...

The HARICA Certificate Manager is located at https://cm.harica.gr 

Getting Help

Join the TCS network at SUNET Forum

...

Server certificate EV is not part of the contract.

2025-01-10: Server certificates and authentication certificates for grid use will become available later.

2025-01-10: Other certificate types such as code-signing should become available later for a per-certificate fee.

...

Note: before issuing a certificate, HARICA has to verify that a correct CAA record (or no CAA record at all) is in place for all names up to your base domain. For example, if you include the name ad.internal.example.org in the certificate, you must correctly answer for ad.internal.example.org, internal.example.org and example.org. If a query for any of these names results in no answer at all when made from the outside (for example due to firewalling), or in an error like SERVFAIL, the certificate will not be issued.

You might want to check the name for DNS problems (including DNSSEC) at https://dnsviz.net/
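The walk up the name tree that the note describes, modelled as an added example (not HARICA's or Sunet's code) with constructed DNS answers: it follows the RFC 8659 rule that the first non-empty CAA set found on the way up is the one that counts, and treats a failed lookup as a refusal, as the note says HARICA does. The two-label base domain and the zone data are assumptions; swap `lookup` for a real resolver to run it against live zones.

```python
from typing import Dict, List, Tuple, Union

SERVFAIL = "SERVFAIL"          # any error or timeout on the way up is fatal
CAA = Tuple[int, str, str]     # (flags, tag, value), e.g. (0, "issue", "harica.gr")
Zone = Dict[str, Union[List[CAA], str]]

# Constructed answers modelling the names used in the note above (assumption).
ZONE: Zone = {
    "example.org": [(0, "issue", "harica.gr"),
                    (0, "iodef", "mailto:hostmaster@example.org")],
    "internal.example.org": [],            # name exists, no CAA records
    "ad.internal.example.org": [],
    "firewalled.example.org": SERVFAIL,    # no answer when queried from outside
    "other.example.net": [(0, "issue", "letsencrypt.org")],
}

def chain_to_base(name: str) -> List[str]:
    """Names the CA queries, from the FQDN up to the base domain.
    Simplification: the base domain is taken to be the last two labels."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def lookup(name: str) -> Union[List[CAA], str]:
    """Stand-in for a live CAA query; unknown names answer with an empty set."""
    return ZONE.get(name, [])

def caa_permits(name: str, ca: str = "harica.gr") -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name`, per RFC 8659 section 3."""
    for qname in chain_to_base(name):
        rrset = lookup(qname)
        if rrset == SERVFAIL:
            return False, f"lookup for {qname} failed; certificate will not be issued"
        if not rrset:
            continue                       # empty set: climb to the parent
        # The first non-empty set is the relevant one; stop here either way.
        if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
               for flags, tag, _ in rrset):
            return False, f"{qname} carries an unknown critical CAA tag"
        issuers = [v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"]
        if ca in issuers:
            return True, f"{qname} lists {ca} in an issue record"
        return False, f"{qname} has CAA records but none names {ca}"
    return True, "no CAA records in the chain; any CA may issue"

if __name__ == "__main__":
    for n in ("ad.internal.example.org", "firewalled.example.org", "other.example.net"):
        print(n, caa_permits(n))
```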

Validating domains

To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).

...

Contact tcs@sunet.se if this is needed.

Organization Validation

For you to be able to issue server certificates of the OV type, or S/MIME IV+OV, the organization validation needs to be completed. That can be done by Sunet TCS or by you.

2025-03-12: When your Enterprise is first added to the system, its organization is not validated. You can still request DV server certificates and email-only S/MIME certificates without OV. If you need OV for any reason, contact tcs@sunet.se to get this done for you. We will provide further instructions here when we and HARICA are ready for everybody to be organization validated.

You need to complete Organization Validation too if any of this applies to you:

  • You need to issue IGTF (aka grid, eScience) server certificates, which are handled as a subtype of OV server certificates
  • You need to issue OV server certificates for servers where DV server certificates are not acceptable (this should be a rare situation)
  • You need to issue IV+OV S/MIME personal certificates

If any of the above conditions apply to you, contact tcs@sunet.se and ask us to initiate Organization Validation for you. Tell us which of the conditions above apply to you.

Users & Authentication

Users

Everybody who is to access the system (for certificate requests or as administrator) needs to have a user:

  • The user must have registered at https://cm.harica.gr using the Sign up option.
  • The email address must belong to a domain added to enterprise in the system.
  • 2025-01-13: The given name and surname fields do not accept characters like "åäö" or "-". Do your best without them until we get this fixed.
  • 2025-01-13: Sign up for a new account. Do not yet try the Academic Login option to log in using your SWAMID user. We will tell you when that option is working properly.

...

You then add one or more names to be present in the certificate. The first name added will be the CN of the certificate, and all names added will be present as SAN DNS entries in the certificate. The web interface talks about adding domains, but you are entering the full names you want in the certificate.

...

No names for the certificate are picked up from the CSR you upload at the end of the request process. You have to add them at this stage. 2025-01-13: This may be changed in the future.

You can also use the Import feature to import names from a file (see Bulk adding using Import below). There is a limit of 100 names in the certificate.

Bulk adding using Import

You can also use the Import feature to import names from files, including:

  • CSR: Names are picked up from the SAN DNS extension part in the CSR. A name that is only present as CN will not be picked up. The filename has to end in .csr. You will have to upload the same CSR file again at the end where it is used for the key part.
  • Certificate: Names are picked up from the SAN DNS extension part in the certificate. The filename has to end in .pem, .crt or .cer.
  • CSV file: This is really just a text file with DNS Name on the first line and the requested names on the following lines, one per line. The filename has to end in .csv.

Selecting certificate type

On the next page, select the certificate type:

  • Domain-only (DV) which is always available as soon as the domain is validated. This is the same type of certificate you get from Let's Encrypt. It only contains CN=name in the subject (as well as all the names as SAN DNS entries).
  • For enterprises or organizations (OV), which is available after Organization Validation. This is the same type of certificate you got from Sectigo. In addition to the information in a DV certificate the subject also contains O=Organization name and L=Your city.
  • Do not select "For enterprises or organizations (EV)" as this is not included in the contract.

If the DV or OV option is shown as "from AMOUNT€ year" instead of "free", do not proceed. Probable reasons are:

...

2025-01-13: We will add more information about download options when the correct certificate chain is in place.

IGTF (aka Grid, eScience) Server Certificates

Prerequisites

Before you can request this type of certificate you need to:

  • Complete Organization Validation (see that heading above)
  • Enable IGTF certificates. As Enterprise Admin, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. On the enterprise information page, use the tag icon near the top right corner to get to the Update Enterprise tags page. Enable the "#IGTF-Organization" toggle and Save.

Requesting

When requesting a server certificate, choose OV as the type on the second page (after entering names). Confirm on the next page. Then on the "Organization information" page, enable the "Request an IGTF eScience Digital Certificate" checkbox. As stated there, your "L" and "O" name components will be converted to ASCII as needed.

IGTF (aka Grid, eScience) Client Auth Certificates

Prerequisites

Before you can request this type of certificate you need to:

  • Configure your IdP to release the required attributes to HARICA. See "SAML configuration" below.
  • Enable IGTF certificates. As Enterprise Admin, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. On the enterprise information page, use the tag icon near the top right corner to get to the Update Enterprise tags page. Enable the "#IGTF-Organization" toggle and Save.

Requesting

  • Login at https://cm.harica.gr/ using Academic Login and your user at your IdP. Using Academic Login is necessary for this to work.
  • In the menu at the left edge, select IGTF Client Auth. Do not select Client Auth (which is for non-IGTF authentication certs not included in our contract).
  • Select GÉANT Personal Authentication as certificate type and confirm that again on the next page.
  • Accept the terms and proceed using the Submit Request button.
  • Use the Enroll your certificate button in the list showing Ready Certificates.
  • Use the Generate Certificate option on the next page and make sure to select a passphrase you will remember for later. Check the "I understand..." checkbox and proceed using the Enroll Certificate button.
  • Use the Download button on the Get Your Certificate page to save the PKCS#12 file containing key and certificate.
  • Import the PKCS#12 file where you need it.

Power users may choose to use Submit CSR instead (having generated a key beforehand, and combining the key and the downloaded certificate as needed afterwards).

S/MIME certificates

2025-01-10: This section will be added soon; most of you will want to wait until self-service with federated login is in place. There is some information already at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ

Approving certificates

Server certificates

You need to have the Certificate Approver role to approve a certificate request. Also, you cannot approve your own request.

As Enterprise Approver, go to Enterprise → SSL Requests. Select the request in the list of pending requests. On the page you get, the Consent tab should be active (with a red X showing it is not yet handled). Enter any comment you want in the message box and use the Accept button to approve the certificate.

If you want, you can also have the message sent to the requester using the "Inform user" checkbox, and if you press Update instead of Accept, the user will get the message but the certificate will not (yet) be approved. The file options at the top are for attaching documents, if they are relevant to the approval process.

After approving, the certificate is issued and the request is moved to the Completed section.

As approver, you can use Enterprise → SSL Certificates to see certificates. If you select a certificate, you will see the Details pane, and can also choose the Download and Revoke tabs to do that.

The certificate requester will get an email about the certificate and can download it (see above).

Potential reasons for delays after approving

  • Problems with DNS queries when HARICA is checking for CAA records. See the note about this under Add CAA record in DNS for the domain if needed above.

S/MIME certificates

2025-01-13: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.

ACME

2025-01-10: ACME via HARICA is not at this moment on par with what was offered by Sectigo, but improvements are on the roadmap. We will update this section when it is in place. We recommend using Let's Encrypt for ACME as of now.

API access

2025-01-17: The current API offered by HARICA is basically the one used between the web browser and their backend. If you are an experienced API user, you may be able to use this already, but it is not for the faint of heart. We will update this section if and when the API is enhanced for automation tasks.

Resources for those who would like to try it anyway:

We ask that you use the staging environment (cm-stg-harica.gr) for testing instead of the production environment (cm.harica.gr) if your tests will involve requesting certificates. Contact tcs@sunet.se if you need help to set up your Enterprise there for testing (configuration from production is not mirrored there).

SAML configuration

See the information at GEANT's wiki https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ#TCS2025FAQ-IsSAMLSupported?

For ADFS Toolkit, you can also look at the HARICA section at Manual attribute releases with ADFS Toolkit and for Shibboleth at How-To - SAML-konfiguration Sunet TCS

We recommend that you use the STAGING environment for testing basic attribute release, user creation/login etc as that database is not shared with the production environment so you will not interfere with existing users. When it works there, you can enable it for PRODUCTION as well.

Certificate chains

Server Certificates

If you do not have specific demands to support older devices and operating systems that have not received trust store updates since 2021, we recommend that you only serve the GEANT TLS RSA 1 intermediate certificate as a chain certificate (or the GEANT TLS ECC 1 version if you have an ECC certificate). The full details of the chains follow below.

RSA server certificates (DV, OV, grid)

Your server certificate is signed by

CN=GEANT TLS RSA 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390054, certificate https://crt.sh/?id=16099180997. PEM download https://crt.sh/?d=16099180997)

which is signed by

CN=HARICA TLS RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202184)

which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147041876), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324706) signed by

CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14566)

which should be in the browser/OS/etc trust stores on older devices.

ECC server certificates (DV, OV, grid)

Your server certificate is signed by

CN=GEANT TLS ECC 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390050, certificate https://crt.sh/?id=16099180990, PEM download https://crt.sh/?d=16099180990)

which is signed by

CN=HARICA TLS ECC Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202185)

which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147045948), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324707) signed by

CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14546)

which should be in the browser/OS/etc trust stores on older devices.

2025-01-15: Certificates are still issued with HARICA's existing intermediates, not the custom TCS intermediates that will be used in the future. We will add more information here when the TCS intermediates are in place.