Versions Compared

Old Version 25

changes.mady.by.user Nicole Harris

Saved on

compared with

New Version Current

changes.mady.by.user Nicole Harris

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

How do I

...

access the HARICA service?

HARICA Cert Manager is available at: https://cm.harica.gr.  HARICA services can also be accessed via the API - API documentation can be found here: https://developer.harica.gr/ and https://guides.harica.gr/docs/Guides/Developer/1.-Register-and-log-in/

...

Please use the following support address: support-tcs@harica.gr. 

What certiicates are available via HARICA?

Please see: TCS Certificate Types 2025

What are the "levels" of authorisation called in the HARICA Service?

...

Is SAML Supported? 

TCS members that are also Identity Providers in eduGAIN must release the following attributes:

  • givenName (oid:2.5.4.42)
  • surname (oid:2.5.4.4)
  • mail (oid:0.9.2342.19200300.100.1.3)
  • edupersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10)

and may also release:

  • eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5)
  • eduPersonPrincipalName (required by GEANT for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.6)
  • eduPersonEntitlement (required for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.7)
    • Make sure you only send the values associated with TCS to HARICA SPs. Use "urn:mace:terena.org:tcs:personal-user" to signal permission to issue IGTF Personal Certificates
  • schacHomeOrganization (oid:1.3.6.1.4.1.25178.1.2.9),

to the following HARICA EntityIDs:

...

Can I order EV Certificates?

EV certificates are NOT included in the HARICA TCS offer as we no longer see any value in supporting this certificate type as a default option. It is possible to purchase these (EV TLS) and other types of certificates (Code Signing, Qualified Electronic Signatures/Seals, QWACs) and remote signing services on an individual basis from HARICA if required for specific use cases.

Where can I find information about the HARICA roots?

This is available at: https://repo.harica.gr/rep_dyn

How Do I use ACME?

You will need to use: https://acme.harica.gr/TCS-DV/directory and to follow the instructions at: https://guides.harica.gr/docs/Guides/Server-Certificate/ACME-Instructions/.  You will also need the KeyID and HMAC key – please contact your NREN for this information. 

What Type of Certificate Do I Need?

...

Why won't my CSR upload? 

...

Wildcard certificates can be requested using the normal processes.  If you request a wildcard (e.g. *.geant.org) there's no need to also include geant.org in the request.

How Do I Request an IGTF OV Server Certificate?

Firstly, the organisation must be configured to enable IGTF certificates. A “Tags” button has been added to the Enterprise Information page (upper right corner). This can be used to toggle IGTF certificate issuance on. 

...

Organisations can then request an IGTF server certificate as part of the normal server workflow by ticking the appropriate box.

How are notfication emails for expiring S/MIME-certs done? 

For single requests the users receive an expiration notification 30, 15, 5 and 1 day prior from the CertManager portal, to their email address which is in the certificate.

For bulk requests the users receive an expiration notification only 30 days prior, from the CA, to their email address which is in the certificate. The email is like the following message.

The certificate with serial number xxxxxxxxxxxx, for the entity with Distinguished Name E=xxxxx@auth.gr, CN=Aristotle University of Thessaloniki, O=Aristotle University of Thessaloniki,L=Thessaloniki,C=GR, which has been issued by CN=HARICA S/MIME RSA SubCA R3, O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR, expires on 2025-05-14 10:14:45+03:00.

When the s/mime certificates from bulk requests will be registered to s/mime certificates tab also, then the users will receive an expiration notification 30, 15, 5 and 1 day prior from CertManager portal, to their email address which is in the certificate.

How do I order an IGTF Personal / Personal Automated certificate? 

For users logging into CertManager via SSO, whose identity provider supplies both the eduPersonPrincipalName (ePPN) and the entitlement urn:mace:terena.org:tcs:personal-user, the following options will be
available:

GÉANT Personal Authentication
GÉANT Personal Automated Authentication

Additionally, if the Enterprise admin has enabled the IGTF-Organization tag, the GÉANT Organization Automated Authentication option will also be available.

As discussed, the SubjectDN will be automatically ASCII-fied. However, if a custom ASCII-fied name is required, an Enterprise admin may submit a request directly to HARICA support at support-tcs@harica.gr.
We will then update the custom value in the Name ASCII-fied field under their Enterprise, which will override the automated ASCII-fication.

Finally, Enterprise Admins can assign the Client Authentication Approver role to members. While no approvals are required for IGTF client authentication certificates, since they are issued automatically, these approvers will still have visibility into all certificate requests submitted within their Enterprise.

How do I use ACME? 

There are two options for using ACME with HARICA

Enterprise AdminAvailable in all accounts TLS OVinstead of ACME challenges, the validations in CertManager (in the list of domains) are used(sub)domains both with include and exclude configurable in CertManager
Enterprise User  (End Users)Can be switched on manually (see below)TLS DVuser must always do an ACME challenge (http or dns) for domain validationall domains within the Enterprise

A domain MUST have been added to the Enterprise before ACME can be used for that domain. 

ACME for Enterprise Admins

Enterprise Admins can create EAB (External Account Binding) credentials that can be used for specific domains. It is then possible to skip domain validation in your ACME client.

  • Go to “Enterprise” → “Admin” and then select the “ACME” tab at the top:

Image Added


  • Accounts can be created with "Create+". The friendly name is here intended to help you identify the account more easily in the list: 

Image Added

  • Once the account is created, you need to define the scope of domains. To do this, select the account and go to the "Domains" tab:

Image Added

  • After this, use the EAB credentials under "Details" in your favorite ACME client or communicate them via a secure channel to the administrator who will be working with them. 

ACME for End Users

This is an additional implementation of ACME, which has functionally similar to Let's Encrypt: end users are given access (with a personal HMAC key) to an ACME server on which they can request certificates, as long as they can perform DCV during the ACME transaction.

  • Enabling is done once by an Enterprise Admin via Enterprise → Admin → select Enterprise → Click on the organization under "Legal Name" → press the "tags" button at the top right (picture of a label). There the switch for #ACME-Personal can be turned on:

Harica_CertManager_-_Enterprises.jpegImage Added


  • This will make a new ACME button available to all users in the left menu to manage ACME accounts. When using Personal ACME, a DNS-01 or HTTP-01 challenge must be performed for each certificate and the HMAC key must be specified.

Why do I need to provide identity documentation for IV+OV certificates?

This can be avoided by agreeing to "Automated S/MIME Certificate Issuance via SAML Entitlement" permissions under the Enterprise information page.  This will only be possible for SAML-enabled accounts as the SAML information is taken as equivalent to the identity vetting done by the CA. 

Image AddedImage Added