All documentation for the TCS will be added here. We are working to update the specific TCS Practice Statements, until further notice the Technical Addendum for the 5th generation TCS server augments the existing TCS CPS documents (both for Server and Personal certificates). Products not described therein are subject to the provider (HARICA) CP and CPS:
- HARICA Certificate Practice Statement
- HARICA Subscriber Agreement
- HARICA Privacy Notice
- HARICA Repository and authority meta-data
Table of Contents
| Table of Contents | ||
|---|---|---|
|
Certificate Practice Statements and Addenda
The following GEANT TCS specific practices and technical addenda are applicable to the 5th generation TCS service:
| Attachments | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
The Technical Addendum is an integral part of the CPS document suite and augments the TCS CPS for both Server and Personal certificates.
Private Root and Issuing Authorities (5th generation TCS)
| Attachments | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Certificate revocation lists for each of these CAs:
- Research and Education Trust RSA Root CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Root-R5.crl
- Research and Education Trust ECC Root CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Root-E5.crl
- GEANT TCS Authentication RSA CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Client-Auth-R5.crl
- GEANT TCS Authentication ECC CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Client-Auth-E5.crl
The OCSP end-point for the GEANT TCS private CAs is http://ocsp.geant-prv.harica.gr
Root and Intermediate for server (TLS) certificates
For the RSA certificate chain
- Issuing CA for GEANT OV TLS (RSA): CN=GEANT TLS RSA 1,O=Hellenic Academic and Research Institutions CA,C=GR
- Cross-signed Intermediate Root CA for GEANT OV TLS (RSA): CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)
For the ECC certificate chain
- Issuing CA for GEANT OV TLS (ECC): CN=GEANT TLS ECC 1,O=Hellenic Academic and Research Institutions CA,C=GR
- Cross-signed Intermediate Root CA for GEANT OV TLS (ECC): CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)
Installation in Apache httpd's mod_ssl
To create the 'SSLCertificateChainFile' for Apache, concatenate the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety), and specify this file in the Apache mod_ssl configuration.
- Download the combined 'maximum compatibility' SSLCertificateChainFile for RSA
- Download the combined 'maximum compatibility' SSLCertificateChainFile for ECC
The server certificate itself goes into a separate file ('SSLCertificateFile') in PEM format, and the private kay also in its own file ('SSLCertificateKeyFile').
Installation in Nginx
For Nginx in the ssl_certificate directive in the http {} section, you would include your server certificate (downloaded from CM), the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety) in that order in a single file. The private key goes (separately) in the file specified under ssl_certificate_key .
| Note | ||
|---|---|---|
| ||
Note: in case you obtained an OV certificate before March 6, 2025, you will have received server certificates signed by the 'generic' HARICA TLS issuer:
|
Policy Management Authority
The GEANT TCS Policy Management Authority consists of PKI policy experts appointed by GÉANT, the contracting party for the TCS. The TCS PMA members oversee the TCS CPS texts. For efficiency purposes, TCS PMA membership is restricted to a limited number of participants selected from the community. GÉANT is ultimately responsible for the TCS PMA membership.