How do I acccess the HARICA service?
HARICA Cert Manager is available at: https://cm.harica.gr. HARICA services can also be accessed via the API - API documentation can be found here: https://developer.harica.gr/ and https://guides.harica.gr/docs/Guides/Developer/1.-Register-and-log-in/.
https://cm-stg.harica.gr/ can be used to test and get to know the service.
How do I get support from HARICA?
Please use the following support address: support-tcs@harica.gr.
What are the "levels" of authorisation called in the HARICA Service?
- Enterprise Manager = NREN Staff.
- Enterprise Admin = Organisational Staff with authorisation.
What is the onboarding process for HARICA?
The process is shown in the image below:
Where can I find supporting material for HARICA?
There are detailed support guides available at: https://guides.harica.gr/.
The following guides have also been created to explain the "Enterprise" workflow used for TCS:
Is SAML Supported?
TCS members that are also Identity Providers in eduGAIN must release the following attributes:
- givenName (oid:2.5.4.42)
- surname (oid:2.5.4.4)
- mail (oid:0.9.2342.19200300.100.1.3)
- edupersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10)
and may also release:
- eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5)
- eduPersonPrincipalName (required by GEANT for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.6)
- eduPersonEntitlement (required for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.7)
- Make sure you only send the values associated with TCS to HARICA SPs. Use "urn:mace:terena.org:tcs:personal-user" to signal permission to issue IGTF Personal Certificates
- schacHomeOrganization (oid:1.3.6.1.4.1.25178.1.2.9),
to the following HARICA EntityIDs:
- PRODUCTION
- “https://www.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/pki-grnet-sp”
- Test attribute release via https://cm.harica.gr/loginsaml/test.php
- STAGING:
- “https://cm-stg.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/harica-cm-stg-sp”
- Test attribute release via https://cm-stg.harica.gr/loginsaml/test.php
- DEV:
Known issues:
- Multiple values in the mail attribute is currently not supported.
Can I order EV Certificates?
EV certificates are NOT included in the HARICA TCS offer as we no longer see any value in supporting this certificate type as a default option. It is possible to purchase these (EV TLS) and other types of certificates (Code Signing, Qualified Electronic Signatures/Seals, QWACs) and remote signing services on an individual basis from HARICA if required for specific use cases.
Where can I find information about the HARICA roots?
This is available at: https://repo.harica.gr/rep_dyn.
How Do I use ACME?
You will need to use: https://acme.harica.gr/TCS-DV/directory and to follow the instructions at: https://guides.harica.gr/docs/Guides/Server-Certificate/ACME-Instructions/. You will also need the KeyID and HMAC key – please contact your NREN for this information.
What Type of Certificate Do I Need?
Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV) certificates were designed to give a different level of confidence in the certificate types because the Certificate Authority carries out more stringent checks on the organisation requesting the certificate at each level. Browsers used to signal this in the address bar, and the idea was the user could make different decisions based on this security level. Placing this level of technical knowledge on the user has now been broadly debunked and this information is no longer prominently signalled.
For the same key size and encryption algorithm DV/OV/EV certs are indistinguishable in terms of encryption security. In most popular browsers, there is now no easily visible difference between these certificate types unless the user looks deep into the certificate settings. The increased levels of validation requirements also make automation harder, and with changes to certificate validity periods once more being discussed by the CA/B Forum, automation should now be considered essential by all organisations.
For the majority of use cases, DV certificates should serve your purposes well. You may find certain implementations or use cases still insist on OV or EV certificates and these can still be obtained via TCS (at an extra cost for EV), but we recommend using DV for most circumstances.
Why Not Just Use Let's Encrypt?
Let's Encrypt is a great free service and works well for many use cases, but has some limitations that a managed service like TCS can help with. This includes:
- Certificate life cycle management through an easy to use and read portal - any administrator can get a clear overview of ordered certificates and their lifespan.
- Ability to order multiple certificate types from one place.
- OV and EV as an option for specific use cases.
- Support for IGTF certificates (coming soon!).
- A support desk.
- No rate limits (Let's Enrypt limits the number of requests you can make in certain time periods).
- EU based terms and conditions and contractual terms negotiated for you.
- Additional certificate types alongside server certificates.
Why Is My Certificate Not Trusted?
If you are seeing an issue where a HARICA certificate shows as not trusted or not valid, this typically means that the system using the certificate does not have access to the root or intermediary certificate. There's normally a way for these to be added - we suggest you contact the service owner or helpdesk for the service. All roots and intermediaries can be found at: https://repo.harica.gr/rep_dyn.
Some of examples of where we have found solutions to these problems:
- Outlook app for ios does not trust certificate? This might be helpful: https://techcommunity.microsoft.com/blog/exchange/how-to-configure-smime-in-office-365/584516.
- The Java key store only has the 2015 HARICA intermediates built in - make sure these are updated to the 2021.
Why won't my CSR upload?
- Make sure it is a csr and not the certificate itself! (-----BEGIN CERTIFICATE REQUEST-----).
- Make sure there's no spaces or breaking lines before or after the request.
How Do I Request a Wildcard?
Wildcard certificates can be requested using the normal processes. If you request a wildcard (e.g. *.geant.org) there's no need to also include geant.org in the request.
How Do I Request an OV Server Certificate?
Firstly, the organisation must be configured to enable IGTF certificates. A “Tags” button has been added to the Enterprise Information page (upper right corner). This can be used to toggle IGTF certificate issuance on.
Organisations can then request an IGTF server certificate as part of the normal server workflow by ticking the appropriate box.
