they need to reset their two-factor authentication. Having more than one Enterprise Admin is of course also a good idea for general operational redundancy.
Requesting certificates
All certificate requests are done with menu options in the left-side menu of the system.
You need to have a user in the system (see above) to create certificate requests, but the user does not need to have any administrator/approver roles.
You cannot approve your own request. Another user with the Enterprise Approver role needs to do that. Conversely, if you are the one who will approve the certificate, you need to have another user request it.
Server certificates
Use the Certificate Requests → Server alternative in the left-side-menu.
Adding names
On the first page, you can first enter an optional friendly name for the certificate. The friendly name is only shown to the requester in certificate listings. It will not be seen by approvers/admins. We suggest you leave it blank, as the CN (the first "real" name entered) will be shown in that case.
You then add one or more names to be present in the certificate. The first name added will be the CN of the certificate, and all names added will be present as SAN DNS entries in the certificate. The web interface talks about adding domains, but you are entering the full names you want in the certificate.
- Added www: If you do not uncheck the checkbox below the name, an additional name with "www." prepended will be added as SAN DNS. 2025-01-13: The checkbox may be removed or default to disabled in the future.
- Wildcards: If you want a wildcard name for *.subdomain.example.org, add only that and not subdomain.example.org. You will get subdomain.example.org in the certificate too.
No names for the certificate are picked up from the CSR you upload at the end of the request process. You have to add them at this stage. 2025-01-13: This may be changed in the future.
There is a limit of 100 names in the certificate.
Bulk adding using Import
You can also use the Import feature to import names from files, including:
- CSR: Names are picked up from the SAN DNS extension part in the CSR. A name that is only present as CN will not be picked up. The filename has to end in .csr. You will have to upload the same CSR file again at the end where it is used for the key part.
- Certificate: Names are picked up from the SAN DNS extension part in the certificate. The filename has to end in .pem, .crt or .cer.
- CSV file: This is really just a file with "DNS Name" on the first line and the requested names on consecutive lines. The filename has to end in .csv.
Selecting certificate type
On the next page, select the certificate type:
- Domain-only (DV), which is always available as soon as the domain is validated. This is the same type of certificate you get from Let's Encrypt. It only contains CN=name in the subject (as well as all the names as SAN DNS entries).
- For enterprises or organizations (OV), which is available after Organization Validation. This is the same type of certificate you got from Sectigo. In addition to the information in a DV certificate the subject also contains O=Organization name and L=Your city.
- Do not select "For enterprises or organizations (EV)" as this is not included in the contract.
If the DV or OV option is shown as "from AMOUNT€ year" instead of "free", do not proceed. Probable reasons are:
- You have made a typo and entered a name that does not belong to your Enterprise. Start over and make sure the names are right.
- You have tried to use a domain of yours that you have not yet added and validated in the system. See Adding additional domains above.
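Added example, not code from this guide or from HARICA, that applies the naming rules from the "Adding names", "Bulk adding using Import" and certificate type passages above: it builds the name list the certificate will end up with (CN first, optional "www." prefix, the bare subdomain behind a wildcard, the 100-name limit), checks that every name is under a domain that is added and validated (the usual reason the type page shows a price instead of "free"), and emits both the CSV import content and a matching openssl subjectAltName so the CSR carries the same names. The validated-domain list is an assumed input constructed for the demonstration.

```python
# Added example for this guide (not HARICA's or Sunet TCS's own code): build and
# vet the name list before entering it in the request form. The validated
# domain list you pass in is constructed; use your Enterprise's real domains.
MAX_NAMES = 100


def _clean(name):
    return name.strip().lower().rstrip(".")


def expand_names(names, add_www=False):
    """Return the ordered, de-duplicated names the certificate will contain (CN first)."""
    out = []

    def add(n):
        if n and n not in out:
            out.append(n)

    for raw in names:
        name = _clean(raw)
        add(name)
        if name.startswith("*."):
            add(name[2:])            # the CA adds the bare subdomain for a wildcard
        elif add_www and not name.startswith("www."):
            add("www." + name)       # what the "add www" checkbox does
    return out


def check_names(names, validated_domains):
    """Return a list of problems; an empty list means the request should show as free."""
    problems = []
    if len(names) > MAX_NAMES:
        problems.append(f"{len(names)} names exceeds the limit of {MAX_NAMES}")
    domains = {_clean(d) for d in validated_domains}
    for n in names:
        host = n[2:] if n.startswith("*.") else n
        if "*" in host:
            problems.append(f"{n}: only a leading '*.' is allowed in a wildcard name")
        if not any(host == d or host.endswith("." + d) for d in domains):
            problems.append(f"{n}: not under an added and validated domain (typo, or add the domain first)")
    return problems


def import_csv(names):
    """Content of the .csv file accepted by Import: header line, then one name per line."""
    return "DNS Name\n" + "\n".join(names) + "\n"


def openssl_san(names):
    """Value for `openssl req -new ... -addext <this>`; the CN is in SAN too, so a
    later CSR import picks up every name (CN-only names are ignored on import)."""
    return "subjectAltName=" + ",".join("DNS:" + n for n in names)
```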
Confirm the choice of type and then confirm the information and accept the terms of use etc.
Submitting the CSR
On the Submit Request page, use Submit CSR manually to get a box to paste the CSR into. Accept the terms of use etc again and Submit the request.
2025-01-16: You may get the error message "You have already used this key before. If your private key gets compromised, we will have to revoke ALL CERTIFICATES associated with this key." if there is a blank line before the CSR in the box (and maybe for other syntax errors too). Do not proceed, but make sure the CSR format is OK and resubmit. Of course, you will also get this message if you are trying to reuse a key.
2025-01-13: The need to accept the terms of use etc twice will be removed in the future.
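Added example, not code from this guide or from HARICA, for the CSR problem described in the 2025-01-16 note: it strips the leading blank line and stray whitespace before pasting, confirms the PEM decodes to a DER CertificationRequest, and fingerprints the public key (SubjectPublicKeyInfo) so an accidentally reused key is caught locally rather than at submission. constructed_csr_pem() builds an unsigned dummy CSR with a fake key purely so the parser can be exercised offline; run check_csr() on your real .csr file.

```python
# Added example for this guide (not HARICA's or Sunet TCS's own code): vet a CSR
# before pasting it into "Submit CSR manually". constructed_csr_pem() is an
# unsigned dummy with a fake key, used only to exercise the parser offline.
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
_PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                     r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


def pem_to_der(text):
    """Extract and decode the CSR body, ignoring blank lines and whitespace around it."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    try:
        return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc


def to_pem(der):
    """Canonical PEM: markers, 64-character lines, no leading blank line."""
    b64 = base64.b64encode(der).decode()
    return BEGIN + "\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n" + END + "\n"


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into (tag, value, raw encoding) triples."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val, value[start:pos]))  # raw bytes are what gets hashed
    return out


def spki_fingerprint(der):
    """SHA-256 hex of the CSR's SubjectPublicKeyInfo, the usual public-key fingerprint."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    cri_tag, cri, _ = _tlv(body)           # CertificationRequestInfo comes first
    parts = _children(cri) if cri_tag == 0x30 else []
    if len(parts) < 3 or parts[0][0] != 0x02 or parts[2][0] != 0x30:
        raise ValueError("unexpected CertificationRequestInfo layout")
    return hashlib.sha256(parts[2][2]).hexdigest()


def check_csr(text, used_fingerprints=()):
    """Return (clean_pem, fingerprint); raise ValueError on format problems or key reuse."""
    der = pem_to_der(text)
    fp = spki_fingerprint(der)
    if fp in set(used_fingerprints):
        raise ValueError("this key was already used in an earlier request; generate a new one")
    return to_pem(der), fp


def _der(tag, body):
    """Tiny DER encoder, only for the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def constructed_csr_pem(key_bytes=b"\x00" + b"\x42" * 64, blank_line_first=True):
    """Unsigned dummy CSR (fake key, empty subject, empty signature), optionally with a leading blank line."""
    rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, rsa + _der(0x03, key_bytes))
    cri = _der(0x30, _der(0x02, b"\x00") + _der(0x30, b"") + spki + _der(0xA0, b""))
    pem = to_pem(_der(0x30, cri + rsa + _der(0x03, b"\x00")))
    return ("\n" + pem) if blank_line_first else pem
```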
Your certificate request will now be listed under Pending Certificates until one of your Enterprise Approver approves it. An email is sent to the notification alias about the pending approval.
When an Enterprise Approver has approved the certificate, you can download it using the download arrow to the right of the certificate in the listing.
2025-01-13: We will add more information about download options when the correct certificate chain is in place.
IGTF (aka Grid, eScience) Server Certificates
Prerequisites
Before you can request this type of certificate you need to:
- Complete Organization Validation (see that heading above)
- Enable IGTF certificates. As Enterprise Admin, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. At the enterprise information page you get to, use the tag icon at the top, almost at the rightmost corner, to get to the Update Enterprise tags page. Enable the "#IGTF-Organization" toggle and Save.
Requesting
When requesting a server certificate, choose OV as the type on the second page (after entering names). Confirm on the next page. Then on the "Organization information" page, enable the "Request an IGTF eScience Digital Certificate" checkbox. As stated there, your "L" and "O" name components will be converted to ASCII as needed.
IGTF (aka Grid, eScience) Client Auth Certificates
Prerequisites
Before you can request this type of certificate you need to:
- Configure your IdP to release the required attributes to HARICA. See "SAML configuration" below.
- Enable IGTF certificates. As Enterprise Admin, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. At the enterprise information page you get to, use the tag icon at the top, almost at the rightmost corner, to get to the Update Enterprise tags page. Enable the "#IGTF-Organization" toggle and Save.
Requesting
- Login at https://cm.harica.gr/ using Academic Login and your user at your IdP. Using Academic Login is necessary for this to work.
- In the menu at the left edge, select IGTF Client Auth. Do not select Client Auth (which is for non-IGTF authentication certs not included in our contract).
- Select GÉANT Personal Authentication as certificate type and confirm that again on the next page.
- Accept the terms and proceed using the Submit Request button.
- Use the Enroll your certificate button in the list showing Ready Certificates.
- Use the Generate Certificate option on the next page and make sure to select a passphrase you will remember for later. Check the "I understand..." checkbox and proceed using the Enroll Certificate button.
- Use the Download button on the Get Your Certificate page to save the PKCS#12 file containing key and certificate.
- Import the PKCS#12 file where you need it.
Power users may choose to use the Submit CSR manually (having generated a key before, and combining the key and the downloaded certificate as needed afterwards).
S/MIME certificates
2025-01-10: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.
Approving certificates
Server certificates
You need to have the Enterprise Approver role to approve a certificate request. Also, you cannot approve your own request.
As Enterprise Approver, go to Enterprise → SSL Requests. Select the request in the list of pending requests. On the page you get, the Consent tab should be active (with a red X showing it is not yet handled). Enter any comment you want in the message box and use the Accept button to approve the certificate.
If you want, you can also have the message sent to the requester using the "Inform user" checkbox, and if you press Update instead of Accept, the user will get the message but the certificate will not (yet) be approved. The file options at the top are for including documents, if they are relevant to the approval process.
After approving, the certificate is issued and the request is moved to the Completed section.
As approver, you can use Enterprise → SSL Certificates to see certificates. If you select a certificate, you will see the Details pane, and can also choose the Download and Revoke tabs to do that.
The certificate requester will get an email about the certificate and can download it (see above).
Potential reasons for delays after approving
- Problems with DNS queries when HARICA is checking for CAA records. See the note about this under Add CAA record in DNS for the domain if needed above.
S/MIME certificates
2025-01-13: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.
ACME
2025-01-10: ACME via HARICA is not at this moment on par with what was offered by Sectigo, but improvements are on the roadmap. We will update this section when it is in place. We recommend using Let's Encrypt for ACME as of now.
API access
2025-01-17: The current API offered by HARICA is basically the one used between the web browser and their backend. If you are an experienced API user, you may be able to use this already, but it is not for the faint of heart. We will update this section if and when the API is enhanced for automation tasks.
Resources for those who would like to try it anyway:
- https://guides.harica.gr/docs/Guides/Developer/1.-Register-and-log-in/ (and the rest of the subpages linked in the left-side menu)
- https://developer.harica.gr/
- https://software.nikhef.nl/experimental/tcstools/tcsg5/ (tool in Perl from our Dutch friends)
- haricatest.py (our own minimal sample code to demonstrate making API calls)
We ask that you use the staging environment (cm-stg-harica.gr) for testing instead of the production environment (cm.harica.gr) if your tests will involve requesting certificates. Contact tcs@sunet.se if you need help to set up your Enterprise there for testing (configuration from production is not mirrored there).
SAML configuration
See the information at GEANT's wiki https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ#TCS2025FAQ-IsSAMLSupported?
For ADFS Toolkit, you can also look at the HARICA section at Manual attribute releases with ADFS Toolkit and for Shibboleth at How-To - SAML-konfiguration Sunet TCS
We recommend that you use the STAGING environment for testing basic attribute release, user creation/login etc as that database is not shared with the production environment so you will not interfere with existing users. When it works there, you can enable it for PRODUCTION as well.
Certificate chains
Server Certificates
If you do not have specific demands to support older devices and operating systems that have not had trust store updates since 2021, we recommend that you only serve the GEANT TLS RSA 1 intermediate certificate as a chain certificate (or the GEANT TLS ECC 1 version if you have an ECC certificate). The full details of the chains follow below.
RSA server certificates (DV, OV, grid)
Your server certificate is signed by
CN=GEANT TLS RSA 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390054, certificate https://crt.sh/?id=16099180997. PEM download https://crt.sh/?d=16099180997)
which is signed by
CN=HARICA TLS RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202184)
which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147041876), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324706) signed by
CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14566)
which should be in the browser/OS/etc trust stores on older devices.
ECC server certificates (DV, OV, grid)
Your server certificate is signed by
CN=GEANT TLS ECC 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390050, certificate https://crt.sh/?id=16099180990, PEM download https://crt.sh/?d=16099180990)
which is signed by
CN=HARICA TLS ECC Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202185)
which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147045948), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324707) signed by
CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14546)
which should be in the browser/OS/etc trust stores on older devices.
2025-01-15: Certificates are still issued with HARICA's existing intermediates, not the custom TCS intermediates that will be used in the future. We will add more information here when the TCS intermediates are in place.