...
The HARICA Certificate Manager is located at https://cm.harica.gr
Getting Help
Join the TCS network at SUNET Forum
...
Note: before issuing a certificate, HARICA has to verify that a correct CAA record (or no CAA record at all) is in place for all names up to your base domain. For example, if you include the name ad.internal.example.org in the certificate, your DNS must answer correctly for ad.internal.example.org, internal.example.org and example.org. If a query for any of these names gets no answer at all when made from the outside (for example because of firewalling), or gets an error such as SERVFAIL, the certificate will not be issued.
You might want to check the name for DNS problems (including DNSSEC) at https://dnsviz.net/
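The following is an added example, not code from this page or from HARICA, that reproduces the check described above from the outside: it walks every name from the certificate name up to the base domain, queries CAA for each through a public resolver by shelling out to dig (which must be installed), refuses on SERVFAIL or no answer, and then applies the RFC 8659 rule that the closest name with CAA records must carry an issue record for the CA. The CAA issuer domain harica.gr used in main is an assumption to confirm against HARICA's CP/CPS; the resolver address is an arbitrary choice; all names in the test data are constructed. Wildcard names (issuewild) are not handled.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// CAAResponse is what one CAA query returned.
type CAAResponse struct {
	Status  string   // rcode as dig prints it: NOERROR, NXDOMAIN, SERVFAIL, ...
	Records []string // rdata of each CAA answer, e.g. `0 issue "harica.gr"`
}

// Lookup answers a CAA query for one name; err means no usable response arrived at all.
type Lookup func(name string) (CAAResponse, error)

// NamesToCheck lists fqdn and every parent up to and including base: the names the CA will query.
func NamesToCheck(fqdn, base string) ([]string, error) {
	fqdn, base = strings.TrimSuffix(fqdn, "."), strings.TrimSuffix(base, ".")
	if fqdn != base && !strings.HasSuffix(fqdn, "."+base) {
		return nil, fmt.Errorf("%s is not under %s", fqdn, base)
	}
	var names []string
	for n := fqdn; ; n = n[strings.Index(n, ".")+1:] { // suffix check above guarantees a dot until base
		names = append(names, n)
		if n == base {
			return names, nil
		}
	}
}

// ParseDig reads the output of `dig +noall +comments +answer NAME CAA`: the rcode comes from the
// ";; ->>HEADER<<- ... status: X" line, CAA rdata from answer lines "NAME TTL IN CAA FLAGS TAG VALUE".
func ParseDig(out string) (CAAResponse, error) {
	var r CAAResponse
	for _, line := range strings.Split(out, "\n") {
		if strings.HasPrefix(line, ";;") {
			if i := strings.Index(line, "status: "); i >= 0 {
				if f := strings.Fields(line[i+len("status: "):]); len(f) > 0 {
					r.Status = strings.TrimSuffix(f[0], ",")
				}
			}
			continue
		}
		if f := strings.Fields(line); len(f) >= 7 && f[2] == "IN" && f[3] == "CAA" {
			r.Records = append(r.Records, strings.Join(f[4:], " "))
		}
	}
	if r.Status == "" { // dig prints no header when it times out or no server is reachable
		return r, errors.New("no DNS answer (timeout or server unreachable)")
	}
	return r, nil
}

// DigLookup asks a public recursive resolver (9.9.9.9 is an arbitrary choice for this example)
// so the check sees the outside view of the zone rather than an internal one.
func DigLookup(name string) (CAAResponse, error) {
	out, err := exec.Command("dig", "@9.9.9.9", "+noall", "+comments", "+answer", "+time=5", "+tries=2", name, "CAA").Output()
	if err != nil && len(out) == 0 {
		return CAAResponse{}, fmt.Errorf("dig failed: %w", err)
	}
	return ParseDig(string(out)) // on timeout dig exits non-zero but the output is still parsed
}

// Evaluate reproduces the CA-side check for one certificate name: every name from fqdn up to base
// must answer (NOERROR or NXDOMAIN), and the closest name that has any CAA records must contain an
// "issue" record for caDomain (RFC 8659). A critical-flagged unknown tag is not handled here.
func Evaluate(fqdn, base, caDomain string, lookup Lookup) (string, error) {
	names, err := NamesToCheck(fqdn, base)
	if err != nil {
		return "", err
	}
	var relevant []string
	relevantName := ""
	for _, n := range names {
		r, err := lookup(n)
		if err != nil {
			return "", fmt.Errorf("%s: %v; issuance would be refused", n, err)
		}
		if r.Status != "NOERROR" && r.Status != "NXDOMAIN" {
			return "", fmt.Errorf("%s: rcode %s; issuance would be refused", n, r.Status)
		}
		if relevant == nil && len(r.Records) > 0 {
			relevant, relevantName = r.Records, n
		}
	}
	if relevant == nil {
		return "no CAA records from " + fqdn + " up to " + base + ": any CA may issue", nil
	}
	for _, rec := range relevant {
		f := strings.Fields(rec)
		if len(f) < 3 || f[1] != "issue" {
			continue
		}
		// The value may carry parameters after ';' (e.g. accounturi=...); only the domain part is compared.
		v := strings.TrimSpace(strings.SplitN(strings.Trim(strings.Join(f[2:], " "), `"`), ";", 2)[0])
		if v == caDomain {
			return fmt.Sprintf("%s permits %s via %q", relevantName, caDomain, rec), nil
		}
	}
	return "", fmt.Errorf("%s has CAA records but none is issue %q: %v", relevantName, caDomain, relevant)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: caacheck FQDN BASE-DOMAIN")
		os.Exit(2)
	}
	// "harica.gr" is assumed to be HARICA's CAA issuer domain; confirm it in HARICA's CP/CPS.
	verdict, err := Evaluate(os.Args[1], os.Args[2], "harica.gr", DigLookup)
	if err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK:", verdict)
}
```

Run it as `go run caacheck.go ad.internal.example.org example.org` before submitting the request; a FAIL line names the first label that would make HARICA refuse issuance, which is usually faster than waiting for the request to bounce.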
Validating domains
To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).
...
On the next page, select the certificate type:
- Domain-only (DV), which is available as soon as the domain is validated and only includes domain information. This is the same type of certificate you get from Let's Encrypt. It only contains CN=name in the subject (as well as all the names as SAN DNS entries).
- For enterprises or organizations (OV), which is available after Organization Validation. This is the same type of certificate you got from Sectigo. In addition to the information in a DV certificate, the subject also contains O=Organization name and L=Your city.
- Do not select "For enterprises or organizations (EV)" as this is not included in the contract.
...
For ADFS Toolkit, you can also look at the HARICA section at Manual attribute releases with ADFS Toolkit and for Shibboleth at How-To - SAML-konfiguration Sunet TCS
We recommend that you use the STAGING environment for testing basic attribute release, user creation/login, etc., as that database is not shared with the production environment, so you will not interfere with existing users. When it works there, you can enable it for PRODUCTION as well.
Certificate chains
Server Certificates
If you do not have specific demands to support older devices and operating systems that have not received trust store updates since 2021, we recommend that you only serve the GEANT TLS RSA 1 intermediate certificate as a chain certificate (or the GEANT TLS ECC 1 version if you have an ECC certificate). Clients whose trust store contains the HARICA 2021 root then build the chain directly; older clients that only have the 2015 root also need the cross-signed 2021 root listed below. The full details of the chains follow below.
RSA server certificates (DV, OV, grid)
Your server certificate is signed by
CN=GEANT TLS RSA 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390054, certificate https://crt.sh/?id=16099180997. PEM download https://crt.sh/?d=16099180997)
which is signed by
CN=HARICA TLS RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202184)
which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147041876), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324706) signed by
CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14566)
which should be in the browser/OS/etc trust stores on older devices.
ECC server certificates (DV, OV, grid)
Your server certificate is signed by
CN=GEANT TLS ECC 1, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=390050, certificate https://crt.sh/?id=16099180990, PEM download https://crt.sh/?d=16099180990)
which is signed by
CN=HARICA TLS ECC Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
(CA https://crt.sh/?caid=202185)
which should be in the browser/OS/etc trust stores as a self-signed CA certificate (https://crt.sh/?id=4147045948), but is also available as an intermediate CA certificate (https://crt.sh/?id=5191324707) signed by
CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
(CA https://crt.sh/?caid=14546)
which should be in the browser/OS/etc trust stores on older devices.

2025-01-15: Certificates are still issued with HARICA's existing intermediates, not the custom TCS intermediates that will be used in the future. We will add more information here when the TCS intermediates are in place.
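To see why serving only the GEANT intermediate is enough for clients that trust the 2021 root, why it fails for clients that only have the 2015 root, and why adding the cross-signed 2021 root (the "intermediate CA certificate" version above) fixes that, here is an added example in Go. It is not code from this page or from HARICA: it builds a throwaway stand-in hierarchy in memory with constructed names and freshly generated P-256 keys (not the real HARICA or GEANT certificates), then runs Go's crypto/x509 chain verification against the two kinds of trust store, exactly as a TLS client would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue builds a certificate for cn: self-signed when parent is nil, otherwise signed by parent.
// key is generated when nil; passing an existing key is how the cross-signed root is produced.
func issue(cn string, key *ecdsa.PrivateKey, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Stand-in CA (constructed)"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // server certificate: TLS server EKU and the hostname as a SAN DNS entry
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoPKI mirrors the shape of the ECC chain on this page with stand-in names and keys.
type DemoPKI struct {
	Root2015, Root2021, Cross2021, Inter, Leaf *x509.Certificate
}

func BuildDemoPKI() DemoPKI {
	root2015, k2015 := issue("Stand-in ECC RootCA 2015", nil, true, nil, nil)
	root2021, k2021 := issue("Stand-in TLS ECC Root CA 2021", nil, true, nil, nil)
	// Cross-signed 2021 root: same subject and key as the self-signed one, but signed by the 2015 root.
	cross, _ := issue("Stand-in TLS ECC Root CA 2021", k2021, true, root2015, k2015)
	inter, kInter := issue("Stand-in TLS ECC 1", nil, true, root2021, k2021)
	leaf, _ := issue("www.example.org", nil, false, inter, kInter)
	return DemoPKI{root2015, root2021, cross, inter, leaf}
}

// ChainLen verifies leaf for host the way a TLS client does: served are the extra certificates the
// server sends after the leaf, trusted is the client's trust store. It returns the length of the
// first valid chain (leaf through root), or 0 and the error when no chain can be built.
func ChainLen(leaf *x509.Certificate, served, trusted []*x509.Certificate, host string) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func certs(c ...*x509.Certificate) []*x509.Certificate { return c }

// DemoResults returns the chain lengths (0 = verification failed) for the three cases above.
func DemoResults() (modern, legacyNoCross, legacyWithCross int) {
	p := BuildDemoPKI()
	const host = "www.example.org"
	modern, _ = ChainLen(p.Leaf, certs(p.Inter), certs(p.Root2021), host)
	legacyNoCross, _ = ChainLen(p.Leaf, certs(p.Inter), certs(p.Root2015), host)
	legacyWithCross, _ = ChainLen(p.Leaf, certs(p.Inter, p.Cross2021), certs(p.Root2015), host)
	return
}

func main() {
	m, ln, lw := DemoResults()
	fmt.Println("2021 root trusted, intermediate only served: chain length", m)
	fmt.Println("2015 root trusted, intermediate only served: chain length", ln, "(0 = verification failed)")
	fmt.Println("2015 root trusted, intermediate + cross-signed 2021 root served: chain length", lw)
}
```

The same three situations can be reproduced against a real server with `openssl s_client -showcerts` and a trust store containing only the root you want to test; the point of the in-memory version is that it makes the dependency visible without network access: the cross-signed certificate costs one extra certificate in every handshake and only matters for clients that never received the 2021 root.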