Page History

...

The OCSP end-point for the GEANT TCS private CAs is http://ocsp.geant-prv.harica.gr 

Root and Intermediate for server (TLS) certificates

For the RSA certificate chain

• Issuing CA for GEANT OV TLS (RSA): CN=GEANT TLS RSA 1,O=Hellenic Academic and Research Institutions CA,C=GR
• Cross-signed Intermediate Root CA for GEANT OV TLS (RSA): CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)

For the ECC certificate chain

• Issuing CA for GEANT OV TLS (ECC): CN=GEANT TLS ECC 1,O=Hellenic Academic and Research Institutions CA,C=GR
• Cross-signed Intermediate Root CA for GEANT OV TLS (ECC): CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)

Installation in Apache httpd's mod_ssl

To create the 'SSLCertificateChainFile' for Apache, concatenate the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety), and specify this file in the Apache mod_ssl configuration.

• Download the combined 'maximum compatibility' SSLCertificateChainFile for RSA
• Download the combined 'maximum compatibility' SSLCertificateChainFile for ECC

The server certificate itself goes into a separate file ('SSLCertificateFile') in PEM format, and the private kay also in its own file ('SSLCertificateKeyFile').

Installation in Nginx

For Nginx in the ssl_certificate directive in the http {} section, you would include your server certificate (downloaded from CM), the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety) in that order in a single file. The private key goes (separately) in the file specified under ssl_certificate_key .

Policy Management Authority

...