This is for administrators at Sunet TCS members for the 2025- "HARICA generation" of the Sunet TCS service.
2025-01-13: This document is work in progress and will be updated as features are added and bugs/limitations removed, and as we gain more experience with the system.
The HARICA Certificate Manager is located at https://cm.harica.gr
Consider joining the TCS network at https://forum.sunet.se/s/tcs/ to get information and to be able to discuss the service with Sunet TCS and other users. Important news will also be shared, as before, using the SUNET-TCS-MEMBERS mailing list (where one function address per organization is present since your organization joined the service), but information about minor issues may be shared here, as well as tentative information before we know enough to raise it to the SUNET-TCS-MEMBERS level.
Email tcs@sunet.se after making sure that this document does not contain the answer to your question or a solution to your problem. Do not email Kent's personal email address.
2025-01-10: For the time being, contact HARICA support only on instructions from Sunet TCS. We will provide you with the email address when doing so.
Look at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ but keep in mind that parts of that documentation is for NREN administrators (called Enterprise Manager in HARICA CM) and not for organisation administrators (called Enterprise Admin in HARICA CA).
The HARICA Certificate Manager of course looks different from the Sectigo Certificate Manager. We are all using the same URL for HARICA CM (not a specific Sunet URL).
The containter that keeps your organization details together with the set of domains and certificates that belong to you is now called Enterprise in HARICA CM, instead of Organization (as in Sectigo CM) or Division (as earlier at DigiCert).
You who are administrators at this level are now called Enterprise Admin (approximately the same role as RAO in the Sectigo CM).s you
There is no direct replacement for the Department level that existed below Organization in the Sectigo CM, and as such there is no role corresponding to DRAO.
2025-01-10: There may be ways to implement this in the future. Please do not attempt do recreate this using Subunits or other things you find in the interface unless instructed by Sunet TCS.
The HARICA CM allows people to create users that will be matched to you organization via domain matching on the email address. Such users start out without any privileges in the system (cannot approve certificates, cannot add domains etc) but they can request certificates. This resembles the model we had with DigiCert (for Sectigo, there were only admin users of various levels).
A user cannot approve their own requests, regardless of privileges in the system. You need to have one user request a certificate and another user (with the Enterprise Approver role) approve it.
From the start of the service your can get this before your Organization Validation is completed:
When Organization Validation is completed you can also get:
Server certificate EV is not part of the contract.
2025-01-10: Server certificates and authentication certificates for grid use will become available later
2025-01-10: Other certificate types such as code-signing should become available later for a per-certificate fee
You cannot tune notifications as you could for Sectigo. From start, a single function email address per enterprise will get all notifications for new requests, expiring validations etc.
2025-01-13: For the first few days, only request membership if you have the need to issue certificates now that cannot be satisfied via Let's Encrypt or other services available to you. We will remove this comment when everybody is welcome.
To get access to the new system, first:
Then email tcs@sunet.se with a subject line "TCS2025: organization name" (substitute your real organization name). Do not send this email to Kent's personal email address. Do not come up with another form of subject line. In the email, include:
When we receive and handle the requests, we will create your Enterprise (the HARICA term for the container for your organization and its domains, certificates etc) in the system and make the indicated user the first Enterprise Manager for you.
Contact tcs@sunet.se about membership in the service. Do not send any paper documents before that and do not register in the HARICA CM system.
If you are not using CAA records to limit which Certificate Authorities are allowed to issue certificates for a domain, you do not need to add anything for HARICA.
On the other hand, if you are currently using CAA records in DNS to specify allowed Certificate Authorities for a domain, you need to make sure there is a CAA record allowing harica.gr in addition to the ones you already have.
To validate the first domain added when your enterprise was created or any additional domains added later, go to Enterprise → Admin and select your enterprise line. In the new pane, select Domains. You will now be able to use the Validate Domain button to initiate Domain Control Validation (DCV).
You can select email or DNS methods:
In the field for "Email of user that will validate the Enterprise" you enter the email of yourself or any other user registered in HARICA CM that will complete the validation. Then follow the instructions in the email you get to complete validation.
Domains that have not been validated yet have a validity date in the past (the day before the domain was added).
To be able to used additional domains you need to add them first, and then validate as above. To add, go to Enterprise → Admin and select your enterprise in the list. In the pane that appears, click your enterprise in the new list too. At the enterprise information page you get to, use the globe icon at the top right corner to get to the Add Domain page.
Download the sample CSV file and edit it to add one or more domains instead of the HARICA example names. Upload the edited file and accept it. The domains will not show up at once (there is a manual check by HARICA before they are accepted). When the domains have been added you can validate them as per above.
2025-01-10: The CSV parser requires the first line to contain the text Domain without quotes around it. If your spreadsheet program adds quotes, you may have to removed them. In other words, the expected file format is a test file with Domain on the first line and then one or more domain names on the subsequent lines.
Contact tcs@sunet.se if this is needed.
For you to be able to issue server certificates of the OV type, or S/MIME IV+OV, the organization validation needs to be completed. That can be done by Sunet TCS or by you.
2025-01-10: We ask you to wait with this. You can still issue server certificates DV and email-only S/MIME-certificates. If you need OV, contact tcs@sunet.se. We will provide further instructions here when we and HARICA are ready for everybody to be organization validated.
Everybody who is to access the system (for certificate requests or as administrator) needs to have a user:
As an Enterprise Admin you can elevate additional users to have more privileged roles than normal users (who can just request certificates).
Then, as Enterprise Admin, go to Enterprise → Admin and select the Users tab close to the top (between Enterprises and Certificates). Select the appropriate user from the list presented (which will include all users with emails under your domains). In the pane shown, select the Account info pane. You can select to additional roles for the user:
You also need to use Manage Groups to add your enterprise name to the Validator groups for the user, and use the Save button.
2025-10-13: If the choices you make does to seem to "take" when you look at the Account info again, exit the Users pane for something else and go back and check again. The information should now be correct.
All certificate requests are done with menu options in the left-side menu of the system.
You need to have a user in the system (see above) to create certificate requests. You cannot approve your own request. Another user with the Enterprise Approver role needs to do that).
Use the Certificate Requests → Server alternative in the left-side-menu.
On the first page, you enter an optional friendly name for the certificate and then add one or more names to be present in the certificate. The first name added will be the CN of the certificate, and all names added will be present as SAN DNS entries in the certificate. If you do not uncheck the checkbox below the name, an additional name with www prepended will be added as SAN DNS.
The friendly name is only shown to the requester in certificate listings. It will not be seen by approvers/admins. We suggest you leave it blank, as the CN (the first "real" name entered) will be shown in that case.
2025-01-13: The "Add www checkbox" may be removed to default to disabled in the future.
2025-01-13: No names for the certificate are picked up from the CSR you upload later. You have to add them at the stage. This may be changed in the future.
2025-01-13: There is currently a limit of 10 supplied names (20 in all if you accept all the www-prepended names too). This will be increased in the future.
On the next page, select the certificate type:
If the DV or OV option is shown as "from AMOUNT€ year" instead of "free", you have probably made a typo and entered a name for the certificate that is under a domain that does not belong to your Enterprise. Start over and make sure the names are right.
Confirm the choice of type and then confirm the information and accept the terms of use etc.
On the Submit Request page, use Submit CSR manually to get a box to paste the CSR into. Accept the terms of use etc again and Submit the request.
2025-01-16: You may get the error message "You have already used this key before. If your private key gets compromised, we will have to revoke ALL CERTIFICATES associated with this key." if there is a blank line before the CSR in the box (and maybe for other syntax errors too). Do not proceed, but make sure the CSR format is OK and resubmit. Of course, you will also get this message if you are trying to reuse a key.
2025-01-13: The need to accept the terms of use etc twice will be removed in the future.
Your certificate request will now be listed under Pending Certificates while an Enterprise Approver approves it. An email is sent to the notification alias about the pending approval.
When the Enterprise Approver has approved the certificate, you can download it using the download arrow to the right of the certificate in the listing.
2025-01-13: We will add more information about download options when the correct certificate chain is in place.
2025-01-10: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.
You need to have the Certificate Approver role to approve a certificate request. Also, you cannot approve your own request.
As Enterprise Approver, go to Enterprise → SSL Requests. Select the request in the list of pending requests. On the page you get, the Consent tab should be active (with a red X showing it is not yet handled). Enter any comment you want in the message box and use the Accept button to approve the certificate.
If you want, you can also have the message sent to the requester using the "Inform user" checkbox, and if you press Update instead of Accept, the user will get the message but the certificate will not (yet) be approved. The file options at the top is for including documents, if they are relevant to the approval process.
After approving, the certificate is issed and the request is moved to the Completed section.
As approver, your can use Enterprise → SSL Certificates to see certificates. If you select a certificate, you will see the Details pane, and can also choose the Download and Revoke tabs to do that.
The certificate requester will get an email about the certificate and can download it (see above).
2025-01-13: This section will be added soon. Most of you will like to wait until self-service with federated login is in place.
2025-01-10: ACME via HARICA is not at this moment on par with what was offered by Sectigo, but improvements are on the roadmap. We will update this section when it is in place. We recommend using Let's Encrypt for ACME as of now.
2025-01-17: The current API offered by HARICA is basically the one used between the web browser and their backend. If you are an experienced API user, you may be able to use this already, but it is not for the faint of heart. We will update this section if and when the API is enhanced for automation tasks.
Resources for those who would like to try it anyway:
We ask that you use the staging environment (cm-stg-harica.gr) for testing instead of the production environment (cm.harica.gr) if your tests will involve requesting certificates. Contact tcs@sunet.se if you need help to set up your Enterprise there for testing (configuration from production is not mirrored there).
2025-01-10: This section will be added. There is some information already at https://wiki.geant.org/display/TCSNT/TCS+2025+FAQ
2025-01-15: Certificates are still issued with HARICA's existing intermediates, not the custom TCS intermediates that will be used in the future. We will add more information here when the TCS intermediates are in place.