This is for administrators at Sunet TCS members for the 2025- "HARICA generation" of the Sunet TCS service.

THIS IS WORK IN PROGRESS. PLEASE DO NOT REGISTER / SEND EMAILS BEFORE WE INFORM YOU ON SUNET-TCS-MEMBERS AND SUNET FORUM TCS.

URLs

The HARICA Certificate Manager is located at https://cm.harica.gr 

Getting Help

Join the TCS network at SUNET Forum

Consider joining the TCS network at https://forum.sunet.se/s/tcs/ to get information and to be able to discuss the service with Sunet TCS and other users. Important news will also be shared, as before, using the SUNET-TCS-MEMBERS mailing list (where one function address per organization is present since your organization joined the service), but information about minor issues may be shared here, as well as tentative information before we know enough to raise it to the SUNET-TCS-MEMBERS level.

Help from SUNET TCS

Email tcs@sunet.se after making sure that this document does not contain the answer to your question or a solution to your problem. Do not email Kent's personal email address.

Help from HARICA support

2025-01-10: For the time being, contact HARICA support only on instructions from Sunet TCS. We will provide you with the email address when doing so.

GEANT / HARICA Documentation

Look at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ but keep in mind that parts of that documentation is for NREN administrators (called Enterprise Manager in HARICA CM) and not for organisation administrators (called Enterprise Admin in HARICA CA).

Differences from the Sectigo generation 2020-2024

New vendor, new web interface

The HARICA Certificate Manager of course looks different from the Sectigo Certificate Manager. We are all using the same URL for HARICA CM (not a specific Sunet URL).

The container for your organization is now called Enterprise

The containter that keeps your organization details together with the set of domains and certificates that belong to you is now called Enterprise in HARICA CM, instead of Organization (as in Sectigo CM) or Division (as earlier at DigiCert).

You who are administrators at this level are now called Enterprise Admin (approximately the same role as RAO in the Sectigo CM).s you

No Departments

There is no direct replacement for the Department level that existed below Organization in the Sectigo CM, and as such there is no role corresponding to DRAO.

2025-01-10: There may be ways to implement this in the future. Please do not attempt do recreate this using Subunits or other things you find in the interface unless instructed by Sunet TCS.

Users who are not administrators are available again

The HARICA CM allows people to create users that will be matched to you organization via domain matching on the email address. Such users start out without any privileges in the system (cannot approve certificates, cannot add domains etc) but they can request certificates. This resembles the model we had with DigiCert (for Sectigo, there were only admin users of various levels).

Different certificate offerings

From the start of the service your can get this before your Organization Validation is completed:

• Server certificate DV
• S/MIME certificate email-only

When Organization Validation is completed you can also get:

• Server certificate OV
• S/MIME certificate OV + IV (contains organization information and your personal information)

Server certificate EV is not part of the contract.

2025-01-10: Server certificates and authentication certificates for grid use will become available later

2025-01-10: Other certificate types such as code-signing should become available later for a per-certificate fee

Getting access to the system

Members of the "Sectigo generation" 2020-2024 service

To get access to the new system, first:

• Have the person who will become the first Enterprise Admin for your organization to go https://cm.harica.gr and sign up to create a user. That person should be one who has been a RAO in the Sectigo CM and you should use the same email address as before if at all possible. The email address should belong to your main domain. 2025-10-01: The name fields do not accept characters like "åäö" or "-". Do your best without this until we get this fixed.
• This user must also enable two-factor authentication (TOTP) using the profile page (available from the menu in the top right corner where your name is displayed, then under Two-Factor Authentication (2FA).

Then email tcs@sunet.se with a subject line like "TCS2025: organization name" and tell us:

• Organization name (official, the value you will get in the O attribute of the certificate)
• Locality (the value you will get in the L attribute of the certificate)
• Your main domain (you will be able to add additional domains later)
• Organization number ("organisationsnummer")
• A function email alias suitable for receiving notifications from HARICA (such as pending requests, expiring validations etc). 2025-10-01: This is mandatory for now. Later, you will be able to choose to instead have these emails sent to all Enterprise Admins
• Email for the first Enterprise Admin of your organization, as created above.

When we receive and handle the requests, we will create your Enterprise (the HARICA term for the container for your organization and its domains, certificates etc) in the system and make the indicated user the first Enterprise Manager for you.

New members

Contact tcs@sunet.se about membership in the service. Do not send any paper documents before that and do not register in the HARICA CM system.

Domains

Validating domains

To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).